Stop SSH brute-force attacks with endlessh

Endlessh is an open source SSH tarpit. It sends a slow, endless stream of random banner strings to the connecting client, wasting the attacker's time.

Before you install endlessh, move your real SSH daemon to a higher, non-default port so that port 22 is free for the tarpit. To do this, edit

vi /etc/ssh/sshd_config

Find

Port 22

Replace with

Port YOUR_NEW_PORT_HERE

If the line is commented with #, uncomment it.

Now you can install endlessh with

cd /usr/local/src
git clone https://github.com/skeeto/endlessh
cd /usr/local/src/endlessh
make
cp endlessh /usr/local/bin
cp /usr/local/src/endlessh/util/endlessh.service /etc/systemd/system/

By default endlessh runs on port 2222. To let it bind port 22 (a privileged port), edit the service file

vi /etc/systemd/system/endlessh.service

Find

#AmbientCapabilities=CAP_NET_BIND_SERVICE

Replace with

AmbientCapabilities=CAP_NET_BIND_SERVICE

Find

PrivateUsers=true

Replace with

#PrivateUsers=true

Run

setcap 'cap_net_bind_service=+ep' /usr/local/bin/endlessh

Create the endlessh configuration file

vi /etc/endlessh/config

Add the following content

Port 22
Delay 10000
MaxLineLength 32
MaxClients 4096
LogLevel 0
BindFamily 0

If you need logging, set LogLevel to 1.

Enable and start endlessh

systemctl enable endlessh
systemctl start endlessh
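Added here as a preflight check, not part of the original post or the endlessh project: a small POSIX shell script that reads an sshd_config and an endlessh config and fails if the real SSH daemon and the tarpit would both listen on the same port. The sample config files are constructed inline and the function names are my own.

```shell
#!/bin/sh
# Added example: make sure sshd was really moved off the port endlessh will take.

# Print every port sshd would listen on (all uncommented "Port" lines; default 22).
sshd_ports_from_config() {
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    echo "${ports:-22}"
}

# Print the port endlessh will bind from its config (first "Port" line; default 2222).
endlessh_port_from_config() {
    port=$(awk '$1 == "Port" { print $2; exit }' "$1")
    echo "${port:-2222}"
}

# Return 0 only when no sshd port equals the endlessh port.
check_no_port_conflict() {
    trap_port=$(endlessh_port_from_config "$2")
    for p in $(sshd_ports_from_config "$1"); do
        [ "$p" = "$trap_port" ] && return 1
    done
    return 0
}

# Constructed sample files (not real system config) written to a temp dir.
tmpdir=$(mktemp -d)
cat > "$tmpdir/sshd_config.bad" <<'EOF'
# sshd still on the default port: the Port line was never uncommented
#Port 22
PermitRootLogin no
EOF
cat > "$tmpdir/sshd_config.good" <<'EOF'
# sshd moved to a non-default port
Port 2022
PermitRootLogin no
EOF
cat > "$tmpdir/endlessh.conf" <<'EOF'
Port 22
Delay 10000
MaxLineLength 32
MaxClients 4096
LogLevel 0
BindFamily 0
EOF

if check_no_port_conflict "$tmpdir/sshd_config.good" "$tmpdir/endlessh.conf"; then
    echo "ok: sshd and endlessh listen on different ports"
fi
```

Run it with the real /etc/ssh/sshd_config and /etc/endlessh/config before `systemctl start endlessh`; a non-zero exit means sshd would lose its port to the tarpit.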
