From: Joshua Branson
To: 39136@debbugs.gnu.org
Cc: ludo@gnu.org, Nicolò Balzarotti
Subject: [PATCH] * gnu: endlessh: new service
Date: Fri, 30 Sep 2022 13:08:36 -0400
Message-Id: <20220930170836.26828-1-jbranso@dismail.de>
From: Nicolò Balzarotti

* gnu/services/ssh.scm: Add endlessh service
(<endlessh-configuration>): New record type.
(endlessh-config->conf, endlessh-shepherd-service,
endlessh-service-type): New procedures.
* doc/guix.texi: added documentation for the endlessh service.
---
 doc/guix.texi        | 60 ++++++++++++++++++++++++++++++++++++
 gnu/services/ssh.scm | 73 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 133 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi
index 99f8ba6c54..9a1e2801dd 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -20393,6 +20393,66 @@ may cause undefined behaviour. @end table @end deftp +@cindex Endlessh +@deffn {Scheme Variable} endlessh-service-type +This is the type for the @uref{https://github.com/skeeto/endlessh, +Endlessh} service, which is an ssh tarbit. It delays ssh clients for +days at a time by @emph{very slowly} sending a random and endless SSH +banner. The smart hacker will run endlessh on port 22, and let crackers +get stuck in this tarpit. This lets your real ssh server run more +securely on a non-standard port. + +For example: + +@lisp +(service endlessh-service-type + (endlessh-configuration + (port-number 22))) +@end lisp + +@end deffn + +@deftp {Data Type} endlessh-configuration +Data type representing the configuration for @code{endlessh-service}. +@table @asis +@item @code{package} (default: @var{endlessh}) +@code{endlessh} package to use. + +@item @code{bind-family} (default: @code{'(ipv4 ipv6)}) +This specifies if endlessh should use ipv4 and/or ipv6. + +@item @code{delay} (default: @code{10000}) +The endless banner is sent one line at a time. This is the delay +in milliseconds between individual lines. + +@item @code{length} (default: @code{32}) +The length of each line is randomized. This controls the maximum length +of each line. Shorter lines may keep clients on for longer if they give +up after a certain number of bytes. + +@item @code{max-clients} (default: @code{4096}) +Maximum number of connections to accept at a time. Connections beyond +this are not immediately rejected, but will wait in the queue. + +@item @code{port-number} (default: @code{2222}) +The port on which to listen for new SSH connections. Most users who +want to use endlessh as intended should set this port number to +@code{22}. + +@item @code{log-level} (default: @code{0}) +Set the detail level for the log. 
+@table @asis +@item 0 = Quiet +@item 1 = Standard, useful log messages +@item 2 = Very noisy debugging information +@end table + +@item @code{syslog} (default: @code{#f}) +Print diagnostics to syslog instead of standard output + +@end table +@end deftp + @cindex WebSSH @deffn {Scheme Variable} webssh-service-type This is the type for the @uref{https://webssh.huashengdun.org/, WebSSH} diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm index 72e7183590..2e547b63cd 100644 --- a/gnu/services/ssh.scm +++ b/gnu/services/ssh.scm @@ -58,6 +58,10 @@ (define-module (gnu services ssh) autossh-configuration? autossh-service-type + endlessh-configuration + endlessh-configuration? + endlessh-service-type + webssh-configuration webssh-configuration? webssh-service-type 
@@ -802,6 +806,75 @@ (define autossh-service-type autossh-service-activation))) (default-value (autossh-configuration)))) + +;;; +;;; Endlessh. +;;; + +(define-record-type* + endlessh-configuration make-endlessh-configuration + endlessh-configuration? + ;; list of two symbols, allowed values are ipv4, ipv6 or both + (bind-family endlessh-configuration-bind-family (default '(ipv4 ipv6))) + ;; integer + (delay endlessh-configuration-delay (default 10000)) + ;; integer + ;; Must be in the range + (length endlessh-configuration-length (default 32)) + ;; integer + (max-clients endlessh-configuration-max-clients (default 4096)) + ;; integer + (port-number endlessh-configuration-port-number (default 2222)) + ;; integer + ;; Allowed values are 0, 1 and 2 + (log-level endlessh-configuration-log-level (default 0))) + +(define (endlessh-config->conf config) + "Convert the CONFIG of type to a config file." + (let* ((family (endlessh-configuration-bind-family config)) + (ipv4 (member 'ipv4 family)) + (ipv6 (member 'ipv6 family)) + (port (endlessh-configuration-port-number config)) + (delay (endlessh-configuration-delay config)) + (length (endlessh-configuration-length config)) + (log-level (endlessh-configuration-log-level config)) + (max-clients (endlessh-configuration-max-clients config)) + (bind + ;; check if both are true (0), or only one of them is present + (if (not (and (equal? 
ipv4 ipv6) ipv4)) + (if ipv4 4 + (if ipv6 6 + (throw 'endlessh-error + "bind-family must contain at least one value"))) + 0))) + (mixed-text-file "endlessh.conf" + "# Generated by 'endlessh-config'.\n\n" + "Port " (number->string port) "\n" + "Delay " (number->string delay) "\n" + "MaxLineLength " (number->string length) "\n" + "MaxClients " (number->string max-clients) "\n" + "LogLevel " (number->string log-level) "\n" + "BindFamily " (number->string bind) "\n"))) + +(define (endlessh-shepherd-service config) + (shepherd-service + (documentation "Run endlessh tarpit server.") + (provision '(endlessh)) + (start #~(make-forkexec-constructor + (list #$(file-append endlessh "/bin/endlessh") + "-f" #$(endlessh-config->conf config)))) + (stop #~(make-kill-destructor)))) + +(define endlessh-service-type + (service-type + (name 'endlessh) + (description "Run endlessh tarpit server.") + (extensions + (list (service-extension shepherd-root-service-type + (compose list endlessh-shepherd-service)))) + (default-value (endlessh-configuration)))) + + ;;; ;;; WebSSH -- 2.37.3
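Review bot: in the doc/guix.texi hunk (@@ -20393), the manual documents two fields that the code does not implement: `package` (default `endlessh`) and `syslog` (default `#f`). The `endlessh-configuration` record in the ssh.scm hunk has neither field, the generated endlessh.conf never writes a syslog setting, and the shepherd service hard-codes `(file-append endlessh "/bin/endlessh")`. Either add both fields (threading `package` into the constructor and `syslog` into the config file) or drop them from the manual. Smaller points in the same hunk: the `@deftp` text says the type configures `@code{endlessh-service}` while the variable is `endlessh-service-type`; "ssh tarbit" should read "SSH tarpit"; and "The smart hacker will run endlessh on port 22" is out of register for the manual, something like "To use endlessh as intended, run it on port 22 and move the real SSH server to another port" states the same advice neutrally.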
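Review bot: the export hunk (@@ -58) adds the endlessh symbols, but the patch adds no `#:use-module` for the module that provides the `endlessh` package, which `endlessh-shepherd-service` later references unqualified in `(file-append endlessh "/bin/endlessh")`. Unless (gnu services ssh) already imports it, the module fails to compile with an unbound variable. Add the import, or, if a `package` field is added to the configuration as the manual already promises, go through that field instead of the bare identifier.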
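Review bot: the BindFamily computation in `endlessh-config->conf` (hunk @@ -802) is wrong for the default configuration. `ipv4` and `ipv6` hold the results of `member`, i.e. list tails, so with `'(ipv4 ipv6)` they are `(ipv4 ipv6)` and `(ipv6)`, `(equal? ipv4 ipv6)` is false, `(not (and ...))` is true, and the code takes `(if ipv4 4 ...)` and emits `BindFamily 4` instead of `0`; the `0` branch is unreachable. Replace the nested `if`/`equal?` with
  (cond ((and ipv4 ipv6) 0)
        (ipv4 4)
        (ipv6 6)
        (else (throw 'endlessh-error "bind-family must contain at least one value")))
Also in this hunk: the comment `;; Must be in the range` on the `length` field is cut short and should state the range or be removed; the `log-level` comment promises values 0, 1 and 2 but nothing validates them, so an out-of-range value is written to the file unchecked; binding `delay` and `length` in the `let*` shadows the Scheme builtins, which works but reads poorly (`line-delay`/`line-length` would be clearer). For the shepherd service, `make-forkexec-constructor` is called without `#:user`/`#:group`, so a daemon whose whole job is to hold open connections from untrusted Internet peers runs as root; since the manual recommends port 22, at least document that trade-off and consider a dedicated account where the chosen port allows it. Add `(requirement '(networking))` so the daemon is not started before network interfaces are up.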