install.fairie/docs/scripts/after/run_onchange_after_30-endlessh.sh.tmpl.md


title description sidebar_label slug githubLocation scriptLocation repoLocation
Endlessh Configuration This script configures Endlessh by applying the configuration stored in `${XDG_DATA_HOME:-$HOME/.ssh}/endlessh/config` if the `endlessh` application is available 30 Endlessh Configuration /scripts/after/run_onchange_after_30-endlessh.sh.tmpl https://github.com/megabyte-labs/install.doctor/blob/master/home/.chezmoiscripts/universal/run_onchange_after_30-endlessh.sh.tmpl https://github.com/megabyte-labs/install.doctor/raw/master/home/.chezmoiscripts/universal/run_onchange_after_30-endlessh.sh.tmpl home/.chezmoiscripts/universal/run_onchange_after_30-endlessh.sh.tmpl

Endlessh Configuration

This script configures Endlessh by copying the configuration stored in `~/.ssh/endlessh/config` (the path the script actually reads) to the system location (`/etc/endlessh/config` or `/etc/endlessh.conf`) and restarting the service, if the `endlessh` executable is available.

Overview

Endlessh is an endless SSH tarpit that slowly emits an infinitely long SSH banner on the default SSH port. It is intended to tie up unsophisticated malware and scanners that target SSH.

If the endlessh program is installed, this script applies the configuration stored in home/private_dot_ssh/endlessh/config.tmpl (that unpacks with Chezmoi to ~/.ssh/endlessh/config) to the system location and then starts the service.

Note: This script runs under the assumption that the actual SSH port, which is defined in home/.chezmoidata.yaml, is assigned to a non-standard port like 2214. This frees the default port (22) for endlessh. The script does not verify this: if sshd is still listening on port 22, endlessh will not be able to bind it and the service will fail to start.

Source Code

{{- if eq .host.distro.family "linux" -}}
#!/usr/bin/env bash
# @file Endlessh Configuration
# @brief Applies the Endlessh configuration and starts the service on Linux systems
# @description
#     Endlessh is an endless SSH tarpit that slowly shows an infinitely long SSH welcome banner on the default
#     SSH port. It is intended to break unsophisticated malware that targets SSH.
#
#     If the `endlessh` program is installed, this script applies the configuration stored in `home/private_dot_ssh/endlessh/config.tmpl`
#     (that unpacks with Chezmoi to `~/.ssh/endlessh/config`) to the system location and then starts the service.
#
#     **Note:** _This script runs under the assumption that the actual SSH port which is defined in `home/.chezmoidata.yaml`
#     is assigned to a non-standard port like 2214. This allows the default port to be used for `endlessh`._
#
#     ## Links
#
#     * [Endlessh GitHub repository](https://github.com/skeeto/endlessh)
#     * [Endlessh configuration](https://github.com/megabyte-labs/install.doctor/blob/master/home/private_dot_ssh/endlessh/config.tmpl)

# @file Endlessh Configuration
# @brief This script configures Endlessh by applying the configuration stored in `${XDG_DATA_HOME:-$HOME/.ssh}/endlessh/config` if the `endlessh` application is available
# @description
#     This script applies the Endlessh configuration stored in `${XDG_DATA_HOME:-$HOME/.ssh}/endlessh/config` if endlessh is installed.
#     Endlessh is an SSH tarpit that listens for incoming connections on the given port and responds slowly with a random, endless SSH banner. To protect the real server,
#     configure Endlessh to listen on the default SSH port (22), while the real server listens to a different port.
#
#     ## Configuration Variables
#
#     The following chart details the input variable(s) that are used to determine the configuration of the endlessh:
#
#     | Variable        | Description                                                |
#     |-----------------|------------------------------------------------------------|
#     | `endlesshPort`  | The port that endlessh listens to for incoming connections |
#
#     ## Links
#
#     * [Default Endlessh configuration](https://github.com/megabyte-labs/install.doctor/tree/master/home/private_dot_ssh/endlessh/config.tmpl)
#     * [Secrets / Environment variables documentation](https://install.doctor/docs/customization/secrets)

# endlessh config hash: {{- include (joinPath .host.home ".ssh" "endlessh" "config") | sha256sum -}}

{{ includeTemplate "universal/profile" }}
{{ includeTemplate "universal/logg" }}

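### Configures endlessh service
# Grants the endlessh unit the ability to bind a privileged port (22 by default) and (re)starts it.
# Every privileged step runs through sudo. Returns 0 on success and 1 as soon as any step fails,
# so the caller can log and abort instead of reporting success after a silent failure (the
# previous version ignored the exit status of every command except the last one).
function configureEndlessh() {
    local dropin_dir='/etc/systemd/system/endlessh.service.d'

    ### Override the packaged unit with a drop-in instead of editing it in place
    # sed-editing /usr/lib/systemd/system/endlessh.service is undone by the next package upgrade and
    # silently does nothing if the file lives elsewhere or its comment lines differ; a drop-in under
    # /etc/systemd/system takes precedence over the vendor unit and persists across upgrades.
    # PrivateUsers is switched off for the same reason the old sed commented it out: the ambient
    # capability is not effective while the service runs in its own user namespace (confirm against
    # the installed unit if a newer package changes its hardening options).
    logg info 'Writing systemd drop-in for endlessh (AmbientCapabilities=CAP_NET_BIND_SERVICE, PrivateUsers=no)'
    sudo mkdir -p "$dropin_dir" || return 1
    printf '%s\n' '[Service]' 'AmbientCapabilities=CAP_NET_BIND_SERVICE' 'PrivateUsers=no' \
        | sudo tee "$dropin_dir/override.conf" > /dev/null || return 1
    logg info 'Reloading systemd'
    sudo systemctl daemon-reload || return 1

    # Deliberately no `setcap cap_net_bind_service=+ep /usr/bin/endlessh`: a file capability applies
    # to every invocation of the binary by any local user, whereas AmbientCapabilities scopes the
    # privilege to this unit only.

    ### Enable / restart Endlessh
    logg info 'Enabling the endlessh service'
    sudo systemctl enable endlessh || return 1
    logg info 'Restarting the endlessh service'
    sudo systemctl restart endlessh || return 1
}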

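### Update the system endlessh configuration unless the environment is WSL
# The previous WSL check compared an always-empty command substitution (its grep output was sent to
# /dev/null and `test -d proc` looked at a relative path), so the skip branch never ran. /proc/version
# contains "Microsoft" on WSL1 and "microsoft" on WSL2, hence the case-insensitive match.
if grep -qi microsoft /proc/version 2> /dev/null; then
    logg info 'Skipping Endlessh configuration since environment is WSL'
elif ! command -v endlessh > /dev/null; then
    logg info 'Skipping Endlessh configuration because the endlessh executable is not available in the PATH'
else
    ENDLESSH_SRC="$HOME/.ssh/endlessh/config"

    ### Pick the system location: directory layout first, single-file layout as fallback
    if [ -d /etc/endlessh ]; then
        ENDLESSH_DEST='/etc/endlessh/config'
    elif [ -f /etc/endlessh.conf ]; then
        ENDLESSH_DEST='/etc/endlessh.conf'
    else
        ENDLESSH_DEST=''
    fi

    if [ -z "$ENDLESSH_DEST" ]; then
        logg warn 'Neither the /etc/endlessh folder nor the /etc/endlessh.conf file exist'
    elif [ ! -f "$ENDLESSH_SRC" ]; then
        logg warn "$ENDLESSH_SRC does not exist so the endlessh configuration cannot be applied"
    else
        logg info "Copying ~/.ssh/endlessh/config to $ENDLESSH_DEST"
        # install rather than cp: the result is root-owned, readable by the (unprivileged) service
        # account and not writable by other users, regardless of the mode of the file in ~/.ssh.
        if ! sudo install -m 0644 -o root -g root "$ENDLESSH_SRC" "$ENDLESSH_DEST"; then
            logg error "Failed to copy $ENDLESSH_SRC to $ENDLESSH_DEST"
            exit 1
        fi

        if configureEndlessh; then
            logg success 'Successfully configured endlessh service'
        else
            logg error 'Configuring endlessh service failed'
            exit 1
        fi
    fi
fi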

{{ end -}}