endlessh VS opencanary

You can reduce the noise a lot by moving ssh to a non standard port. Security through obscurity isn't actually security, but it will reduce the number of attempts you receive. Another thing I like to do is put Endlessh on the standard port 22. That way as bots go by they will get stuck or at least slow down on that connection.

SSH tarpit with Endlessh and for the hidden SSH: auth with both a key files (that need unlocking and is on the computer) AND an One Time Password on my phone.

If you change the ssh port, install https://github.com/skeeto/endlessh to slow down the attackers

Even this requires you to successfully guess the username and password correctly, and if it's just not the default most people won't bother brute forcing further. Sidenote: you can use endlessh on a computer and port forward port 22 to trap scanners that scan the entire internet for open ssh ports to exploit.

The fun way is moving your ssh port somewhere else and installing endlessh to f the bots.

Such as endlessh

But, as a prank to Chinese hackers, what I did on my system was to run endless ssh. It keeps the ssh client busy as it slowly sends the ssh banner. I modified the code to send strings like:

For hardening: I use lynis for some guidance, the VPS runs rkhunter, AIDE and other things nightly and mails me the reports, fail2ban manages the SSH port, having SSH on a custom port helps to keep things quiet. If you're into these kind of things, have a look at the Endlessh tarpit to learn about login attempts on port 22 on your machine - I found it eye-opening.

Thinkst has an open source version of their commercial product called opencanary that is popular and that I also personally vouch for.

Totally forgot to include the link. https://github.com/thinkst/opencanary

At the start its worth noting, that if you deploy Canaries (our paid version of the free version we build at opencanary.org) you get the fidelity of alert you want. ie. you get to run a fake fileshare with files you want on it. Anytime the file is opened, you get a notification (since you effectively are the host offering the file).

Have you tried the Dockerfiles and compose from this repo https://github.com/thinkst/opencanary ?

I setup open canary. Not exactly the same thing obviously but it was pretty easy to setup and confirm working. I hope anyone that gains access tries to connect to it and gives me a notification via email. No guarantees obviously and I'm not an expert so open to feedback how people think about these things.

Opencanary Get out https://github.com/thinkst/opencanary for details on this. Run the following for download and installation: sudo apt-get update && sudo apt-get upgrade -y sudo apt install git -y sudo apt-get install build-essential libssl-dev libffi-dev python-dev -y sudo apt-get install python3-pip -y git clone https://github.com/thinkst/opencanary cd opencanary sudo python3 setup.py install Now generate a config file. opencanaryd --copyconfig Now edit the new conf file: vim .opencanary.conf Make sure to keep proper JSON formatting or the OpenCanary service won't start. I used jq to validate that the JSON file is good to go! If there are issues it will help you quickly identify them. If you need more information around using or installing jq please visit https://stedolan.github.io/jq/download/ { "device.node_id": "opencanary-1", "ip.ignorelist": [ ], "git.enabled": false, "git.port" : 9418, "ftp.enabled": true, "ftp.port": 21, "ftp.banner": "FTP server ready", "http.banner": "Apache/2.2.22 (Ubuntu)", "http.enabled": false, "http.port": 80, "http.skin": "nasLogin", "http.skin.list": [ { "desc": "Plain HTML Login", "name": "basicLogin" }, { "desc": "Synology NAS Login", "name": "nasLogin" } ], "httpproxy.enabled" : false, "httpproxy.port": 8080, "httpproxy.skin": "squid", "httproxy.skin.list": [ { "desc": "Squid", "name": "squid" }, { "desc": "Microsoft ISA Server Web Proxy", "name": "ms-isa" } ], "logger": { "class": "PyLogger", "kwargs": { "formatters": { "plain": { "format": "%(message)s" }, "syslog_rfc": { "format": "opencanaryd[%(process)-5s:%(thread)d]: %(name)s %(levelname)-5s %(message)s" } }, "handlers": { "console": { "class": "logging.StreamHandler", "stream": "ext://sys.stdout" }, "file": { "class": "logging.FileHandler", "filename": "/var/tmp/opencanary.log" }, "syslog-unix": { "class": "logging.handlers.SysLogHandler", "formatter":"syslog_rfc", "address": [ "localhost", 514 ], "socktype": "ext://socket.SOCK_DGRAM" }, "json-tcp": { "class": "opencanary.logger.SocketJSONHandler", "host": "127.0.0.1", "port": 1514 }, "SMTP": { "class": "logging.handlers.SMTPHandler", "mailhost": ["smtp.yourserver.com", 25], "fromaddr": "[email protected]", "toaddrs" : ["[email protected]"], "subject" : "OpenCanary Alert", "credentials" : ["youraddress", "SecureStrongpass"], "secure" : [] }, "slack":{ "class":"opencanary.logger.SlackHandler", "webhook_url":"https://hooks.slack.com/services/..." }, "teams": { "class": "opencanary.logger.TeamsHandler", "webhook_url":"https://my-organisation.webhook.office.com/webhookb2/..." } } } }, "portscan.enabled": false, "portscan.logfile":"/var/log/kern.log", "portscan.synrate": 5, "portscan.nmaposrate": 5, "portscan.lorate": 3, "smb.auditfile": "/var/log/samba-audit.log", "smb.enabled": false, "mysql.enabled": false, "mysql.port": 3306, "mysql.banner": "5.5.43-0ubuntu0.14.04.1", "ssh.enabled": false, "ssh.port": 22, "ssh.version": "SSH-2.0-OpenSSH_5.1p1 Debian-4", "redis.enabled": false, "redis.port": 6379, "rdp.enabled": false, "rdp.port": 3389, "sip.enabled": false, "sip.port": 5060, "snmp.enabled": false, "snmp.port": 161, "ntp.enabled": false, "ntp.port": "123", "tftp.enabled": false, "tftp.port": 69, "tcpbanner.maxnum":10, "tcpbanner.enabled": false, "tcpbanner_1.enabled": false, "tcpbanner_1.port": 8001, "tcpbanner_1.datareceivedbanner": "", "tcpbanner_1.initbanner": "", "tcpbanner_1.alertstring.enabled": false, "tcpbanner_1.alertstring": "", "tcpbanner_1.keep_alive.enabled": false, "tcpbanner_1.keep_alive_secret": "", "tcpbanner_1.keep_alive_probes": 11, "tcpbanner_1.keep_alive_interval":300, "tcpbanner_1.keep_alive_idle": 300, "telnet.enabled": false, "telnet.port": "23", "telnet.banner": "", "telnet.honeycreds": [ { "username": "admin", "password": "$pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA" }, { "username": "admin", "password": "admin1" } ], "mssql.enabled": false, "mssql.version": "2012", "mssql.port":1433, "vnc.enabled": false, "vnc.port":5000 } $ . env/bin/activate $ opencanaryd --start If everything worked you should have some emails or slack messages alerting you to the startup of the services. Over time, depending on what you enabled, you will receive alerts for port scans, or other attempts. Please visit this document which covers in more detail OpenCanary, https://buildmedia.readthedocs.org/media/pdf/opencanary/latest/opencanary.pdf Slack channel for Opencanary Alerts, set up incoming webhooks. https://slack.com/help/articles/115005265063-Incoming-webhooks-for-Slack https://slack.com/help/articles/115005265063-Incoming-webhooks-for-Slack

Here's a good and free tip: A unique password breached can be turned around to better know your enemy. Set-up a canary honeypot and monitor your environment for it:

See https://github.com/thinkst/opencanary