✓ Solved

Use of endlessh, and hence what is the socket limit on a 1GB Nanode?

As you all probably know, we see an unholy frequency of SSH login attempts. While I'm perfectly happy that I've secured my server, I'd very much like to run endlessh and tie up these bots for the good of everyone. This would slow them down and reduce the number of insecure servers getting hijacked.

For anyone who is unfamiliar with endlessh, it's a lightweight C program that feeds a very slow, low bandwidth, endless banner to any bad faith SSH connection attempts. Since banners don't have a timeout, and are sent before key exchange, this consumes very few resources and usefully ties up malicious clients, i.e. it's a tarpit.

My question is, since I'll likely end up with several hundred sockets tied up this way, how many are we allowed, and how are the physical hosts configured? If I used up a large number of virtual sockets, am I actually running the risk of starving the physical host of resources, at the expense of other users? That is obviously something I would like to avoid.

If we can use this without issues, I'd welcome other users to check it out and perhaps spread the load, since those of us who do run it will end up siphoning off some of the bad actors from everyone else's accounts.

Thanks in advance.

5 Replies

✓ Best Answer

Hi,

The only upper limit would be the RAM available to the kernel, and the kernel sysctl settings for tcp session limits. The host and our internal networking wouldn't be affected by this at all - as only your Linode and the remote host are involved in the TCP sessions. Thanks for your concern to be a good neighbor, though.

Happy hunting,
-Chris
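The banner trick the question describes and the per-process ceiling this answer alludes to, as an added example that is neither endlessh's code nor any poster's: RFC 4253 lets a server send arbitrary lines before its "SSH-" version string and clients must ignore them, so a slow stream of non-"SSH-" lines holds a scanner open before any key exchange. The 10 second delay and port 2222 are assumptions, and only the soft open-file limit is checked; kernel socket memory is the other cap and is left to sysctl.

```python
import asyncio
import random
import resource

MAX_LINE = 253  # RFC 4253 sec. 4.2: a banner line is at most 255 bytes including CRLF

def banner_line(rng=None):
    """One pre-banner line: printable ASCII that never starts with 'SSH-', CRLF-terminated."""
    rng = random.Random() if rng is None else rng
    body = bytes(rng.randint(0x20, 0x7E) for _ in range(rng.randint(3, 32)))
    if body.startswith(b"SSH-"):  # "SSH-" would end the banner phase, so neutralise it
        body = b"ssh:" + body[4:]
    return body[:MAX_LINE] + b"\r\n"

def connection_budget(reserve=64):
    """Sockets this process may hold at once: the soft open-file limit minus a reserve
    for stdio, the listener and logs.  Kernel socket memory (tcp_mem) is not measured."""
    soft, _hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    return max(0, soft - reserve)

class Tarpit:
    def __init__(self, delay=10.0, max_clients=0):
        self.delay = delay                      # seconds between lines (assumed default)
        self.max_clients = max_clients or connection_budget()
        self.active = 0

    async def handle(self, reader, writer):
        if self.active >= self.max_clients:     # stay under the fd budget instead of crashing
            writer.close()
            return
        self.active += 1
        rng = random.Random()
        try:
            while True:                         # never send "SSH-": the client keeps waiting
                writer.write(banner_line(rng))
                await writer.drain()            # back-pressure if the client stops reading
                await asyncio.sleep(self.delay)
        except (ConnectionError, asyncio.CancelledError):
            pass
        finally:
            self.active -= 1
            writer.close()

async def main(port=2222):                      # port 2222 is an assumption
    server = await asyncio.start_server(Tarpit().handle, "0.0.0.0", port)
    async with server:
        await server.serve_forever()
```

Run it with asyncio.run(main()) on a port that is not your real sshd; raising the soft limit with ulimit -n raises connection_budget() accordingly.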

Generally what I’ve used to help prevent ssh login attempts is doing the following:

  • Disable root login
  • Use a certificate for password-less login
  • Use fail2ban to block continued failed attempts

Thanks Lou. I appreciate the reply, though with respect it doesn't relate to the question. My server is secure; my intention is to tie up some of the malicious bots and scripts, so that they don't infect other people's (possibly not yet secured) servers. Many of these bots stall when they encounter a responsive ssh listener, and this means they can be taken out of circulation and the herd thinned, at least for a time.

I'm asking this here because Linodes share physical resources. If, for the sake of argument, a Linode were allowed 16384 connected sockets and this was known not to impact other servers or network switches, then I'd simply do it and tune things based solely on how they affect my own server. I doubt this is the case though.

(On a separate note, I believe sshguard is a better option than fail2ban, since it's more performant and uses far less memory. To keep this on topic though, I plan to start a new thread addressing that.)

@cytrus writes:

(On a separate note, I believe sshguard is a better option than fail2ban, since it's more performant and uses far less memory. To keep this on topic though, I plan to start a new thread addressing that.)

fail2ban can handle far more than just ssh. I use it to ban (postfix) mail system and web server abusers as well as ssh. It has built in stuff for many different kinds of mail servers, ftp, etc.

fail2ban's built in filters can be somewhat brittle and the docs assume that you're a Python guru in order to write new filters and actions (which I'm not by any means…I've been able to do simple stuff but nothing very sophisticated because I don't know anything about Python).

-- sw

@caker Thanks Chris; this is exactly what I wanted to know. I'll probably spin up a fresh node to test this. I suspect ultimately I will need to modify endlessh though, since I'd still like those IPs blocked on all other ports, and I'm not sure that's achievable with the current code.


@stevewi Thanks Steve. I think fail2ban does have the edge where configurability is concerned, otherwise sshguard looks pretty similar as far as I can tell. The docs and changelogs suggest sshguard supports ssh, postfix, dovecot, exim, opensmtpd, sendmail, cucipop, cockpit, wordpress, courier IMAP/POP, OpenVPN, Cyrus IMAP, vsftpd, ProFTPd, pure-ftp, and UWimap. (I suspect a few of those are dead projects by now though.) Sadly, it looks like custom signature support is missing. In my case I'd be happy to implement my own signatures code and recompile given that I'm a C programmer by profession, and this would let me keep Python out of the equation.

My problem with fail2ban is that it is bloated and comparatively slow, and can swallow large amounts of RAM. On a fresh Linode with only sshd accepting connections, I found fail2ban already consuming ~100MB on its own. (Measured by observing total memory consumption with and without it running. For context, this was considerably more than NGINX.) This usage appears to grow, the more services it is monitoring and intervening on, so it's hard to justify on a 1GB Nanode. Since its only real job is parsing text entries and adding iptables rules, it just doesn't seem like a very credible piece of software. By contrast, sshguard doesn't appear to measurably increase memory load in my experience so far. (I'll certainly come back and edit this if that ever changes though. I have yet to use it on a production server, after all.)

Sorry for the rant there.
