https://blog.thym.at/tags/tarpit/Recent content in Tarpit on totoroot's blogHugo -- gohugo.ioen-usTue, 24 Feb 2026 23:20:00 +0200https://blog.thym.at/p/ssh-tarpit-endlessh-go/Tue, 24 Feb 2026 23:20:00 +0200https://blog.thym.at/p/ssh-tarpit-endlessh-go/<h1 id="ssh-tarpit-on-a-nixos-vps-endlessh-go-prometheus-and-a-quieter-auth-log">SSH Tarpit on a NixOS VPS: endlessh-go, Prometheus, and a quieter auth log </h1><h2 id="why-i-set-this-up">Why I set this up </h2><p>For no particular reason I looked at recent failed SSH logins on my Linux VPS which has a public IPv4 address.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">λ sudo lastb -F </span></span></code></pre></div><p>I was astonished by the volume and the variety of usernames, e.g.:</p> <pre tabindex="0"><code>ubnt ssh:notty 80.94.95.116 Tue Feb 24 21:29:36 2026 - Tue Feb 24 21:29:36 2026 (00:00) operator ssh:notty 80.94.95.115 Tue Feb 24 21:19:42 2026 - Tue Feb 24 21:19:42 2026 (00:00) ... oracle ssh:notty 104.248.200.5 Sun Feb 1 00:00:21 2026 - Sun Feb 1 00:00:21 2026 (00:00) btmp begins Sun Feb 1 00:00:21 2026 </code></pre><h3 id="who-tried">Who tried? </h3><p>To be clear&hellip;noone besides a single user is allowed to login and authentication is only allowed passwordless through keys, so none of these failed attempts was me just misstyping my password when trying to clumsily <code>ssh</code>ing into my server.</p> <p>Since I only ever log in with a single user, I briefly considered adding a Fail2Ban jail that bans any SSH login attempt using a different username. I decided not to go with it (for now), but here’s the configuration I drafted:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nix" data-lang="nix"><span class="line"><span class="cl"> <span class="n">environment</span><span class="o">.</span><span class="n">etc</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="o">...</span> </span></span><span class="line"><span class="cl"> <span class="c1"># SSH invalid-user jail (ban any user != me).</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;fail2ban/filter.d/sshd-invalid-user.conf&#34;</span><span class="o">.</span><span class="n">text</span> <span class="o">=</span> <span class="s1">&#39;&#39; </span></span></span><span class="line"><span class="cl"><span class="s1"> [Definition] </span></span></span><span class="line"><span class="cl"><span class="s1"> failregex = ^%(__prefix_line)sInvalid user (?!me\b).*$\n </span></span></span><span class="line"><span class="cl"><span class="s1"> ^%(__prefix_line)sFailed password for invalid user (?!me\b).*$\n </span></span></span><span class="line"><span class="cl"><span class="s1"> ^%(__prefix_line)sFailed publickey for invalid user (?!me\b).*$\n </span></span></span><span class="line"><span class="cl"><span class="s1"> ^%(__prefix_line)sUser not known to the underlying authentication module for user (?! </span></span></span><span class="line"><span class="cl"><span class="s1"> me\b).*$\n ignoreregex = </span></span></span><span class="line"><span class="cl"><span class="s1"> &#39;&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="n">services</span><span class="o">.</span><span class="n">fail2ban</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">enable</span> <span class="o">=</span> <span class="no">true</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="o">...</span> </span></span><span class="line"><span class="cl"> <span class="n">jails</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="c1"># SSH invalid-user jail (ban any user != me).</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;sshd-invalid-user&#34;</span> <span class="o">=</span> <span class="s1">&#39;&#39; </span></span></span><span class="line"><span class="cl"><span class="s1"> enabled = true </span></span></span><span class="line"><span class="cl"><span class="s1"> filter = sshd-invalid-user </span></span></span><span class="line"><span class="cl"><span class="s1"> backend = systemd </span></span></span><span class="line"><span class="cl"><span class="s1"> journalmatch = _SYSTEMD_UNIT=sshd.service </span></span></span><span class="line"><span class="cl"><span class="s1"> maxretry = 1 </span></span></span><span class="line"><span class="cl"><span class="s1"> findtime = 600 </span></span></span><span class="line"><span class="cl"><span class="s1"> &#39;&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span></code></pre></div><p>If I ever want to enforce “single‑user only” bans, this is the exact snippet I’d enable but for now I just kept my nginx-probing jail and filter.</p> <p>So next, I wanted to actually figure out who gave it a try. Therefore I then counted the most common usernames:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">λ sudo lastb -F <span class="p">|</span> awk <span class="s1">&#39;{print $1}&#39;</span> <span class="p">|</span> sort <span class="p">|</span> uniq -c <span class="p">|</span> sort -nr <span class="p">|</span> head -n <span class="m">20</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="m">5165</span> admin </span></span><span class="line"><span class="cl"><span class="m">3387</span> user </span></span><span class="line"><span class="cl"><span class="m">3154</span> ubuntu </span></span><span class="line"><span class="cl"><span class="m">1400</span> debian </span></span><span class="line"><span class="cl"><span class="m">1337</span> thym </span></span><span class="line"><span class="cl"><span class="m">1333</span> oracle </span></span><span class="line"><span class="cl"><span class="m">1200</span> xnberwa* </span></span><span class="line"><span class="cl">... </span></span></code></pre></div><p>This pulls the username field from lastb, counts occurrences, and sorts them by frequency. It’s a fast way to see which default usernames bots try first (admin, ubuntu, user, etc.).</p> <p>I also turned the output into JSON so it was easy to post‑process with jq:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">λ python3 - <span class="s">&lt;&lt;&#39;PY&#39; | jq </span></span></span><span class="line"><span class="cl"><span class="s">import subprocess, json </span></span></span><span class="line"><span class="cl"><span class="s">cmd = &#34;sudo lastb -F | awk &#39;{print $1}&#39; | sort | uniq -c | sort -nr&#34; </span></span></span><span class="line"><span class="cl"><span class="s">out = subprocess.check_output(cmd, shell=True, text=True) </span></span></span><span class="line"><span class="cl"><span class="s">data = [] </span></span></span><span class="line"><span class="cl"><span class="s">for line in out.splitlines(): </span></span></span><span class="line"><span class="cl"><span class="s">parts = line.strip().split(None, 1) </span></span></span><span class="line"><span class="cl"><span class="s">if len(parts) != 2: </span></span></span><span class="line"><span class="cl"><span class="s">continue </span></span></span><span class="line"><span class="cl"><span class="s">count, user = parts </span></span></span><span class="line"><span class="cl"><span class="s">data.append({&#34;user&#34;: user, &#34;count&#34;: int(count)}) </span></span></span><span class="line"><span class="cl"><span class="s">print(json.dumps(data)) </span></span></span><span class="line"><span class="cl"><span class="s">PY</span> </span></span></code></pre></div><p>Next I wanted to see the most active source IPs to figure out how often they had tried:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">λ sudo lastb -F <span class="p">|</span> awk <span class="s1">&#39;{print $3}&#39;</span> <span class="p">|</span> sort <span class="p">|</span> uniq -c <span class="p">|</span> sort -nr <span class="p">|</span> head -n <span class="m">30</span> </span></span><span class="line"><span class="cl"> <span class="m">1776</span> 185.246.128.171 </span></span><span class="line"><span class="cl"> <span class="m">636</span> 193.32.162.151 </span></span><span class="line"><span class="cl"> <span class="m">627</span> 213.176.0.19 </span></span><span class="line"><span class="cl"> <span class="m">549</span> 80.94.92.186 </span></span><span class="line"><span class="cl"> <span class="m">429</span> 165.227.230.243 </span></span><span class="line"><span class="cl"> <span class="m">374</span> 218.23.120.71 </span></span><span class="line"><span class="cl"> <span class="m">374</span> 181.177.142.103 </span></span><span class="line"><span class="cl"> <span class="m">374</span> 178.21.164.139 </span></span><span class="line"><span class="cl"> <span class="m">374</span> 103.88.112.66 </span></span><span class="line"><span class="cl"> <span class="m">367</span> 64.227.79.57 </span></span><span class="line"><span class="cl"> <span class="m">350</span> 14.139.239.130 </span></span><span class="line"><span class="cl"> <span class="m">346</span> 89.187.7.147 </span></span><span class="line"><span class="cl"> <span class="m">346</span> 51.79.104.129 </span></span><span class="line"><span class="cl"> <span class="m">346</span> 34.124.164.19 </span></span><span class="line"><span class="cl"> <span class="m">346</span> 220.130.131.117 </span></span><span class="line"><span class="cl"> <span class="m">346</span> 185.79.158.198 </span></span><span class="line"><span class="cl"> <span class="m">346</span> 156.236.75.178 </span></span><span class="line"><span class="cl"> <span class="m">346</span> 123.58.212.100 </span></span><span class="line"><span class="cl"> <span class="m">346</span> 1.165.130.37 </span></span><span class="line"><span class="cl"> <span class="m">346</span> 112.203.69.83 </span></span><span class="line"><span class="cl"> <span class="m">346</span> 103.90.67.3 </span></span><span class="line"><span class="cl"> <span class="m">334</span> 2.57.122.238 </span></span><span class="line"><span class="cl"> <span class="m">334</span> 213.209.159.158 </span></span><span class="line"><span class="cl"> <span class="m">332</span> 27.155.92.28 </span></span><span class="line"><span class="cl"> <span class="m">330</span> 103.239.252.132 </span></span><span class="line"><span class="cl"> <span class="m">325</span> 220.194.79.36 </span></span><span class="line"><span class="cl"> <span class="m">282</span> 189.89.20.45 </span></span><span class="line"><span class="cl"> <span class="m">275</span> 134.209.182.177 </span></span><span class="line"><span class="cl"> <span class="m">274</span> 167.99.214.186 </span></span><span class="line"><span class="cl"> <span class="m">273</span> 193.32.162.145 </span></span></code></pre></div><p>This brought up an interesting detail: multiple IPs showed up with identical attempt counts (e.g. 346, 374).</p> <p>That likely hints at automated scanners or botnets:</p> <ul> <li>Rate‑limited scanners that stop after a fixed number of attempts</li> <li>Distributed scan batches where each node runs the same attempt list</li> <li>Cloud scanning fleets using uniform limits</li> </ul> <p>At that point I had seen enough. I decided to move real SSH off port 22 and place a tarpit there instead to detect these silly attempts and waste their time and compute.</p> <h2 id="what-i-did-high-level">What I did (high level) </h2><ul> <li>Moved real SSH away from port 22 to some obscure port</li> <li>Put endlessh‑go on port 22 as a tarpit</li> <li>Enabled Prometheus metrics for endlessh‑go</li> <li>Visualized the results in Grafana</li> </ul> <h2 id="why-endlesshgo">Why endlessh‑go? </h2><p>Classic endlessh is great, but endlessh‑go exposes Prometheus metrics. That means I can track how often port 22 is hit, how long connections stay open, and how many concurrent connections are active. Most importantly, I get a nice‑looking Grafana dashboard visualizing these Prometheus metrics and some sweet validation that the decision was indeed correct, as the internet has become a burning pile of trash and no open port is safe from unscrupulous beings trying to find a way onto your machine with its sweet public IP.</p> <h2 id="nixos-setup">NixOS setup </h2><h3 id="move-real-ssh-off-port-22">Move real SSH off port 22 </h3><p>I moved SSH to a non‑default port, and opened that port in the firewall:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nix" data-lang="nix"><span class="line"><span class="cl"><span class="n">services</span><span class="o">.</span><span class="n">openssh</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">enable</span> <span class="o">=</span> <span class="no">true</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">ports</span> <span class="o">=</span> <span class="p">[</span> <span class="sr">&lt;OBSCURE_PORT&gt;</span> <span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="n">openFirewall</span> <span class="o">=</span> <span class="no">true</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">};</span> </span></span></code></pre></div><h3 id="run-endlesshgo-on-port-22-on-this-host">Run endlessh‑go on port 22 on this host </h3><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nix" data-lang="nix"><span class="line"><span class="cl"><span class="n">services</span><span class="o">.</span><span class="n">endlessh-go</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">enable</span> <span class="o">=</span> <span class="no">true</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">listenAddress</span> <span class="o">=</span> <span class="s2">&#34;0.0.0.0&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">port</span> <span class="o">=</span> <span class="mi">22</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">openFirewall</span> <span class="o">=</span> <span class="no">true</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">prometheus</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">enable</span> <span class="o">=</span> <span class="no">true</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span><span class="line"><span class="cl"> <span class="n">extraOptions</span> <span class="o">=</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;-geo_ip_supplier=ip-api&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">];</span> </span></span><span class="line"><span class="cl"><span class="p">};</span> </span></span></code></pre></div><h3 id="prometheus-scrape-config">Prometheus scrape config </h3><p>The endlessh‑go module exposes Prometheus metrics, so I just added a scrape job (conditional on it being enabled):</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nix" data-lang="nix"><span class="line"><span class="cl"><span class="p">(</span><span class="n">mkIf</span> <span class="p">(</span><span class="n">config</span><span class="o">.</span><span class="n">services</span><span class="o">.</span><span class="n">endlessh-go</span><span class="o">.</span><span class="n">enable</span> <span class="o">&amp;&amp;</span> <span class="n">config</span><span class="o">.</span><span class="n">services</span><span class="o">.</span><span class="n">endlessh-go</span><span class="o">.</span><span class="n">prometheus</span><span class="o">.</span><span class="n">enable</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">job_name</span> <span class="o">=</span> <span class="s2">&#34;endlessh-go&#34;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">static_configs</span> <span class="o">=</span> <span class="p">[{</span> </span></span><span class="line"><span class="cl"> <span class="n">targets</span> <span class="o">=</span> <span class="n">mkTargetsFor</span> <span class="n">config</span><span class="o">.</span><span class="n">services</span><span class="o">.</span><span class="n">endlessh-go</span><span class="o">.</span><span class="n">prometheus</span><span class="o">.</span><span class="n">port</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="k">if</span> <span class="n">cfg</span><span class="o">.</span><span class="n">scrapeHosts</span> <span class="o">?</span> <span class="n">endlesshGo</span> <span class="k">then</span> <span class="n">cfg</span><span class="o">.</span><span class="n">scrapeHosts</span><span class="o">.</span><span class="n">endlesshGo</span> <span class="k">else</span> <span class="no">null</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="p">}];</span> </span></span><span class="line"><span class="cl"><span class="p">})</span> </span></span></code></pre></div><p>And for my VPS’s scrape hosts config:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-nix" data-lang="nix"><span class="line"><span class="cl"><span class="n">scrapeHosts</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="o">...</span> </span></span><span class="line"><span class="cl"> <span class="n">endlesshGo</span> <span class="o">=</span> <span class="p">[</span> <span class="s2">&#34;localhost&#34;</span> <span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="o">...</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><h2 id="grafana-dashboard">Grafana dashboard </h2><p>I used the official endlessh‑go dashboard from the endlessh-go project:</p> <p><a class="link" href="https://grafana.com/grafana/dashboards/15156-endlessh/" target="_blank" rel="noopener" >https://grafana.com/grafana/dashboards/15156-endlessh/</a></p> <p>It worked without any adaptations.</p> <p>(I’ll add a screenshot here later.)</p> <h2 id="closing-thoughts">Closing thoughts </h2><p>This was a small change with a noticeable impact:</p> <ul> <li>The auth log noise dropped</li> <li>Scanners now waste time and compute on a tarpit</li> <li>I get metrics to see the scale of the problem</li> </ul> <p>If you run any public server, I’d recommend doing the same.</p>