Message ID | 874kwx91k6.fsf@guixSD.i-did-not-set--mail-host-address--so-tickle-me
---|---
State | Under Review
Series | [bug#39136] gnu: services: Add endlessh.

Context | Check | Description
---|---|---
cbaines/applying patch | fail | Apply failed
Hi,

That patch was forgotten for some reason, but we still have a successfully built ‘endlessh’ package that is missing a service! :-)

anothersms@gmail.com (Nicolò Balzarotti) writes:

> This is my first service :) I know I still miss documentation and tests,
> but before diving into it I wanted a general feedback on it (so that if
> we decide to change something I don't have to adjust the docs and the
> tests twice).

Tests are appreciated ;-)

> Endlessh is already in the repo, but for those who don't know: it's a
> fake ssh server; it should be used to prevent bruteforce attacks and the
> like by "freezing" the connection on the standard port (while the real
> ssh server is on another non-standard port). So, I don't know if the
> default port should be 22 or, as it is now, 2222 (program's default).

2222 is OK. But we need this to be documented in ‘doc/guix.texi’. Could you take a look at this, please?

> My second doubt is regarding the place; it's an ssh server, but its main
> purpose is for security? Maybe it should go under admin.scm? I'm not sure.

I think gnu/services/ssh.scm is good.

[…]

> +(define-record-type* <endlessh-configuration>
> +  endlessh-configuration make-endlessh-configuration
> +  endlessh-configuration?
> +  ;; list of two symbols, allowed values are ipv4, ipv6 or both
> +  (bind-family endlessh-configuration-bind-family (default '(ipv4 ipv6)))

Please move the ‘(default …)’ forms onto a separate line.

[…]

Otherwise LGTM. Could you send an update with a documented service?

Thanks,
Oleg.
So I've been working on this endlessh service for a while. I believe it could be better, but a perfectionist can only do one thing perfectly: nothing. So I've submitted the above patch series. Let me know if it needs more work.

At the moment, I believe that endlessh runs as root. It would be nice to let it run as user nobody or something like that. The endlessh systemd file provides an example of how to do that:

https://github.com/skeeto/endlessh/blob/master/util/endlessh.service

    ## If you want Endlessh to bind on ports < 1024
    ## 1) run:
    ##     setcap 'cap_net_bind_service=+ep' /usr/local/bin/endlessh
    ## 2) uncomment following line
    #AmbientCapabilities=CAP_NET_BIND_SERVICE
    ## 3) comment following line
    PrivateUsers=true

Though setcap 'cap_net_bind_service=+ep' is Linux specific. And I'm not certain if Guix has a method for running setcap on items in the store.

Those are just some relevant thoughts for improving the service!

Thanks!
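The point above, that the service should not hold root, can be addressed without setcap at all as long as endlessh keeps its default port 2222: Shepherd's `make-forkexec-constructor` accepts `#:user` and `#:group` and changes identity before `exec`. The following is an added example, not code from the patch series or from the Guix tree. It assumes the `<endlessh-configuration>` record and `endlessh-config->conf` from the patch are in scope, that the `endlessh` package lives in `(gnu packages ssh)`, and it introduces a dedicated `endlessh` system user and group of its own choosing; the `/unprivileged` suffixes on the names are ours.

```scheme
;; Added example (not from the patch or from Guix): run the endlessh
;; tarpit as a dedicated system user instead of root.
(use-modules (gnu)                    ; re-exports user-account, user-group,
                                      ; account-service-type, service-type, ...
             (gnu services shepherd)
             (gnu packages admin)     ; shadow, for /sbin/nologin
             (gnu packages ssh)       ; assumed: the endlessh package
             (guix gexp))

;; Assumed: a dedicated account so the daemon never carries root's identity.
;; /var/empty and nologin leave it with no writable home and no login shell.
(define %endlessh-accounts
  (list (user-group (name "endlessh") (system? #t))
        (user-account
         (name "endlessh")
         (group "endlessh")
         (system? #t)
         (comment "Endlessh tarpit daemon")
         (home-directory "/var/empty")
         (shell (file-append shadow "/sbin/nologin")))))

(define (endlessh-shepherd-service/unprivileged config)
  (shepherd-service
   (documentation "Run endlessh tarpit server as an unprivileged user.")
   (provision '(endlessh))
   (requirement '(networking))
   (start #~(make-forkexec-constructor
             (list #$(file-append endlessh "/bin/endlessh")
                   "-f" #$(endlessh-config->conf config))
             ;; Shepherd setgid()s/setuid()s to this identity before exec.
             ;; This is enough only because the configured port (2222 by
             ;; default) is above 1024: binding port 22 this way would need
             ;; CAP_NET_BIND_SERVICE, which this example does not grant.
             #:user "endlessh"
             #:group "endlessh"))
   (stop #~(make-kill-destructor))))

(define endlessh-service-type/unprivileged
  (service-type
   (name 'endlessh)
   (description "Run endlessh tarpit server as a dedicated system user.")
   (extensions
    (list (service-extension shepherd-root-service-type
                             (compose list endlessh-shepherd-service/unprivileged))
          ;; Create the user and group above on every reconfigure.
          (service-extension account-service-type
                             (const %endlessh-accounts))))
   (default-value (endlessh-configuration))))

;; Usage, in an operating-system declaration:
;;   (services (cons (service endlessh-service-type/unprivileged)
;;                   %base-services))
```

Dropping privileges this way is orthogonal to the containerisation discussed later in the thread: it removes root from the long-running process but does not give it a private mount or user namespace, and it does nothing for a `port-number` below 1024, where a capability or a higher-privileged listener would still be needed.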
Hello!

I just submitted a patch series for an endlessh service! However, issues.guix.gnu.org/39136 does not properly show the patch series. :( Maybe I just submitted the patch series incorrectly. :)

You can see the patch series here:

https://lists.gnu.org/archive/html/guix-patches/2021-03/msg00672.html

And via M-x debbugs-gnu-bugs RET 39136 RET

I'm not certain what the issue is... This is the command that I used to send the patch series.

#+BEGIN_SRC sh
git send-email --to=39136@debbugs.gnu.org HEAD~2
#+END_SRC

Thanks!

Your friend,

Joshua
Ping for Oleg!

Thanks!

Joshua

P.S. I forgot to include your email in the patch series. I know the patch series could be better, but I figured I'd rather submit something than nothing. Thanks!
Hello,

I failed to test endlessh with the "services: containerized endlessh" patch in a virtual machine. Unfortunately at the moment I'm not familiar with the ‘make-forkexec-constructor/container’ machinery, and have no idea what is causing the boot hang. The failed VM config is attached.

I succeeded in testing without "services: containerized endlessh". If you wish to fix the problem, ping me when you're done. Otherwise I could push a working version without containerization.

Thanks,
Oleg.
Oleg Pykhalov <go.wigust@gmail.com> writes:

> Hello,
>
> I failed to test endlessh with the "services: containerized endlessh"
> patch in a virtual machine. Unfortunately at the moment I'm not familiar
> with the ‘make-forkexec-constructor/container’ machinery, and have no
> idea what is causing the boot hang. The failed VM config is attached.
>
> I succeeded in testing without "services: containerized endlessh". If
> you wish to fix the problem, ping me when you're done. Otherwise I could
> push a working version without containerization.

Oh, I suppose that I will try to get containerization working on this service. I'd prefer to have it containerized, since it is running as root.

Thanks!

> Thanks,
> Oleg.

--
Joshua Branson (joshuaBPMan in #guix)
Sent from Emacs and Gnus
https://gnucode.me
https://video.hardlimit.com/accounts/joshua_branson/video-channels
https://propernaming.org
"You can have whatever you want, as long as you help enough other people get what they want." - Zig Ziglar
Hello,

Joshua Branson <jbranso@dismail.de> writes:

> Oleg Pykhalov <go.wigust@gmail.com> writes:
>
>> Hello,
>>
>> I failed to test endlessh with the "services: containerized endlessh"
>> patch in a virtual machine. Unfortunately at the moment I'm not familiar
>> with the ‘make-forkexec-constructor/container’ machinery, and have no
>> idea what is causing the boot hang. The failed VM config is attached.
>>
>> I succeeded in testing without "services: containerized endlessh". If
>> you wish to fix the problem, ping me when you're done. Otherwise I could
>> push a working version without containerization.
>
> Oh, I suppose that I will try to get containerization working on this
> service. I'd prefer to have it containerized, since it is running as
> root.

This was 2 years ago :-). Any update?
August 31, 2023 10:37 PM, "Maxim Cournoyer" <maxim.cournoyer@gmail.com> wrote:

> Hello,
>
> Joshua Branson <jbranso@dismail.de> writes:
>
>> Oleg Pykhalov <go.wigust@gmail.com> writes:
>>
>>> Hello,
>>>
>>> I failed to test endlessh with the "services: containerized endlessh"
>>> patch in a virtual machine. Unfortunately at the moment I'm not familiar
>>> with the ‘make-forkexec-constructor/container’ machinery, and have no
>>> idea what is causing the boot hang. The failed VM config is attached.
>>>
>>> I succeeded in testing without "services: containerized endlessh". If
>>> you wish to fix the problem, ping me when you're done. Otherwise I could
>>> push a working version without containerization.
>>
>> Oh, I suppose that I will try to get containerization working on this
>> service. I'd prefer to have it containerized, since it is running as
>> root.
>
> This was 2 years ago :-). Any update?

If you are OK with a non-containerized endlessh, then I can submit a patch adding that. Endlessh works on Guix System, but I was not able to get the containerized version working.

> --
> Thanks,
> Maxim
Hello,

jbranso@dismail.de writes:

> August 31, 2023 10:37 PM, "Maxim Cournoyer" <maxim.cournoyer@gmail.com> wrote:
>
>> Hello,
>>
>> Joshua Branson <jbranso@dismail.de> writes:
>>
>>> Oleg Pykhalov <go.wigust@gmail.com> writes:
>>>
>>>> Hello,
>>>>
>>>> I failed to test endlessh with the "services: containerized endlessh"
>>>> patch in a virtual machine. Unfortunately at the moment I'm not familiar
>>>> with the ‘make-forkexec-constructor/container’ machinery, and have no
>>>> idea what is causing the boot hang. The failed VM config is attached.
>>>>
>>>> I succeeded in testing without "services: containerized endlessh". If
>>>> you wish to fix the problem, ping me when you're done. Otherwise I could
>>>> push a working version without containerization.
>>>
>>> Oh, I suppose that I will try to get containerization working on this
>>> service. I'd prefer to have it containerized, since it is running as
>>> root.
>>
>> This was 2 years ago :-). Any update?
>
> If you are OK with a non-containerized endlessh, then I can submit a patch
> adding that. Endlessh works on Guix System, but I was not able to get
> the containerized version working.

If you could make a system test to go with it, that'd be super! We can always refine later with regard to containerization.
From 63f975ec47de8ab951beaac6781327faf06d0cac Mon Sep 17 00:00:00 2001 From: nixo <nicolo@nixo.xyz> Date: Tue, 14 Jan 2020 22:08:15 +0100 Subject: [PATCH] gnu: services: Add endlessh. * gnu/services/ssh.scm (endlessh): New variable. --- gnu/services/ssh.scm | 74 +++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 73 insertions(+), 1 deletion(-) diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm index d2dbb8f80d..d2729fb059 100644 --- a/gnu/services/ssh.scm +++ b/gnu/services/ssh.scm @@ -45,7 +45,11 @@ dropbear-configuration dropbear-configuration? dropbear-service-type - dropbear-service)) + dropbear-service + + endlessh-configuration + endlessh-configuration? + endlessh-service-type)) ;;; Commentary: ;;; 
@@ -628,4 +632,72 @@ daemon} with the given @var{config}, a @code{<dropbear-configuration>} object." (service dropbear-service-type config)) + +;;; +;;; Endlessh. +;;; + +(define-record-type* <endlessh-configuration> + endlessh-configuration make-endlessh-configuration + endlessh-configuration? + ;; list of two symbols, allowed values are ipv4, ipv6 or both + (bind-family endlessh-configuration-bind-family (default '(ipv4 ipv6))) + ;; integer + (delay endlessh-configuration-delay (default 10000)) + ;; integer + ;; Must be in the range + (length endlessh-configuration-length (default 32)) + ;; integer + (max-clients endlessh-configuration-max-clients (default 4096)) + ;; integer + (port-number endlessh-configuration-port-number (default 2222)) + ;; integer + ;; Allowed values are 0, 1 and 2 + (log-level endlessh-configuration-log-level (default 0))) + +(define (endlessh-config->conf config) + "Convert the CONFIG of type <endlessh-config> to a config file." + (let* ((family (endlessh-configuration-bind-family config)) + (ipv4 (member 'ipv4 family)) + (ipv6 (member 'ipv6 family)) + (port (endlessh-configuration-port-number config)) + (delay (endlessh-configuration-delay config)) + (length (endlessh-configuration-length config)) + (log-level (endlessh-configuration-log-level config)) + (max-clients (endlessh-configuration-max-clients config)) + (bind + ;; check if both are true (0), or only one of them is present + (if (not (and (equal? 
ipv4 ipv6) ipv4)) + (if ipv4 4 + (if ipv6 6 + (throw 'endlessh-error + "bind-family must contain at least one value"))) + 0))) + (mixed-text-file "endlessh.conf" + "# Generated by 'endlessh-config'.\n\n" + "Port " (number->string port) "\n" + "Delay " (number->string delay) "\n" + "MaxLineLength " (number->string length) "\n" + "MaxClients " (number->string max-clients) "\n" + "LogLevel " (number->string log-level) "\n" + "BindFamily " (number->string bind) "\n"))) + +(define (endlessh-shepherd-service config) + (shepherd-service + (documentation "Run endlessh tarpit server.") + (provision '(endlessh)) + (start #~(make-forkexec-constructor + (list #$(file-append endlessh "/bin/endlessh") + "-f" #$(endlessh-config->conf config)))) + (stop #~(make-kill-destructor)))) + +(define endlessh-service-type + (service-type + (name 'endlessh) + (description "Run endlessh tarpit server.") + (extensions + (list (service-extension shepherd-root-service-type + (compose list endlessh-shepherd-service)))) + (default-value (endlessh-configuration)))) + ;;; ssh.scm ends here -- 2.24.1
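Review bot: the export hunk adds `endlessh-configuration`, `endlessh-configuration?` and `endlessh-service-type` to the `#:export` list, but the ChangeLog entry in the commit message says `(endlessh): New variable`, which names none of them; please list the variables this patch actually defines (`endlessh-configuration`, `endlessh-config->conf`, `endlessh-shepherd-service`, `endlessh-service-type`) so the log matches the hunk.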
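Review bot: the BindFamily computation in `endlessh-config->conf` never produces 0 for the default `'(ipv4 ipv6)`, contrary to the "check if both are true (0)" comment, because `ipv4` and `ipv6` hold the tails returned by `member` (`'(ipv4 ipv6)` and `'(ipv6)`), which are never `equal?`; the `(not (and (equal? ipv4 ipv6) ipv4))` test is therefore true and the code falls into `(if ipv4 4 ...)`, so a default configuration writes `BindFamily 4` and listens on IPv4 only. Test presence instead of comparing tails, e.g. `(cond ((and ipv4 ipv6) 0) (ipv4 4) (ipv6 6) (else (throw 'endlessh-error "bind-family must contain at least one value")))`. Smaller points in the same hunk: the docstring refers to a `<endlessh-config>` type while the record is `<endlessh-configuration>`; the `;; Must be in the range` comment on `length` trails off without stating a range, and neither `length` nor `log-level` (restricted to 0, 1 and 2 by its comment) is validated, so a bad value only surfaces when endlessh rejects the generated file at start-up; binding `length` and `delay` in the `let*` shadows Guile's `length` procedure and `delay` syntax within the body, so names like `max-line-length` and `delay-ms` would be safer; `make-forkexec-constructor` is called without `#:user`/`#:group`, so the tarpit runs as root although the default port 2222 needs no privilege; and, as Oleg asked, each `(default …)` belongs on its own line.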