SSH Tarpit

I use Cloudflare for my public web ingress tunneling and Tailscale for my private services, and between these two I don't actually need to have any ports open on my machines. I do still leave my SSH server open on a non-standard port (key auth only) just in case something happens to the Tailscale connection. This leaves port 22 - what do you do with that? Just leave it closed? No, you stick a tarpit on it so you can waste some spammer's time.

The Tarpit

I use the Docker container from this repository, which takes the original idea from EndleSSH and adds some more features. Namely, this one geolocates attackers by IP and exports everything to Prometheus. It also packages everything up in a handy Docker container.

This page uses the stats collected by my Prometheus instance. It was last updated on .

The Data

I've had this exporter running for about a year now. Let's see how much time we've wasted.

It turns out we have, on average, a little over one concurrent connection at any given time. In the last year we wasted hours - times the number of hours in a year.

While we typically hover around 1 concurrent connection at any point, there have been some very busy days. You can see a huge spike caused by one moment on 11/24 where we briefly had over 200 simultaneous connections. Here's a version of the plot without the 99th percentile:

There seems to have been a lull through this past fall (October, mainly). I also expected much more of a spike over the summer after the xz vulnerability.

The Attackers

So who's trying to connect? And where are they?

An Aside

Is it fair to categorize anyone trying to connect to port 22 as an attacker? After all, I'm the one who made the port publicly available. Maybe someone mistyped their own IP address, or a client is misconfigured, or maybe internet researchers are trying to connect to collect data.

Well, I'm taking the unfair leap that anyone who gets stuck in this tarpit ten times or more is either an attacker or has a similar enough effect to be categorized as one. If you see your IP on the list below and feel as though you've been miscategorized as an attacker, you can remove yourself from the list by stopping the malicious connections. For more information, see Dr. Neal Krawetz's post about scans vs attacks.

With that hurdle crossed, let's look at the data. Here are the top offending IPs from the last three months, ranked by total number of connections. I also ran a reverse DNS lookup on each to see if they had any associated hostnames.
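The ranking described above, as an added example that is not the code behind this page: it applies the ten-connection cutoff and the sort by total connections to tarpit log lines instead of Prometheus metrics. The log format is an assumption modelled on the CLOSE records of the original Endlessh, and the sample lines are constructed, using documentation-range addresses.

```python
import re
from collections import defaultdict

ATTACKER_THRESHOLD = 10  # "ten times or more", the cutoff used in the post

# Assumed line format, modelled on the original Endlessh CLOSE record;
# adjust the pattern to whatever your tarpit actually writes.
CLOSE_RE = re.compile(
    r"^\S+ CLOSE host=(?:::ffff:)?(?P<ip>\S+) port=\d+ fd=\d+ "
    r"time=(?P<secs>\d+(?:\.\d+)?) bytes=\d+$"
)

def _line(ip, n, secs):
    """Build one constructed CLOSE record for the sample log."""
    return (f"2024-11-24T03:{n:02d}:00.000Z CLOSE host=::ffff:{ip} "
            f"port={40000 + n} fd=4 time={secs:.3f} bytes=120")

# Constructed sample input (RFC 5737 documentation addresses).
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", n, 300.0) for n in range(12)]     # persistent client
    + [_line("198.51.100.23", n, 45.5) for n in range(10)]  # exactly at the cutoff
    + [_line("192.0.2.50", n, 20.0) for n in range(2)]      # typo or one-off scan
    + ["2024-11-24T04:00:00.000Z ACCEPT host=::ffff:192.0.2.50 port=41000 fd=5 n=1/4096"]
)

def summarize(log_text):
    """Return {ip: (connections, trapped_seconds)} from CLOSE records."""
    stats = defaultdict(lambda: [0, 0.0])
    for line in log_text.splitlines():
        m = CLOSE_RE.match(line.strip())
        if not m:
            continue  # ACCEPT records and malformed lines carry no duration
        stats[m["ip"]][0] += 1
        stats[m["ip"]][1] += float(m["secs"])
    return {ip: (count, secs) for ip, (count, secs) in stats.items()}

def top_offenders(log_text, threshold=ATTACKER_THRESHOLD):
    """IPs at or above the cutoff, ranked by total connections."""
    rows = [(ip, c, s) for ip, (c, s) in summarize(log_text).items() if c >= threshold]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

def wasted_hours(log_text):
    """Total time all clients spent stuck in the tarpit, in hours."""
    return sum(secs for _, secs in summarize(log_text).values()) / 3600

if __name__ == "__main__":
    for ip, count, secs in top_offenders(SAMPLE_LOG):
        print(f"{ip:15} {count:4d} connections {secs / 3600:6.2f} h trapped")
    print(f"total wasted: {wasted_hours(SAMPLE_LOG):.2f} h")
```

Counting only CLOSE records means connections still held open when the log is read are not included in the wasted time.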

The Map

Let's go ahead and throw those on a map.

I expect many of these are proxied, and so are more revealing of providers that just aren't as responsive to takedown requests or reports of malicious activity than the locations of actual attackers. Still, it's interesting to see where the hotspots are.

Aggregated

We can also break down the stats by country or domain to see just how egregious some are.