by k33n 2109 days ago
The tarpit approach is a double-edged sword. Sure, you're keeping some script kiddie's machine locked up (maybe), but you're also keeping socket connections open and wasting resources on the machine they are targeting. A much more efficient approach is using fail2ban and a firewall to just drop traffic from offenders.
3 comments

Tarpits aren't really a defense mechanism. They're meant to waste attackers' time and study their techniques, making attacks more expensive.

It's sort of like those YouTube channels where they waste phone scammers' time in an entertaining way. [0] Obviously, the easiest thing for the callee to do is hang up the phone, but their goal is to make phone scams less profitable.

[0] https://en.wikipedia.org/wiki/Jim_Browning_(YouTuber)

> where they waste phone scammers' time in an entertaining way.

This can also be automated, so the defender doesn't even need to waste their own time on it. E.g. https://old.reddit.com/r/itslenny/ .

Depends upon how you are doing the tarpitting. Back when I did this (15 years ago) I used a program that created a raw socket to handle all TCP traffic that just responded with 0-byte sized windows to all TCP packets (so overhead was minimal). I placed this software on a dedicated server (an old box that wasn't being used otherwise) and routed all our unused IP space to this system. It could keep thousands of connections "live" with minimal resources.
You could also do a combined approach with the tarpit + a fail2ban parser that could just ban people stuck for longer than x seconds.
In my experience, fail2ban only helps if requests come from a small number of IP addresses. I usually observed a trickle of requests from a huge number of IP addresses, at most 1-2 requests from each IP over the course of days.
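The two comments above (banning addresses that stay stuck in the tarpit, and fail2ban's blind spot for a distributed trickle) can be made concrete with a small parser. This is an added example, not code posted in the thread and not fail2ban's own implementation: the tarpit log format is hypothetical (`<ISO time> open|close <ip>:<port>`), the sample log lines and attempt timelines are constructed, and the findtime/maxretry counter is a re-implementation of fail2ban's sliding-window rule, not a call into fail2ban.

```python
"""Added example: ban-by-tarpit-duration versus a fail2ban-style findtime/maxretry
counter. Log format, addresses and timelines are constructed for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log from a hypothetical tarpit daemon. One line per event:
# "<ISO timestamp> <open|close> <ip>:<port>". Addresses are documentation ranges.
SAMPLE_TARPIT_LOG = """\
2024-01-05T10:00:00 open 203.0.113.7:51234
2024-01-05T10:00:01 open 198.51.100.9:40001
2024-01-05T10:00:03 close 198.51.100.9:40001
2024-01-05T10:00:05 open 203.0.113.7:51235
2024-01-05T10:02:30 close 203.0.113.7:51234
2024-01-05T10:03:00 open 192.0.2.44:22000
"""


def parse_tarpit_log(text):
    """Yield (timestamp, event, ip, port) for each non-empty line of the constructed format."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        when, event, endpoint = line.split()
        ip, port = endpoint.rsplit(":", 1)
        yield datetime.fromisoformat(when), event, ip, int(port)


def stuck_ips(text, min_seconds, now):
    """Return the sorted IPs that held at least one tarpit connection for >= min_seconds.

    Connections that have an 'open' but no 'close' yet are still stuck, so their
    duration is measured against `now` rather than ignored."""
    opened = {}                     # (ip, port) -> open time for in-flight connections
    longest = defaultdict(float)    # ip -> longest observed hold in seconds
    for when, event, ip, port in parse_tarpit_log(text):
        key = (ip, port)
        if event == "open":
            opened[key] = when
        elif event == "close" and key in opened:
            held = (when - opened.pop(key)).total_seconds()
            longest[ip] = max(longest[ip], held)
    for (ip, _port), start in opened.items():
        longest[ip] = max(longest[ip], (now - start).total_seconds())
    return sorted(ip for ip, held in longest.items() if held >= min_seconds)


def fail2ban_candidates(events, maxretry, findtime):
    """fail2ban-style rule: an IP is a ban candidate once `maxretry` events from it
    fall inside any window of `findtime` seconds. `events` is an iterable of
    (datetime, ip) in time order. Sliding window per IP, oldest entries evicted."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = set()
    for when, ip in events:
        q = recent[ip]
        q.append(when)
        while q and when - q[0] > window:
            q.popleft()
        if len(q) >= maxretry:
            banned.add(ip)
    return banned


def distributed_trickle(start, n_ips=50, hours_apart=2):
    """Constructed timeline: n_ips distinct addresses, two attempts each, 30 minutes
    apart, with successive addresses `hours_apart` hours apart (days in total)."""
    events = []
    for i in range(n_ips):
        t = start + timedelta(hours=i * hours_apart)
        events.append((t, f"198.51.100.{i}"))
        events.append((t + timedelta(minutes=30), f"198.51.100.{i}"))
    return sorted(events)


def single_source_brute(start, attempts=5):
    """Constructed timeline: one address, `attempts` attempts one minute apart."""
    return [(start + timedelta(minutes=i), "203.0.113.7") for i in range(attempts)]


if __name__ == "__main__":
    now = datetime.fromisoformat("2024-01-05T10:05:00")
    print("stuck >= 60s:", stuck_ips(SAMPLE_TARPIT_LOG, 60, now))
    t0 = datetime.fromisoformat("2024-01-01T00:00:00")
    print("trickle, maxretry=5/600s:", fail2ban_candidates(distributed_trickle(t0), 5, 600))
    print("trickle, maxretry=2/600s:", fail2ban_candidates(distributed_trickle(t0), 2, 600))
    print("single source:", fail2ban_candidates(single_source_brute(t0), 5, 600))
```

With the sample log, `stuck_ips(..., 60, now)` reports 203.0.113.7 (one connection closed after 150 s, another still open) and 192.0.2.44 (still open), while 198.51.100.9 left after 2 s and is not a candidate; that is the "ban people stuck for longer than x seconds" feed. The trickle timeline is empty for the fail2ban-style counter even at maxretry=2 with a 10-minute findtime, because each address's two attempts are 30 minutes apart, whereas the single-source timeline trips it on the fifth attempt.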

A tarpit will likely hurt you, as the system ties up sockets for a long time and you'll run out eventually. You'd have to combine the tarpit with something to limit the number of connections you accept.

IMO, setting up ssh on another port has been useful, especially combined with port knocking. And of course turning off password auth.