Cleaned up some more wordpress issues

content/post/2024-06-24-fun-with-bots-ssh-tarpitting.md

@@ -16,7 +16,7 @@ For those of you who aren’t familiar with the concept of a network tarpit it i
 
 > A **tarpit** is a service on a [computer system](https://en.wikipedia.org/wiki/Computer_system) (usually a [server](https://en.wikipedia.org/wiki/Server_(computing))) that purposely delays incoming connections. The technique was developed as a defense against a [computer worm](https://en.wikipedia.org/wiki/Computer_worm), and the idea is that [network](https://en.wikipedia.org/wiki/Computer_network) abuses such as [spamming](https://en.wikipedia.org/wiki/Spamming) or broad scanning are less effective, and therefore less attractive, if they take too long. The concept is analogous with a [tar pit](https://en.wikipedia.org/wiki/Tar_pit), in which animals can get bogged down and slowly sink under the surface, like in a [swamp](https://en.wikipedia.org/wiki/Swamp).
 > 
-> <cite>[https://en.wikipedia.org/wiki/Tarpit\_(networking)](https://en.wikipedia.org/wiki/Tarpit_(networking))</cite>
+> [https://en.wikipedia.org/wiki/Tarpit\_(networking)](https://en.wikipedia.org/wiki/Tarpit_(networking))
 
 If you run any sort of service on the internet then you know as soon as your server has a public IP address and open ports, there are scanners and bots trying to get in constantly. If you take decent steps towards security then it is little more than an annoyance, but annoying all the less. One day when I had some extra time on my hands I started researching ways to mess with the bots trying to scan/attack my site.
 
@@ -34,11 +34,11 @@ It turns out that this problem has been solved multiple times in multiple ways.
 >    wrappers to display an error message before disconnecting.
 > ```
 > 
-> <cite>SSH RFC</cite>
+> SSH RFC
 
 Essentially this means that their is no limit to the amount of data that a server can send back to the client and the client must be able to wait and process all of this data. Now let’s see it in action.
 
-```
+```shell
 git clone https://github.com/skeeto/endlessh.git
 cd endlessh
 make
@@ -47,13 +47,13 @@ make
 
 By default this fake server listens on port 2222. I have a port forward set up that forwards all ssh traffic from port 22 to 2222. Now try to connect via ssh:
 
-```
+```shell
 ssh -vvv localhost -p 2222
 ```
 
 If you wait a few seconds you will see the server send back the version string and then start sending a random banner:
 
-```
+```shell
 $:/tmp/endlessh$ 2024-06-24T13:05:59.488Z Port 2222
 2024-06-24T13:05:59.488Z Delay 10000
 2024-06-24T13:05:59.488Z MaxLineLength 32
@@ -107,15 +107,13 @@ debug1: kex_exchange_identification: banner line 0: V
 2024-06-24T13:06:28.734Z write(4) = 25
 2024-06-24T13:06:28.734Z poll(1, 10000)
 debug1: kex_exchange_identification: banner line 1: 2I=ED}PZ,z T_Y|Yc]$b{R]
-
-
 ```
 
 This is a great way to give back to those bots and script kiddies. In my research into other methods I also stumbled across this brilliant program [fakessh](https://github.com/iBug/fakessh). While fakessh isn’t technically a tarpit, it’s more of a honeypot but very interesting nonetheless. It creates a fake SSH server and logs the ip address, connection string and any commands executed by the attacker. Essentially it allows any username/password combination to connect and gives them a fake shell prompt. There is no actual access to any file system and all of their commands basically return gibberish.
 
 Here are some logs from an actual server of mine running fakessh
 
-```
+```shell
 2024/06/24 06:51:20 [conn] ip=183.81.169.238:40430
 2024/06/24 06:51:22 [auth] ip=183.81.169.238:40430 version="SSH-2.0-Go" user="root" password="0"
 2024/06/24 06:51:23 [conn] ip=183.81.169.238:40444
@@ -228,20 +226,18 @@ Here are some logs from an actual server of mine running fakessh
 2024/06/24 09:03:40 [conn] ip=218.92.0.107:57758 err="ssh: disconnect, reason 11: "
 2024/06/24 09:07:36 [conn] ip=218.92.0.56:21354
 2024/06/24 09:07:39 [conn] ip=218.92.0.56:21354 err="ssh: disconnect, reason 11: "
-
 ```
 
 Those are mostly connections and disconnections. They probably connected, realized it was fake and disconnected. There are a couple that tried to execute some commands though:
 
-```
+```shell
 :~$ sudo grep head /var/log/fakessh/fakessh.log 
 2024/06/23 15:48:02 [shell] ip=184.160.233.163:45735 duration=0s bytes=15 head="ls 2>/dev/null\n"
 2024/06/24 03:55:11 [shell] ip=14.46.116.243:43656 duration=20s bytes=0 head=""
-
 ```
 
 Fun fact: Cloudflare’s Bot Fight Mode uses a form of tarpitting:
 
 > Once enabled, when we detect a bad bot, we will do three things: (1) we’re going to disincentivize the bot maker economically by tarpitting them, including requiring them to solve a computationally intensive challenge that will require more of their bot’s CPU; (2) for [Bandwidth Alliance partners](https://blog.cloudflare.com/bandwidth-alliance/), we’re going to hand the IP of the bot to the partner and get the bot kicked offline; and (3) we’re going to plant trees to make up for the bot’s carbon cost.
 > 
-> <cite><https://blog.cloudflare.com/cleaning-up-bad-bots></cite>
+> <https://blog.cloudflare.com/cleaning-up-bad-bots>