endlessh-go
endlessh-go is a Go-based SSH tarpit that traps brute-force attackers by accepting connections and sending slow, endless SSH banner data. It exports Prometheus metrics and includes a Grafana dashboard to visualize attack patterns, geolocation data, and traffic statistics.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | shizunge/endlessh-go |
| Owner | shizunge |
| Primary language | Go |
| License | GPL-3.0 — OSI-approved |
| Stars | 1.3k |
| Forks | 44 |
| Open issues | 21 |
| Latest release | 2026.0328.0 (2026-03-29) |
| Last updated | 2026-07-06 |
| Source | https://github.com/shizunge/endlessh-go |
What endlessh-go is
A Go rewrite of the C-based endlessh that listens for SSH connections and deliberately delays responses to waste attacker time. It exposes Prometheus metrics (connections, bytes sent, trap duration) with optional GeoIP enrichment via ip-api or MaxMind, and ships with a pre-built Grafana 8.2+ dashboard for real-time visualization.
Get the endlessh-go source
Clone the repository and explore it locally.
git clone https://github.com/shizunge/endlessh-go.gitcd endlessh-go# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Run on a non-standard SSH port (default 2222) to avoid interfering with production SSH access; consider firewall rules to limit tarpit exposure.
- Configure Prometheus scrape interval and metric retention policy; enable `-prometheus_clean_unseen_seconds` to prevent unbounded cardinality from one-off attacker IPs.
- Choose GeoIP supplier wisely: ip-api is free but rate-limited and restricts commercial use; MaxMind DB requires licensing but works offline.
- Monitor resource usage (memory ~10 MB, CPU scales with connection count); set `-max_clients` appropriately for your deployment context.
- Ensure Grafana and Prometheus have sufficient retention and query performance for sustained attack volume before production deployment.
When to avoid it — and what to weigh
- No Monitoring Infrastructure — Requires Prometheus + Grafana stack for full value. Text-log-only environments should use the original C endlessh or add wrapper scripts—this Go version is metrics-first.
- Strict Air-Gapped or Offline Networks — GeoIP enrichment via ip-api requires external API calls; MaxMind DB mitigates this but adds offline dependency. Not suitable for isolated networks without external data sources.
- High-Volume Attack Scenarios Requiring Custom Logic — While configurable, endlessh-go is purpose-built for SSH tarpit behavior. Custom attack response logic or non-SSH protocols require external extensions or alternative tools.
- GPL v3 Incompatible Deployments — GPL v3 license requires derivative works and distribution scenarios to release modifications. Proprietary closed-source integrations may face compliance restrictions.
License & commercial use
GNU General Public License v3.0 (GPL-3.0). This is a copyleft license requiring that derivative works and distributed modifications also be released under GPL-3.0.
GPL-3.0 allows commercial use of the software itself, but if you modify, extend, or redistribute endlessh-go, you must release those modifications under GPL-3.0. Using the unmodified binary in a commercial environment is permissible. However, any custom extensions (e.g., proprietary attack response logic compiled into the binary) require GPL-3.0 compliance or separate licensing. Additionally, GeoIP enrichment via ip-api includes its own commercial use restrictions (ip-api terms prohibit some commercial use without a paid plan)—review their policy independently.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
endlessh-go is a defensive security tool designed to waste attacker resources. Key considerations: (1) Deploy on isolated or non-standard port to avoid service collision. (2) GeoIP via ip-api sends attacker IP addresses to external service—data privacy implications should be assessed. (3) No built-in authentication on metrics endpoint (:2112/metrics)—restrict network access via firewall or reverse proxy. (4) Memory usage scales with concurrent connections; abuse could cause resource exhaustion. (5) Go binary is inherently memory-safe, reducing injection/overflow risks. (6) Prometheus metrics do not anonymize IP addresses; ensure dashboard access is restricted. No formal security audit data available.
Alternatives to consider
Original Endlessh (C)
Minimal resource footprint, battle-tested, but no native metrics export; requires log parsing scripts and external dashboarding. Choose if Prometheus integration is not required.
Cowrie (Python SSH Honeypot)
Feature-rich interactive SSH honeypot with session logging, file capture, and plugin ecosystem. Choose if you need detailed attack simulation and forensic analysis beyond tarpit functionality.
Fail2ban + iptables rules
Lightweight rate-limiting and blocking; no tarpit overhead. Choose for simple brute-force prevention without needing attack intelligence collection or visualization.
Build on endlessh-go with DEV.co software developers
Contact us to assess integration with your Prometheus/Grafana monitoring, plan firewall isolation, and configure GeoIP enrichment for real-time SSH attack visibility.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
endlessh-go FAQ
Does endlessh-go block SSH brute-force attacks?
Can I use this without Prometheus/Grafana?
What is the GeoIP privacy concern?
How do I deploy this in production with existing monitoring?
Software developers & web developers for hire
From first prototype to production, DEV.co delivers software development services around tools like endlessh-go. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source observability and beyond.
Evaluate endlessh-go for Your Security Stack
Contact us to assess integration with your Prometheus/Grafana monitoring, plan firewall isolation, and configure GeoIP enrichment for real-time SSH attack visibility.