DEV.co
Open-Source Observability · shizunge

endlessh-go

endlessh-go is a Go-based SSH tarpit that traps brute-force attackers by accepting connections and sending slow, endless SSH banner data. It exports Prometheus metrics and includes a Grafana dashboard to visualize attack patterns, geolocation data, and traffic statistics.

Source: GitHub — github.com/shizunge/endlessh-go
1.3k
GitHub stars
44
Forks
Go
Primary language
GPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryshizunge/endlessh-go
Ownershizunge
Primary languageGo
LicenseGPL-3.0 — OSI-approved
Stars1.3k
Forks44
Open issues21
Latest release2026.0328.0 (2026-03-29)
Last updated2026-07-06
Sourcehttps://github.com/shizunge/endlessh-go

What endlessh-go is

A Go rewrite of the C-based endlessh that listens for SSH connections and deliberately delays responses to waste attacker time. It exposes Prometheus metrics (connections, bytes sent, trap duration) with optional GeoIP enrichment via ip-api or MaxMind, and ships with a pre-built Grafana 8.2+ dashboard for real-time visualization.

Quickstart

Get the endlessh-go source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/shizunge/endlessh-go.gitcd endlessh-go# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

SSH Honeypot & Attack Intelligence

Trap SSH brute-force attackers on a dedicated port while collecting connection metadata, geolocation, and timing data for security analysis and threat trend monitoring.

Network Security Posture Monitoring

Integrate with existing Prometheus/Grafana stacks to visualize attack sources, volumes, and patterns in real-time dashboards without additional log parsing or ETL.

Cost-Effective DDoS Mitigation

Deploy as a low-resource tarpit (~10 MB memory) to exhaust attacker time and bandwidth on a decoy service while keeping production SSH ports protected.

Implementation considerations

  • Run on a non-standard SSH port (default 2222) to avoid interfering with production SSH access; consider firewall rules to limit tarpit exposure.
  • Configure Prometheus scrape interval and metric retention policy; enable `-prometheus_clean_unseen_seconds` to prevent unbounded cardinality from one-off attacker IPs.
  • Choose GeoIP supplier wisely: ip-api is free but rate-limited and restricts commercial use; MaxMind DB requires licensing but works offline.
  • Monitor resource usage (memory ~10 MB, CPU scales with connection count); set `-max_clients` appropriately for your deployment context.
  • Ensure Grafana and Prometheus have sufficient retention and query performance for sustained attack volume before production deployment.

When to avoid it — and what to weigh

  • No Monitoring Infrastructure — Requires Prometheus + Grafana stack for full value. Text-log-only environments should use the original C endlessh or add wrapper scripts—this Go version is metrics-first.
  • Strict Air-Gapped or Offline Networks — GeoIP enrichment via ip-api requires external API calls; MaxMind DB mitigates this but adds offline dependency. Not suitable for isolated networks without external data sources.
  • High-Volume Attack Scenarios Requiring Custom Logic — While configurable, endlessh-go is purpose-built for SSH tarpit behavior. Custom attack response logic or non-SSH protocols require external extensions or alternative tools.
  • GPL v3 Incompatible Deployments — GPL v3 license requires derivative works and distribution scenarios to release modifications. Proprietary closed-source integrations may face compliance restrictions.

License & commercial use

GNU General Public License v3.0 (GPL-3.0). This is a copyleft license requiring that derivative works and distributed modifications also be released under GPL-3.0.

GPL-3.0 allows commercial use of the software itself, but if you modify, extend, or redistribute endlessh-go, you must release those modifications under GPL-3.0. Using the unmodified binary in a commercial environment is permissible. However, any custom extensions (e.g., proprietary attack response logic compiled into the binary) require GPL-3.0 compliance or separate licensing. Additionally, GeoIP enrichment via ip-api includes its own commercial use restrictions (ip-api terms prohibit some commercial use without a paid plan)—review their policy independently.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

endlessh-go is a defensive security tool designed to waste attacker resources. Key considerations: (1) Deploy on isolated or non-standard port to avoid service collision. (2) GeoIP via ip-api sends attacker IP addresses to external service—data privacy implications should be assessed. (3) No built-in authentication on metrics endpoint (:2112/metrics)—restrict network access via firewall or reverse proxy. (4) Memory usage scales with concurrent connections; abuse could cause resource exhaustion. (5) Go binary is inherently memory-safe, reducing injection/overflow risks. (6) Prometheus metrics do not anonymize IP addresses; ensure dashboard access is restricted. No formal security audit data available.

Alternatives to consider

Original Endlessh (C)

Minimal resource footprint, battle-tested, but no native metrics export; requires log parsing scripts and external dashboarding. Choose if Prometheus integration is not required.

Cowrie (Python SSH Honeypot)

Feature-rich interactive SSH honeypot with session logging, file capture, and plugin ecosystem. Choose if you need detailed attack simulation and forensic analysis beyond tarpit functionality.

Fail2ban + iptables rules

Lightweight rate-limiting and blocking; no tarpit overhead. Choose for simple brute-force prevention without needing attack intelligence collection or visualization.

Software development agency

Build on endlessh-go with DEV.co software developers

Contact us to assess integration with your Prometheus/Grafana monitoring, plan firewall isolation, and configure GeoIP enrichment for real-time SSH attack visibility.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

endlessh-go FAQ

Does endlessh-go block SSH brute-force attacks?
No—it traps attackers by accepting connections and wasting their time with slow SSH banner responses. Production SSH ports must be protected separately via firewall rules, fail2ban, or port shielding. Deploy endlessh-go on a decoy port to collect intelligence.
Can I use this without Prometheus/Grafana?
Yes, but with limited value. Without `-enable_prometheus`, endlessh-go functions as a basic tarpit. Metrics are the primary feature; without them, consider the original C endlessh or add external log parsing.
What is the GeoIP privacy concern?
If you enable `-geoip_supplier ip-api`, attacker IP addresses are sent to ip-api.com's servers. For privacy-sensitive deployments, use `-geoip_supplier max-mind-db` with an offline MaxMind database instead.
How do I deploy this in production with existing monitoring?
Run the Docker image on a non-standard port, add a Prometheus scrape job pointing to :2112/metrics, and import Grafana dashboard ID 15156. Ensure firewall rules isolate the tarpit from production SSH (port 22).

Software developers & web developers for hire

From first prototype to production, DEV.co delivers software development services around tools like endlessh-go. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source observability and beyond.

Evaluate endlessh-go for Your Security Stack

Contact us to assess integration with your Prometheus/Grafana monitoring, plan firewall isolation, and configure GeoIP enrichment for real-time SSH attack visibility.