Suggestion for OpenSSH developers
gsslist+ssh at anthropohedron.net
Thu Apr 22 10:53:51 AEST 2021
Adding this functionality to OpenSSH sounds like the wrong approach. If you
want this I recommend running endlessh on a different port (it even
defaults to 2222) and using your system's firewall configuration (iptables,
pfsense, whatever) to redirect SSH traffic from whatever IP address (range)
to the endlessh port.
Even better, fail2ban already exists to automatically detect hostile IP
addresses and contain them, and allows arbitrary iptables rules to as the
ban action. Instead of simply dropping packets from the hostile IP
addresses you can trap them with endlessh.
I encourage you to try out this approach and, if successful, post about it
and send the link to this list. I appreciate hearing about endlessh,
however, since I was previously unaware of it. Here's a decent rundown for
those who were also previously unaware:
On Wed, Apr 21, 2021 at 03:28:19PM -0600, Luveh Keraph wrote:
> I recently stumbled upon something called endlessh. This is, in essence, a
> very small server that keeps SSH clients engaged, possibly for a long time,
> by sending unlimited amounts of junk, at reasonable time intervals, in lieu
> of the SSH identification string on receiving an SSH connection request.
> I was wondering whether this is a capability that guys would consider
> adding to OpenSSH as a new launch-time option? Together with a feature that
> would enable the OpenSSH daemon to select what clients (IP addresses
> families or sets of names) the capability would (or would not) apply to,
> this might come in handy when it comes to deterring script kiddies.
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
More information about the openssh-unix-dev