Suggestion for OpenSSH developers
nkadel at gmail.com
Thu Apr 22 13:21:44 AEST 2021
On Wed, Apr 21, 2021 at 8:57 PM Gregory Seidman
<gsslist+ssh at anthropohedron.net> wrote:
> Adding this functionality to OpenSSH sounds like the wrong approach. If you
> want this I recommend running endlessh on a different port (it even
> defaults to 2222) and using your system's firewall configuration (iptables,
> pfsense, whatever) to redirect SSH traffic from whatever IP address (range)
> to the endlessh port.
Put your SSH on a different port to avoid scanning, and leave this to
clutter incoming attacks on port 22? Sounds like a technology project
in need of a compelling use.
> Even better, fail2ban already exists to automatically detect hostile IP
> addresses and contain them, and allows arbitrary iptables rules to as the
> ban action. Instead of simply dropping packets from the hostile IP
> addresses you can trap them with endlessh.
This does seem like the cleaner approach, with a well known and robust tool.
More information about the openssh-unix-dev