Suggestion for OpenSSH developers

Nico Kadel-Garcia nkadel at
Thu Apr 22 13:21:44 AEST 2021

On Wed, Apr 21, 2021 at 8:57 PM Gregory Seidman
<gsslist+ssh at> wrote:
> Adding this functionality to OpenSSH sounds like the wrong approach. If you
> want this I recommend running endlessh on a different port (it even
> defaults to 2222) and using your system's firewall configuration (iptables,
> pfsense, whatever) to redirect SSH traffic from whatever IP address (range)
> to the endlessh port.

Put your SSH on a different port to avoid scanning, and leave this to
clutter incoming attacks on port 22? Sounds like a technology project
in need of a compelling use.

> Even better, fail2ban already exists to automatically detect hostile IP
> addresses and contain them, and allows arbitrary iptables rules to as the
> ban action. Instead of simply dropping packets from the hostile IP
> addresses you can trap them with endlessh.

This does seem like the cleaner approach, with a well known and robust tool.

More information about the openssh-unix-dev mailing list