Suggestion for OpenSSH developers

Howard Chu hyc at
Thu Apr 22 13:38:38 AEST 2021

Nico Kadel-Garcia wrote:
> On Wed, Apr 21, 2021 at 8:57 PM Gregory Seidman
> <gsslist+ssh at> wrote:
>> Adding this functionality to OpenSSH sounds like the wrong approach. If you
>> want this I recommend running endlessh on a different port (it even
>> defaults to 2222) and using your system's firewall configuration (iptables,
>> pfsense, whatever) to redirect SSH traffic from whatever IP address (range)
>> to the endlessh port.
> Put your SSH on a different port to avoid scanning, and leave this to
> clutter incoming attacks on port 22? Sounds like a technology project
> in need of a compelling use.
>> Even better, fail2ban already exists to automatically detect hostile IP
>> addresses and contain them, and allows arbitrary iptables rules to as the
>> ban action. Instead of simply dropping packets from the hostile IP
>> addresses you can trap them with endlessh.
> This does seem like the cleaner approach, with a well known and robust tool.

It's certainly simpler to just set an iptables rule to drop the incoming
packets. The remote side's TCP will wait however long before timing out
on the connection attempt, with no further work needed.

  -- Howard Chu
  CTO, Symas Corp. 
  Director, Highland Sun
  Chief Architect, OpenLDAP

More information about the openssh-unix-dev mailing list