Suggestion for OpenSSH developers
Howard Chu
hyc at symas.com
Thu Apr 22 13:38:38 AEST 2021
Nico Kadel-Garcia wrote:
> On Wed, Apr 21, 2021 at 8:57 PM Gregory Seidman
> <gsslist+ssh at anthropohedron.net> wrote:
>>
>> Adding this functionality to OpenSSH sounds like the wrong approach. If you
>> want this I recommend running endlessh on a different port (it even
>> defaults to 2222) and using your system's firewall configuration (iptables,
>> pfsense, whatever) to redirect SSH traffic from whatever IP address (range)
>> to the endlessh port.
>
> Put your SSH on a different port to avoid scanning, and leave this to
> clutter incoming attacks on port 22? Sounds like a technology project
> in need of a compelling use.
>
>> Even better, fail2ban already exists to automatically detect hostile IP
>> addresses and contain them, and allows arbitrary iptables rules to as the
>> ban action. Instead of simply dropping packets from the hostile IP
>> addresses you can trap them with endlessh.
>
> This does seem like the cleaner approach, with a well known and robust tool.
It's certainly simpler to just set an iptables rule to drop the incoming
packets. The remote side's TCP will wait however long before timing out
on the connection attempt, with no further work needed.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
More information about the openssh-unix-dev
mailing list