Suggestion for OpenSSH developers

raf ssh at raf.org
Fri Apr 23 08:31:26 AEST 2021


On Thu, Apr 22, 2021 at 04:38:38AM +0100, Howard Chu <hyc at symas.com> wrote:

> Nico Kadel-Garcia wrote:
> > On Wed, Apr 21, 2021 at 8:57 PM Gregory Seidman
> > <gsslist+ssh at anthropohedron.net> wrote:
> >>
> >> Adding this functionality to OpenSSH sounds like the wrong approach. If you
> >> want this I recommend running endlessh on a different port (it even
> >> defaults to 2222) and using your system's firewall configuration (iptables,
> >> pfsense, whatever) to redirect SSH traffic from whatever IP address (range)
> >> to the endlessh port.
> > 
> > Put your SSH on a different port to avoid scanning, and leave this to
> > clutter incoming attacks on port 22? Sounds like a technology project
> > in need of a compelling use.
> > 
> >> Even better, fail2ban already exists to automatically detect hostile IP
> >> addresses and contain them, and allows arbitrary iptables rules as the
> >> ban action. Instead of simply dropping packets from the hostile IP
> >> addresses you can trap them with endlessh.
> > 
> > This does seem like the cleaner approach, with a well known and robust tool.
> 
> It's certainly simpler to just set an iptables rule to drop the incoming
> packets. The remote side's TCP will wait however long before timing out
> on the connection attempt, with no further work needed.

But a script to create the iptables rules based on the
contents of /etc/hosts.allow or sshd_config's
AllowUsers directives goes a long way to automating it.
It's a little extra work but only once.

cheers,
raf
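As an added example (not raf's script or anything posted in the thread), a POSIX sh sketch of the automation raf describes: it pulls the host parts out of sshd_config AllowUsers directives and emits iptables rules, sending everything else aimed at the SSH port to an endlessh tarpit as Gregory suggested, or dropping it as Howard suggested. The sshd_config content is constructed for the example; 2222 is endlessh's default port as stated in the thread.

```shell
#!/bin/sh
# Added example (not raf's script): turn the host parts of sshd_config AllowUsers
# directives into iptables rules for the SSH port; everything else is redirected
# to an endlessh tarpit (2222 is endlessh's default) or, with no tarpit port, dropped.

# Constructed sample sshd_config content for this example.
SAMPLE_CONFIG='
Port 22
AllowUsers alice@192.0.2.0/24 bob@203.0.113.5
AllowUsers carol dave@*.example.com
# AllowUsers commented@198.51.100.1
'

# Print each distinct host or CIDR named in an AllowUsers directive. Bare user names
# have no host restriction and wildcards have no iptables -s equivalent: both are skipped.
allowed_hosts() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "allowusers" {
            for (i = 2; i <= NF; i++) {
                n = index($i, "@")
                if (n == 0) continue
                host = substr($i, n + 1)
                if (host ~ /[*?]/) {
                    print "skipping wildcard pattern: " $i > "/dev/stderr"
                    continue
                }
                print host
            }
        }' | sort -u
}

# Emit iptables commands: $1 = config text, $2 = SSH port, $3 = tarpit port (optional).
iptables_rules() {
    port=${2:-22}
    tarpit=$3
    allowed_hosts "$1" | while IFS= read -r host; do
        printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$host" "$port"
        if [ -n "$tarpit" ]; then   # allowed hosts leave the nat chain before the redirect
            printf 'iptables -t nat -A PREROUTING -p tcp -s %s --dport %s -j RETURN\n' "$host" "$port"
        fi
    done
    if [ -n "$tarpit" ]; then
        printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$port" "$tarpit"
    else
        printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
    fi
}
iptables_rules "$SAMPLE_CONFIG" 22 2222
```

Review the emitted commands before feeding them to iptables; the RETURN rules must precede the REDIRECT in the nat PREROUTING chain, which the emission order guarantees only on a chain that was empty beforehand.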


