Adding this functionality to OpenSSH sounds like the wrong approach. If you want this I recommend running endlessh on a different port (it even defaults to 2222) and using your system's firewall configuration (iptables, pfsense, whatever) to redirect SSH traffic from whatever IP address (range) to the endlessh port. Even better, fail2ban already exists to automatically detect hostile IP addresses and contain them, and allows arbitrary iptables rules as the ban action. Instead of simply dropping packets from the hostile IP addresses you can trap them with endlessh. I encourage you to try out this approach and, if successful, post about it and send the link to this list.

I appreciate hearing about endlessh, however, since I was previously unaware of it. Here's a decent rundown for those who were also previously unaware: https://nullprogram.com/blog/2019/03/22/

--Gregory

On Wed, Apr 21, 2021 at 03:28:19PM -0600, Luveh Keraph wrote:
> I recently stumbled upon something called endlessh. This is, in essence, a
> very small server that keeps SSH clients engaged, possibly for a long time,
> by sending unlimited amounts of junk, at reasonable time intervals, in lieu
> of the SSH identification string on receiving an SSH connection request.
>
> I was wondering whether this is a capability that guys would consider
> adding to OpenSSH as a new launch-time option? Together with a feature that
> would enable the OpenSSH daemon to select what clients (IP addresses
> families or sets of names) the capability would (or would not) apply to,
> this might come in handy when it comes to deterring script kiddies.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
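The redirect-then-tarpit setup described in the reply above, as an added shell example that is not part of the thread and not endlessh's or fail2ban's own code. It assumes sshd on port 22, endlessh on its default port 2222 and reachable on the address of the inbound interface, a fail2ban action name of `endlessh-redirect` (chosen here), and that `IPT` can be pointed at `echo` for a dry run; the address 203.0.113.5 used in the usage line is a constructed sample from the TEST-NET-3 range.

```shell
#!/bin/sh
# Added example, not code from the thread, endlessh or fail2ban.
# Sends SSH traffic from a hostile source into an endlessh tarpit with an
# iptables nat REDIRECT rule, and prints a fail2ban action that does the same.
# Assumptions: sshd on port 22, endlessh on its default port 2222 bound to the
# inbound interface address, and IPT overridable (IPT=echo) for a dry run.
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"
ENDLESSH_PORT="${ENDLESSH_PORT:-2222}"

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix, so a
# malformed ban target can never turn into an unexpected firewall rule.
valid_ipv4() {
    case "$1" in "" | *[!0-9./]* | */*/*) return 1 ;; esac
    case "$1" in
        */*) prefix="${1#*/}"
             { [ -n "$prefix" ] && [ "$prefix" -le 32 ]; } || return 1 ;;
    esac
    addr="${1%%/*}"
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        { [ -n "$octet" ] && [ "$octet" -le 255 ]; } || return 1
    done
    return 0
}

# $1 = -A (ban) or -D (unban), $2 = hostile source address or CIDR block.
# New TCP connections from that source to the sshd port have their
# destination port rewritten to the endlessh port before routing.
ssh_redirect() {
    valid_ipv4 "$2" || { echo "refusing malformed address '$2'" >&2; return 2; }
    $IPT -t nat "$1" PREROUTING -s "$2" -p tcp --dport "$SSH_PORT" \
        -j REDIRECT --to-ports "$ENDLESSH_PORT"
}
trap_ssh()   { ssh_redirect -A "$1"; }
untrap_ssh() { ssh_redirect -D "$1"; }

# Print a fail2ban action for /etc/fail2ban/action.d/endlessh-redirect.conf
# (file name assumed here) so that a ban redirects the offender into the
# tarpit instead of dropping its packets. fail2ban substitutes <ip> at ban time.
fail2ban_action() {
    cat <<EOF
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = iptables -t nat -A PREROUTING -s <ip> -p tcp --dport $SSH_PORT -j REDIRECT --to-ports $ENDLESSH_PORT
actionunban = iptables -t nat -D PREROUTING -s <ip> -p tcp --dport $SSH_PORT -j REDIRECT --to-ports $ENDLESSH_PORT
EOF
}
# Then select it for the sshd jail in /etc/fail2ban/jail.local:
#   [sshd]
#   enabled = true
#   banaction = endlessh-redirect

# Usage: sh tarpit.sh trap 203.0.113.5 | untrap 203.0.113.5 | action
case "${1:-}" in
    trap)   trap_ssh "$2" ;;
    untrap) untrap_ssh "$2" ;;
    action) fail2ban_action ;;
esac
```

Two caveats worth knowing before relying on this: REDIRECT rewrites the destination to the primary address of the interface the packet arrived on, so endlessh must listen on that address (or on all addresses), not on loopback only; and the nat rule is consulted only for the first packet of a connection, so a session the scanner already has open to sshd is unaffected until it reconnects.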