Re: Suggestion for OpenSSH developers

Nico Kadel-Garcia wrote:
> On Wed, Apr 21, 2021 at 8:57 PM Gregory Seidman
> <gsslist+ssh@xxxxxxxxxxxxxxxxxx> wrote:
>>
>> Adding this functionality to OpenSSH sounds like the wrong approach. If you
>> want this I recommend running endlessh on a different port (it even
>> defaults to 2222) and using your system's firewall configuration (iptables,
>> pfsense, whatever) to redirect SSH traffic from whatever IP address (range)
>> to the endlessh port.
> 
> Put your SSH on a different port to avoid scanning, and leave this to
> clutter incoming attacks on port 22? Sounds like a technology project
> in need of a compelling use.
> 
>> Even better, fail2ban already exists to automatically detect hostile IP
>> addresses and contain them, and allows arbitrary iptables rules as the
>> ban action. Instead of simply dropping packets from the hostile IP
>> addresses you can trap them with endlessh.
> 
> This does seem like the cleaner approach, with a well known and robust tool.

It's certainly simpler to just set an iptables rule to drop the incoming
packets. The remote side's TCP will wait however long before timing out
on the connection attempt, with no further work needed.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
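As an added illustration of the fail2ban-plus-endlessh approach quoted above (example configuration written for this page, not from the thread or from either project), this is a custom fail2ban action that redirects banned sources to an endlessh listener instead of dropping them. It assumes endlessh is listening locally on its default port 2222, that sshd listens on 22, and the file path and jail name are hypothetical.

```ini
# /etc/fail2ban/action.d/endlessh-redirect.conf  (hypothetical path, example only)
#
# fail2ban fills <ip> with the banned address and <name> with the jail name.
# A dedicated nat chain keeps the per-IP rules separate from the rest of the
# PREROUTING table and lets actionstop remove them all at once.

[Definition]
actionstart = iptables -t nat -N f2b-<name>
              iptables -t nat -A f2b-<name> -j RETURN
              iptables -t nat -I PREROUTING -p tcp --dport 22 -j f2b-<name>

actionstop  = iptables -t nat -D PREROUTING -p tcp --dport 22 -j f2b-<name>
              iptables -t nat -F f2b-<name>
              iptables -t nat -X f2b-<name>

actioncheck = iptables -t nat -n -L PREROUTING | grep -q 'f2b-<name>[ \t]'

# Banned source: its port-22 SYNs are rewritten to the local endlessh port,
# so the client completes a handshake and then waits on the endless banner
# (assumption: endlessh bound to 127.0.0.1:2222, its default).
actionban   = iptables -t nat -I f2b-<name> 1 -s <ip> -p tcp --dport 22 -j REDIRECT --to-ports 2222
actionunban = iptables -t nat -D f2b-<name> -s <ip> -p tcp --dport 22 -j REDIRECT --to-ports 2222

# /etc/fail2ban/jail.local  (fragment, hypothetical)
[sshd]
enabled = true
action  = endlessh-redirect
# For the simpler "just drop the packets" option described in the reply,
# keep fail2ban's stock iptables action and set blocktype = DROP instead.
```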