Nico Kadel-Garcia wrote: > On Wed, Apr 21, 2021 at 8:57 PM Gregory Seidman > <gsslist+ssh@xxxxxxxxxxxxxxxxxx> wrote: >> >> Adding this functionality to OpenSSH sounds like the wrong approach. If you >> want this I recommend running endlessh on a different port (it even >> defaults to 2222) and using your system's firewall configuration (iptables, >> pfsense, whatever) to redirect SSH traffic from whatever IP address (range) >> to the endlessh port. > > Put your SSH on a different port to avoid scanning, and leave this to > clutter incoming attacks on port 22? Sounds like a technology project > in need of a compelling use. > >> Even better, fail2ban already exists to automatically detect hostile IP >> addresses and contain them, and allows arbitrary iptables rules to as the >> ban action. Instead of simply dropping packets from the hostile IP >> addresses you can trap them with endlessh. > > This does seem like the cleaner approach, with a well known and robust tool. It's certainly simpler to just set an iptables rule to drop the incoming packets. The remote side's TCP will wait however long before timing out on the connection attempt, with no further work needed. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/ _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
