On Thu, Apr 22, 2021 at 04:38:38AM +0100, Howard Chu <hyc@xxxxxxxxx> wrote:
> Nico Kadel-Garcia wrote:
> > On Wed, Apr 21, 2021 at 8:57 PM Gregory Seidman
> > <gsslist+ssh@xxxxxxxxxxxxxxxxxx> wrote:
> >>
> >> Adding this functionality to OpenSSH sounds like the wrong approach. If you
> >> want this I recommend running endlessh on a different port (it even
> >> defaults to 2222) and using your system's firewall configuration (iptables,
> >> pfsense, whatever) to redirect SSH traffic from whatever IP address (range)
> >> to the endlessh port.
> >
> > Put your SSH on a different port to avoid scanning, and leave this to
> > clutter incoming attacks on port 22? Sounds like a technology project
> > in need of a compelling use.
> >
> >> Even better, fail2ban already exists to automatically detect hostile IP
> >> addresses and contain them, and allows arbitrary iptables rules as the
> >> ban action. Instead of simply dropping packets from the hostile IP
> >> addresses you can trap them with endlessh.
> >
> > This does seem like the cleaner approach, with a well known and robust tool.
>
> It's certainly simpler to just set an iptables rule to drop the incoming
> packets. The remote side's TCP will wait however long before timing out
> on the connection attempt, with no further work needed.

But a script to create the iptables rules based on the contents of
/etc/hosts.allow or sshd_config's AllowUsers directives goes a long way
to automating it. It's a little extra work but only once.

cheers,
raf

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
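As an added example, not code from any of the posters above, the following POSIX shell script sketches the two ideas in the thread together: Gregory's firewall redirect of unwanted port-22 traffic to endlessh, and raf's suggestion of generating the iptables rules automatically from /etc/hosts.allow. It only prints the rules so they can be reviewed before being applied. Assumptions not stated in the thread: sshd listens on 22/tcp, endlessh on its default 2222/tcp, only IPv4 dotted-quad or CIDR entries in hosts.allow are translated (hostnames, "ALL"/"LOCAL" and netmask forms are skipped), and the function names and the sample hosts.allow text are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): emit iptables rules that leave SSH
# reachable for the clients hosts.allow grants to sshd and redirect every
# other port-22 connection to a local endlessh listener.

SSH_PORT=22        # assumption: sshd on 22/tcp
ENDLESSH_PORT=2222 # assumption: endlessh on its default port

# Constructed sample hosts.allow content, used only for the demo and tests.
SAMPLE_HOSTS_ALLOW='# constructed sample, not a real configuration
sshd: 192.168.1.0/24, 10.0.0.5   # office LAN and jump host
sshd sshd2: 203.0.113.7
ALL: LOCAL
vsftpd: 198.51.100.0/24
'

# Print the client list of every hosts.allow line whose daemon list names
# sshd. Comments are stripped, comma- and space-separated entries are split,
# and only IPv4 addresses or CIDR prefixes are kept (hostnames, wildcards
# and "a.b.c.0/255.255.255.0" netmask forms are ignored on purpose).
sshd_allowed_clients() {
    sed -e 's/#.*//' "$1" \
    | awk -F: '$1 ~ /(^|[ ,])sshd([ ,]|$)/ { print $2 }' \
    | tr ',' ' ' \
    | tr -s ' \t' '\n' \
    | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(/[0-9]+)?$' \
    | sort -u
}

# Generate the rule set: one nat-table ACCEPT per allowed client (ACCEPT in
# the nat table means "do not NAT this packet"), then a REDIRECT of whatever
# is left on the SSH port to endlessh. Rules are printed, not executed, so
# the result can be checked before it touches a live firewall.
generate_rules() {
    sshd_allowed_clients "$1" | while read -r cidr; do
        printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -s %s -j ACCEPT\n' \
            "$SSH_PORT" "$cidr"
    done
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j REDIRECT --to-ports %s\n' \
        "$SSH_PORT" "$ENDLESSH_PORT"
}

# Write the constructed sample to the path given as $1 (demo/test helper).
write_sample_file() {
    printf '%s' "$SAMPLE_HOSTS_ALLOW" > "$1"
}

# Demo: ./gen-endlessh-rules.sh --demo   (or pass a real file as the only argument)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_file "$tmp"
    generate_rules "$tmp"
    rm -f "$tmp"
elif [ -n "${1:-}" ]; then
    generate_rules "$1"
fi
```

Run it as `sh gen-endlessh-rules.sh /etc/hosts.allow`, check the printed rules, and only then pipe them into a shell as root. The order matters: the per-client ACCEPT rules must precede the catch-all REDIRECT, which is why the script emits them first.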