Mailing List Archive

Suggestion for OpenSSH developers
I recently stumbled upon something called endlessh. This is, in essence, a
very small server that keeps SSH clients engaged, possibly for a long time,
by sending unlimited amounts of junk, at reasonable time intervals, in lieu
of the SSH identification string on receiving an SSH connection request.

I was wondering whether this is a capability that you guys would consider
adding to OpenSSH as a new launch-time option? Together with a feature that
would enable the OpenSSH daemon to select what clients (IP addresses
families or sets of names) the capability would (or would not) apply to,
this might come in handy when it comes to deterring script kiddies.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Suggestion for OpenSSH developers
Adding this functionality to OpenSSH sounds like the wrong approach. If you
want this I recommend running endlessh on a different port (it even
defaults to 2222) and using your system's firewall configuration (iptables,
pfsense, whatever) to redirect SSH traffic from whatever IP address (range)
to the endlessh port.

Even better, fail2ban already exists to automatically detect hostile IP
addresses and contain them, and allows arbitrary iptables rules as the
ban action. Instead of simply dropping packets from the hostile IP
addresses you can trap them with endlessh.

I encourage you to try out this approach and, if successful, post about it
and send the link to this list. I appreciate hearing about endlessh,
however, since I was previously unaware of it. Here's a decent rundown for
those who were also previously unaware:
https://nullprogram.com/blog/2019/03/22/

--Gregory

On Wed, Apr 21, 2021 at 03:28:19PM -0600, Luveh Keraph wrote:
> I recently stumbled upon something called endlessh. This is, in essence, a
> very small server that keeps SSH clients engaged, possibly for a long time,
> by sending unlimited amounts of junk, at reasonable time intervals, in lieu
> of the SSH identification string on receiving an SSH connection request.
>
> I was wondering whether this is a capability that you guys would consider
> adding to OpenSSH as a new launch-time option? Together with a feature that
> would enable the OpenSSH daemon to select what clients (IP addresses
> families or sets of names) the capability would (or would not) apply to,
> this might come in handy when it comes to deterring script kiddies.
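The "trap instead of drop" ban action Gregory suggests, as an added example (not code from the thread, from endlessh or from fail2ban): shell functions a fail2ban action.d file could call from actionban, actionunban and actioncheck. ENDLESSH_PORT, SSH_PORT, IPTABLES and the function names are assumptions; IPTABLES can be pointed at a dry-run printer to inspect the generated rules without root.

```shell
#!/bin/sh
# Added example, not code from the thread or from fail2ban: the "trap instead
# of drop" ban action Gregory describes, as shell functions that a fail2ban
# action.d file could invoke from actionban/actionunban/actioncheck.
# Assumptions: endlessh listens locally on ENDLESSH_PORT (its default, 2222),
# sshd on SSH_PORT, and IPTABLES can be pointed at a dry-run printer so the
# generated rules can be inspected without root or a live firewall.
ENDLESSH_PORT="${ENDLESSH_PORT:-2222}"
SSH_PORT="${SSH_PORT:-22}"
IPTABLES="${IPTABLES:-iptables}"

# Accept only a dotted-quad IPv4 address with an optional /prefix, so a
# malformed or hostile <ip> tag substituted by fail2ban never reaches the
# firewall command as anything but an argument that fails this check.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# nat PREROUTING rule that steers the banned address's port-22 connections to
# endlessh; -I on ban and -D on unban keep the two operations symmetric.
trap_rule() {
    action="$1"; ip="$2"
    valid_ipv4 "$ip" || { echo "trap_rule: bad address '$ip'" >&2; return 2; }
    case "$action" in
        ban)   flag=-I ;;
        unban) flag=-D ;;
        *) echo "trap_rule: action must be ban or unban" >&2; return 2 ;;
    esac
    "$IPTABLES" -t nat "$flag" PREROUTING -s "$ip" -p tcp --dport "$SSH_PORT" \
        -j REDIRECT --to-ports "$ENDLESSH_PORT"
}

# actioncheck counterpart: succeeds only if the trap rule is currently present.
trap_active() {
    valid_ipv4 "$1" || return 2
    "$IPTABLES" -t nat -C PREROUTING -s "$1" -p tcp --dport "$SSH_PORT" \
        -j REDIRECT --to-ports "$ENDLESSH_PORT" 2>/dev/null
}

# Allow the file to be called directly: script.sh ban|unban <ip>
if [ "$#" -eq 2 ]; then trap_rule "$1" "$2"; fi
```

Because the redirect happens in the nat table before the INPUT chain, the usual port-22 ACCEPT rule is never consulted for trapped addresses; endlessh must already be listening on ENDLESSH_PORT when the first ban fires.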
Re: Suggestion for OpenSSH developers
On Wed, Apr 21, 2021 at 8:57 PM Gregory Seidman
<gsslist+ssh@anthropohedron.net> wrote:
>
> Adding this functionality to OpenSSH sounds like the wrong approach. If you
> want this I recommend running endlessh on a different port (it even
> defaults to 2222) and using your system's firewall configuration (iptables,
> pfsense, whatever) to redirect SSH traffic from whatever IP address (range)
> to the endlessh port.

Put your SSH on a different port to avoid scanning, and leave this to
clutter incoming attacks on port 22? Sounds like a technology project
in need of a compelling use.

> Even better, fail2ban already exists to automatically detect hostile IP
> addresses and contain them, and allows arbitrary iptables rules as the
> ban action. Instead of simply dropping packets from the hostile IP
> addresses you can trap them with endlessh.

This does seem like the cleaner approach, with a well known and robust tool.
Re: Suggestion for OpenSSH developers
Nico Kadel-Garcia wrote:
> On Wed, Apr 21, 2021 at 8:57 PM Gregory Seidman
> <gsslist+ssh@anthropohedron.net> wrote:
>>
>> Adding this functionality to OpenSSH sounds like the wrong approach. If you
>> want this I recommend running endlessh on a different port (it even
>> defaults to 2222) and using your system's firewall configuration (iptables,
>> pfsense, whatever) to redirect SSH traffic from whatever IP address (range)
>> to the endlessh port.
>
> Put your SSH on a different port to avoid scanning, and leave this to
> clutter incoming attacks on port 22? Sounds like a technology project
> in need of a compelling use.
>
>> Even better, fail2ban already exists to automatically detect hostile IP
>> addresses and contain them, and allows arbitrary iptables rules as the
>> ban action. Instead of simply dropping packets from the hostile IP
>> addresses you can trap them with endlessh.
>
> This does seem like the cleaner approach, with a well known and robust tool.

It's certainly simpler to just set an iptables rule to drop the incoming
packets. The remote side's TCP will wait however long before timing out
on the connection attempt, with no further work needed.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: Suggestion for OpenSSH developers
On Thu, Apr 22, 2021 at 04:38:38AM +0100, Howard Chu <hyc@symas.com> wrote:

> Nico Kadel-Garcia wrote:
> > On Wed, Apr 21, 2021 at 8:57 PM Gregory Seidman
> > <gsslist+ssh@anthropohedron.net> wrote:
> >>
> >> Adding this functionality to OpenSSH sounds like the wrong approach. If you
> >> want this I recommend running endlessh on a different port (it even
> >> defaults to 2222) and using your system's firewall configuration (iptables,
> >> pfsense, whatever) to redirect SSH traffic from whatever IP address (range)
> >> to the endlessh port.
> >
> > Put your SSH on a different port to avoid scanning, and leave this to
> > clutter incoming attacks on port 22? Sounds like a technology project
> > in need of a compelling use.
> >
> >> Even better, fail2ban already exists to automatically detect hostile IP
> >> addresses and contain them, and allows arbitrary iptables rules as the
> >> ban action. Instead of simply dropping packets from the hostile IP
> >> addresses you can trap them with endlessh.
> >
> > This does seem like the cleaner approach, with a well known and robust tool.
>
> It's certainly simpler to just set an iptables rule to drop the incoming
> packets. The remote side's TCP will wait however long before timing out
> on the connection attempt, with no further work needed.

But a script to create the iptables rules based on the
contents of /etc/hosts.allow or sshd_config's
AllowUsers directives goes a long way to automating it.
It's a little extra work but only once.

cheers,
raf

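The sshd_config half of the script raf describes, as an added example (not raf's script and not part of OpenSSH): it turns the host parts of AllowUsers entries into port-22 ACCEPT rules followed by a DROP. SSHD_CONFIG, SSH_PORT, IPTABLES and the function names are assumptions; the /etc/hosts.allow variant is not covered.

```shell
#!/bin/sh
# Added example, not raf's script: derive a port-22 allowlist from the host
# parts of the AllowUsers entries in sshd_config (the /etc/hosts.allow variant
# is not covered). Assumptions: SSHD_CONFIG, SSH_PORT and IPTABLES are
# overridable, the last one with a dry-run printer. Only literal IPv4
# addresses and CIDR ranges become rules; host-name patterns such as
# bob@*.example.com are matched by sshd against reverse DNS and have no packet
# filter equivalent, so they are reported and skipped. An entry with no "@"
# means "any host", so if one exists no allowlist is emitted at all.
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
SSH_PORT="${SSH_PORT:-22}"
IPTABLES="${IPTABLES:-iptables}"

is_ipv4_spec() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Unique host parts of every top-level AllowUsers directive. Comments are
# dropped and everything from the first Match block onward is ignored, since
# a conditional AllowUsers must not widen the global allowlist.
allowusers_hosts() {
    awk '/^[[:space:]]*#/ {next}
         tolower($1) == "match" {inmatch = 1}
         inmatch {next}
         tolower($1) == "allowusers" {for (i = 2; i <= NF; i++) print $i}' \
        "$SSHD_CONFIG" |
    awk -F@ 'NF == 1 {print "UNRESTRICTED"} NF > 1 {print $NF}' | LC_ALL=C sort -u
}

# Print ACCEPT rules for the literal hosts, then the DROP that makes the
# allowlist meaningful. Refuse to emit a lock-out when there is no allowlist.
emit_rules() {
    hosts=$(allowusers_hosts) || return 1
    [ -n "$hosts" ] || { echo "no AllowUsers found; emitting nothing" >&2; return 1; }
    if printf '%s\n' "$hosts" | grep -qx UNRESTRICTED; then
        echo "refusing: an AllowUsers entry has no host part" >&2; return 1
    fi
    for h in $hosts; do
        is_ipv4_spec "$h" || { echo "skipping non-IPv4 pattern: $h" >&2; continue; }
        "$IPTABLES" -A INPUT -p tcp --dport "$SSH_PORT" -s "$h" -j ACCEPT
    done
    "$IPTABLES" -A INPUT -p tcp --dport "$SSH_PORT" -j DROP
}
```

Run it with IPTABLES=echo first and diff the output against the intended allowlist; a skipped host-name pattern means the firewall is stricter than sshd, so that user's access now depends entirely on the remaining literal entries.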