Luveh Keraph
2021-May-30 15:32 UTC
[SUSPECTED SPAM] Filtering incoming connections on the basis of the ID string
I would be interested to filter incoming connections depending on the exact nature of the ID string supplied by the customer. RFC 4253 specifies that that ID string should conform to the following structure:

SSH-protoversion-softwareversion SP comments CR LF

I would like to be able to selectively allow incoming connections to proceed (or terminate them there and then) when the value of softwareversion (or even comments) matches some predetermined pattern. Is this something that OpenSSH servers can do?
Damien Miller
2021-May-31 01:07 UTC
[SUSPECTED SPAM] Filtering incoming connections on the basis of the ID string
On Sun, 30 May 2021, Luveh Keraph wrote:

> I would be interested to filter incoming connections depending on the exact
> nature of the ID string supplied by the customer. RFC 4253 specifies that
> that ID string should conform to the following structure:
>
> SSH-protoversion-softwareversion SP comments CR LF
>
> I would like to be able to selectively allow incoming connections to
> proceed (or terminate them there and then) when the value of
> softwareversion (or even comments) matches some predetermined pattern. Is
> this something that OpenSSH servers can do?

No, but it probably wouldn't be too hard to implement a "Match clientversion"

What would be the purpose of this filtering? If you're considering it to block password guessers, and such filtering becomes popular, then they are highly likely to change their version strings. IMO it's generally better to disallow password authentication, except from trusted sources.

-d
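The RFC 4253 identification line discussed in this thread can be parsed and matched against patterns as sketched below. This is an added example, not part of either message and not OpenSSH code; `parse_id`, `decide`, the rule format and the sample client names are hypothetical, and restricting comments to printable US-ASCII is an assumption of the example.

```python
import fnmatch
import re
from typing import NamedTuple, Optional

MAX_ID_LEN = 255  # RFC 4253 section 4.2: limit includes the trailing CR LF

# protoversion / softwareversion: printable US-ASCII except whitespace and '-'.
_TOKEN = rb"[\x21-\x2c\x2e-\x7e]+"
# Assumption of this example: comments are limited to printable US-ASCII too.
_ID_RE = re.compile(rb"SSH-(" + _TOKEN + rb")-(" + _TOKEN + rb")(?: ([\x20-\x7e]*))?\r\n")


class ClientId(NamedTuple):
    protoversion: str
    softwareversion: str
    comments: Optional[str]


def parse_id(line: bytes) -> Optional[ClientId]:
    """Parse one identification line; return None if it is malformed."""
    if len(line) > MAX_ID_LEN:
        return None
    m = _ID_RE.fullmatch(line)
    if m is None:
        return None
    proto, software, comments = (g.decode("ascii") if g is not None else None
                                 for g in m.groups())
    return ClientId(proto, software, comments)


def decide(line: bytes, rules, default: str = "allow") -> str:
    """rules: (field, glob, action) tuples, first match wins (hypothetical format)."""
    cid = parse_id(line)
    if cid is None:
        return "deny"  # malformed identification strings are rejected outright
    for field, glob, action in rules:
        value = getattr(cid, field)
        if value is not None and fnmatch.fnmatchcase(value, glob):
            return action
    return default


# Constructed sample rules, not taken from real traffic.
RULES = [("softwareversion", "ExampleScanner_*", "deny"),
         ("comments", "*internal-build*", "allow")]
```

Because the client chooses every byte of this line, a match only describes what the peer claims to be.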