Some time ago I made a proposal to add a mechanism that would allow a hook to be executed whenever an unsuccessful login attempt was made: https://bugzilla.mindrot.org/show_bug.cgi?id=3384.

The idea was to manage a blacklist to lock out hosts that repeatedly attempted to login by trying common passwords. Unfortunately, I could not get much attention and gave up on it.

Thomas

On 18.10.23 at 19:13, Chris Rapier wrote:
> Hey all,
>
> So I do some development based on openssh and I'm trying to think of
> some new projects that might extend the functionality, feature set, user
> workflow, performance, etc of ssh.
>
> So open ended question:
>
> Do any of you have a wish list of things you'd like to see in ssh?
>
> Mostly I'm just curious to see what the larger community is thinking of
> rather than being driven entirely by what I think is cool.
>
> Chris
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

That's a good idea but I think fail2ban might be a better solution to this than extending the application itself. The main issue being that maintaining and managing a blocklist like that within ssh might be cumbersome in large organizations.

On 10/18/23 1:42 PM, Thomas Köller wrote:
> Some time ago I made a proposal to add a mechanism that would allow a
> hook to be executed whenever an unsuccessful login attempt was made:
> https://bugzilla.mindrot.org/show_bug.cgi?id=3384.
>
> The idea was to manage a blacklist to lock out hosts that repeatedly
> attempted to login by trying common passwords. Unfortunately, I could
> not get much attention and gave up on it.
>
> Thomas
>
> On 18.10.23 at 19:13, Chris Rapier wrote:
>> Hey all,
>>
>> So I do some development based on openssh and I'm trying to think of
>> some new projects that might extend the functionality, feature set,
>> user workflow, performance, etc of ssh.
>>
>> So open ended question:
>>
>> Do any of you have a wish list of things you'd like to see in ssh?
>>
>> Mostly I'm just curious to see what the larger community is thinking
>> of rather than being driven entirely by what I think is cool.
>>
>> Chris

yeah, sounds nice, but doesn't sshguard & fail2ban already read the needed from the log files?

> On 18 Oct 2023, at 19:42, Thomas Köller <thomas at koeller.dyndns.org> wrote:
>
> Some time ago I made a proposal to add a mechanism that would allow a hook to be executed whenever an unsuccessful login attempt was made: https://bugzilla.mindrot.org/show_bug.cgi?id=3384.
>
> The idea was to manage a blacklist to lock out hosts that repeatedly attempted to login by trying common passwords. Unfortunately, I could not get much attention and gave up on it.
>
> Thomas
>
> On 18.10.23 at 19:13, Chris Rapier wrote:
>> Hey all,
>> So I do some development based on openssh and I'm trying to think of some new projects that might extend the functionality, feature set, user workflow, performance, etc of ssh.
>> So open ended question:
>> Do any of you have a wish list of things you'd like to see in ssh?
>> Mostly I'm just curious to see what the larger community is thinking of rather than being driven entirely by what I think is cool.
>> Chris