I know that TFA acknowledges this, but I think it still needs to be stated that scanning all open TCP ports on a single IP generally takes less than a second.
It'll help you with logs but certainly not provide the same peace of mind that key auth or even post login TOTP provides.
You could presumably still just SYN scan to find the ports and then use proxies to identify the real sshd.
Obviously my approach would be somewhat involved but I'd imagine this would mostly be intended to protect against someone who may already have likely password candidates, rather than just random scanners.
About a decade ago I worked at a small web-hosting company where I installed the LaBrea tarpit software (http://labrea.sourceforge.net/Intro-History.html) on an otherwise unused system and had our routers route all non-allocated IPs to said system. The intent was to use that to track IPs that were attacking (since otherwise, no legitimate traffic would hit that server) and then block them at the router level.
Sadly, source level routing on routers is slow, and even if it wasn't, I wasn't sure how to automatically block said IPs at the router level.
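The two observations above (a full TCP sweep of one host finishes in well under a second, so it shows up in logs as a burst of distinct destination ports; and traffic to address space you never allocated has no legitimate sender) can both be turned into detection logic. The following is an added example, not code from the thread or from LaBrea, that scores sources in constructed flow-log lines on both signals and emits block candidates; the prefixes, thresholds and log format are hypothetical.

```python
"""Score sources in flow-log lines for scan-like behaviour (added example).

Signal 1: many distinct destination ports on one host inside a short window
          (a sweep of all 65535 ports takes well under a second).
Signal 2: any traffic to addresses we announce but never allocated, in the
          spirit of routing unused IPs to a darknet sensor.
"""
from collections import defaultdict
from datetime import datetime, timezone
import ipaddress

OUR_SPACE = ipaddress.ip_network("203.0.113.0/24")    # hypothetical: the block we announce
ALLOCATED = [ipaddress.ip_network("203.0.113.0/26")]  # hypothetical: hosts we actually run
PORT_THRESHOLD = 20      # distinct ports from one source within WINDOW_SECONDS
WINDOW_SECONDS = 1.0


def _scanner_burst():
    """Constructed: one source touching 25 ports of a real host in ~250 ms."""
    return [
        f"2024-05-01T10:00:00.{i * 10:03d}Z 198.51.100.7 203.0.113.10 {port} S"
        for i, port in enumerate(range(1, 26))
    ]


# Constructed sample log, one record per line: "timestamp src dst dport flags"
SAMPLE_LOG = [
    # a normal client using two services, spread over several seconds
    "2024-05-01T10:00:00.000Z 192.0.2.5 203.0.113.10 443 S",
    "2024-05-01T10:00:03.000Z 192.0.2.5 203.0.113.10 22 S",
    "2024-05-01T10:00:07.500Z 192.0.2.5 203.0.113.10 443 S",
    # probes to addresses we never allocated (darknet hits)
    "2024-05-01T10:00:01.200Z 198.51.100.9 203.0.113.200 22 S",
    "2024-05-01T10:00:01.300Z 198.51.100.9 203.0.113.201 22 S",
    *_scanner_burst(),
]


def parse_line(line):
    """Split one record into a dict with a POSIX timestamp and typed fields."""
    ts, src, dst, dport, flags = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return {"ts": when.timestamp(), "src": src, "dst": dst,
            "dport": int(dport), "flags": flags}


def is_unallocated(dst):
    """True if dst is inside our announced space but not inside any allocated prefix."""
    addr = ipaddress.ip_address(dst)
    return addr in OUR_SPACE and not any(addr in net for net in ALLOCATED)


def analyze(lines, window=WINDOW_SECONDS):
    """Per source: largest number of distinct ports seen inside any `window`
    seconds, plus the count of packets sent to unallocated addresses."""
    events = defaultdict(list)
    darknet = defaultdict(int)
    for rec in map(parse_line, lines):
        events[rec["src"]].append((rec["ts"], rec["dport"]))
        if is_unallocated(rec["dst"]):
            darknet[rec["src"]] += 1

    report = {}
    for src, evs in events.items():
        evs.sort()
        best, j = 0, 0
        for i in range(len(evs)):          # sliding window over time-ordered events
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            best = max(best, len({port for _, port in evs[i:j]}))
        report[src] = {"max_ports_in_window": best, "darknet_hits": darknet[src]}
    return report


def block_candidates(report, port_threshold=PORT_THRESHOLD):
    """Sources that either swept many ports quickly or touched darknet space."""
    return sorted(src for src, r in report.items()
                  if r["max_ports_in_window"] >= port_threshold or r["darknet_hits"] > 0)


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    for src, r in sorted(rep.items()):
        print(f"{src:15} ports/window={r['max_ports_in_window']:3} darknet={r['darknet_hits']}")
    print("block candidates:", block_candidates(rep))
```

The darknet signal needs no threshold at all, which is what made the tarpit approach attractive: a single packet to an address nobody was ever given is already evidence. The port-sweep signal does need one, since a busy client can legitimately open a handful of ports; the window matters more than the count, because a scanner finishes in a burst while a real user spreads connections over seconds.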
Under a second?! I guess I never tried NMAP on aggressive, but I think that if you take 1ms per port you still get 65535ms which amounts to 65s... I mean, you could probably send all of those at the same time... under a second?! Really, is that a feasible amount of time?
If so, I have been using the port scanners wrong [which btw I never use often, as this AFAIK was still frowned upon and even illegal if I'm not mistaken]
Line rate for 1gbps ethernet is over 1 million PPS, so you can definitely send the packets that fast. No promises the target will be able to respond that fast.
nmap is a bit of a joke to be fair; it is incredibly slow and there's no amount of fiddling with the settings that'll make it faster (even for simple SYN scans).
Scanning every single TCP port on a host will require 65536 packets; those packets will all be about 40 bytes in size. That's only 2.6 megabytes, so on a 100Mbit link that should take around 200ms to send.
This is a pretty trivial exercise to implement yourself, but for pre-existing tools you can look at masscan and zmap. However, these will not provide the version detection nmap does.
So you are saying to use a different tool to be fast but to use nmap for feature detection... Nmap is pretty darn fast if you disable feature detection!
>Nmap is pretty darn fast if you disable feature detection!
No it isn't, nmap is ridiculously slow no matter what you do.
The only thing it does well is version detection, but you can do that too way faster.
If you specifically need nmap's version detection, sure, use it. Otherwise you might be better off using masscan; it tends to do a pretty good job even with the default banner grabbing.
Cool project nevertheless.