GeoIP support - DenyCountry

Sean Kamath kamath at geekoids.com
Sun Jan 19 10:44:37 EST 2003


Perhaps I'm missing something, but wouldn't it make more sense to
use tcpwrappers with SSH?  That way, you could basically deny all
connections to any ports sourced outside the US. . .

Just a thought. . .

Sean


[In a message on Sat, 18 Jan 2003 17:26:23 CST,
  David Walker wrote:]
>It is not a security mechanism as such.  It is a scan reduction tool.
>
>It is useful for my network in that all of my users are based in the United 
>States.  Any connection from outside the United States is automatically known 
>to be bogus and there is no reason to allow it to continue.
>
>Granted there are plenty of bogus users within the United States but there is 
>no reason in my mind to add the rest of the world to that.  A significant 
>portion of the scans that reach my network are from outside the United States 
>while nothing in my network (at the current time) offers any benefit to a 
>non-US user.
>
>On Saturday 18 January 2003 05:09 pm, Jakob Schlyter wrote:
>> I strongly recommend that this patch is rejected and not integrated in nor
>> distributed with openssh. the whole idea behind - as a security mechanism
>> - is totally bogus.
>>
>> 	jakob
>
>_______________________________________________
>openssh-unix-dev mailing list
>openssh-unix-dev at mindrot.org
>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev



