GeoIP support - DenyCountry

David Walker openssh-list at grax.com
Sun Jan 19 11:09:32 EST 2003


Without GeoIP I have no way of knowing where the user is coming from.
So if I want to use tcpwrappers I would have to put a GeoIP patch into 
tcpwrappers.

Reverse DNS does not count.  Administrators do not have to set up reverse DNS 
or they can set it to whatever they like.

On Saturday 18 January 2003 05:44 pm, Sean Kamath wrote:
> Perhaps I'm missing something, but wouldn't it make more sense to
> use tcpwrappers with SSH?  That way, you could basically deny all
> connections to any ports sourced outside the US. . .
>
> Just a thought. . .
>
> Sean
>
>
> [In a message on Sat, 18 Jan 2003 17:26:23 CST,
>   David Walker wrote:]
>
> >It is not a security mechanism as such.  It is a scan reduction tool.
> >
> >It is useful for my network in that all of my users are based in the
> > United States.  Any connection from outside the United States is
> > automatically known to be bogus and there is no reason to allow it to
> > continue.
> >
> >Granted there are plenty of bogus users within the United States but there
> > is no reason in my mind to add the rest of the world to that.  A
> > significant portion of the scans that reach my network are from outside
> > the United States while nothing in my network (at the current time)
> > offers any benefit to a non-US user.
> >
> >On Saturday 18 January 2003 05:09 pm, Jakob Schlyter wrote:
> >> I strongly recommend that this patch is rejected and not integrated in
> >> nor distributed with openssh. the whole idea behind - as a security
> >> mechanism - is totally bogus.
> >>
> >> 	jakob
> >
> >_______________________________________________
> >openssh-unix-dev mailing list
> >openssh-unix-dev at mindrot.org
> >http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
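
The check debated in this thread, as an added example (not code from the DenyCountry patch or from OpenSSH): the decision is keyed on the connecting address through a prefix-to-country table, and the reverse DNS name is never consulted because the remote administrator controls it. The table, the country assignments and the function names are assumptions made for illustration; a real deployment would load a GeoIP database instead.

```python
import ipaddress

# Constructed prefix-to-country table standing in for a GeoIP database.
# The prefixes are RFC 5737 documentation ranges; the country codes are made up.
SAMPLE_DB = [
    ("192.0.2.0/24", "US"),
    ("198.51.100.0/24", "DE"),
    ("198.51.100.128/25", "US"),  # more specific entry overrides the /24
    ("203.0.113.0/24", "CN"),
]


def build_table(rows):
    """Parse the rows and order them longest prefix first."""
    table = [(ipaddress.ip_network(prefix), cc) for prefix, cc in rows]
    return sorted(table, key=lambda entry: entry[0].prefixlen, reverse=True)


def country_of(table, addr):
    """Return the country code of the most specific matching prefix, or None."""
    ip = ipaddress.ip_address(addr)
    for net, cc in table:
        if ip.version == net.version and ip in net:
            return cc
    return None


def allow(table, addr, ptr_name=None, allowed=("US",), allow_unknown=False):
    """Decide on the source address alone.

    ptr_name is accepted only so callers can log it; it is deliberately not
    part of the decision. allow_unknown picks fail-open or fail-closed for
    addresses the table does not cover.
    """
    cc = country_of(table, addr)
    if cc is None:
        return allow_unknown
    return cc in allowed


TABLE = build_table(SAMPLE_DB)

if __name__ == "__main__":
    # Constructed connection attempts: (source address, claimed PTR name)
    for addr, ptr in [("192.0.2.10", "dsl.example.cn"),
                      ("203.0.113.9", "host.example.us"),
                      ("198.51.100.200", None),
                      ("10.1.2.3", None)]:
        print(addr, ptr, country_of(TABLE, addr), allow(TABLE, addr, ptr))
```

As the thread says, this reduces scan traffic and is not an authentication control; addresses missing from the table are refused unless `allow_unknown` is set.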



