GeoIP support - DenyCountry

Ben Lindstrom mouring at etoh.eviladmin.org
Sun Jan 19 06:18:51 EST 2003


On Sat, 18 Jan 2003, David Walker wrote:

> Without GeoIP I have no way of knowing where the user is coming from.
> So if I want to use tcpwrappers I would have to put a GeoIP patch into
> tcpwrappers.
>

That would make much more sense to me.

- Ben

> Reverse DNS does not count.  Administrators do not have to set up reverse DNS
> or they can set it to whatever they like.
>
> On Saturday 18 January 2003 05:44 pm, Sean Kamath wrote:
> > Perhaps I'm missing something, but wouldn't it make more sense to
> > use tcpwrappers with SSH?  That way, you could basically deny all
> > connections to any ports sourced outside the US. . .
> >
> > Just a thought. . .
> >
> > Sean
> >
> >
> > [In a message on Sat, 18 Jan 2003 17:26:23 CST,
> >   David Walker wrote:]
> >
> > >It is not a security mechanism as such.  It is a scan reduction tool.
> > >
> > >It is useful for my network in that all of my users are based in the
> > > United States.  Any connection from outside the United States is
> > > automatically known to be bogus and there is no reason to allow it to
> > > continue.
> > >
> > >Granted there are plenty of bogus users within the United States but there
> > > is no reason in my mind to add the rest of the world to that.  A
> > > significant portion of the scans that reach my network are from outside
> > > the United States while nothing in my network (at the current time)
> > > offers any benefit to a non-US user.
> > >
> > >On Saturday 18 January 2003 05:09 pm, Jakob Schlyter wrote:
> > >> I strongly recommend that this patch is rejected and not integrated in
> > >> nor distributed with openssh. the whole idea behind - as a security
> > >> mechanism - is totally bogus.
> > >>
> > >> 	jakob
> > >
> > >_______________________________________________
> > >openssh-unix-dev mailing list
> > >openssh-unix-dev at mindrot.org
> > >http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>



