GeoIP support - DenyCountry
Nick Lange
nicklange at wi.rr.com
Wed Jan 22 03:02:55 EST 2003
Quick response,
While I hope this patch does not get accepted into openssh, I do think it's a
nice idea in concept; however, a priori, relying on a commercial vendor in free
software is a bad idea. Not to mention that this code belongs in a netfilter
module if you want to deploy this system wide. Furthermore, realize that by this
point in the code the connection has already occurred, which I think is the
opposite of what you want.
BUT, your code seems to affect a small enough section of the code that it
should be maintainable between versions w/o too much work [if any?]. So why not
set up a webpage with your patch on it that people can hit?
And lastly, why not parse the countries in a delimited list? That way only one
line is necessary in the configuration.
Cheers,
nick
David Walker wrote:
> Without GeoIP I have no way of knowing where the user is coming from.
> So if I want to use tcpwrappers I would have to put a GeoIP patch into
> tcpwrappers.
>
> Reverse DNS does not count. Administrators do not have to set up reverse DNS
> or they can set it to whatever they like.
>
> On Saturday 18 January 2003 05:44 pm, Sean Kamath wrote:
>
>>Perhaps I'm missing something, but wouldn't it make more sense to
>>use tcpwrappers with SSH? That way, you could basically deny all
>>connections to any ports sourced outside the US. . .
>>
>>Just a thought. . .
>>
>>Sean
>>
>>
>>[In a message on Sat, 18 Jan 2003 17:26:23 CST,
>> David Walker wrote:]
>>
>>
>>>It is not a security mechanism as such. It is a scan reduction tool.
>>>
>>>It is useful for my network in that all of my users are based in the
>>>United States. Any connection from outside the United States is
>>>automatically known to be bogus and there is no reason to allow it to
>>>continue.
>>>
>>>Granted there are plenty of bogus users within the United States but there
>>>is no reason in my mind to add the rest of the world to that. A
>>>significant portion of the scans that reach my network are from outside
>>>the United States while nothing in my network (at the current time)
>>>offers any benefit to a non-US user.
>>>
>>>On Saturday 18 January 2003 05:09 pm, Jakob Schlyter wrote:
>>>
>>>>I strongly recommend that this patch is rejected and not integrated in
>>>>nor distributed with openssh. the whole idea behind - as a security
>>>>mechanism - is totally bogus.
>>>>
>>>> jakob
>>>
>>>_______________________________________________
>>>openssh-unix-dev mailing list
>>>openssh-unix-dev at mindrot.org
>>>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
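Nick's suggestion of a single delimited DenyCountry line, written out as an added C example that is not part of the patch or of anyone's post in this thread. The GeoIP lookup itself is not shown: the function names and the assumption that the lookup hands back an ISO 3166 two-letter code (or nothing for an unmapped address) are mine.

```c
#include <ctype.h>
#include <string.h>

/* Added example, not the patch under discussion. One DenyCountry line
 * carries a delimited list of ISO 3166 two-letter codes, as suggested
 * above; the country code itself is assumed to come from an external
 * GeoIP lookup that is not shown here. */
#define MAX_DENY 64
static char deny_list[MAX_DENY][3];
static int deny_count;

/* Parse the value of a DenyCountry directive, e.g. "cn, ru KP".
 * Tokens may be separated by commas or whitespace; each must be exactly
 * two letters and is stored upper-cased. Returns the number of codes
 * added, or -1 on a malformed token or a full list. */
int parse_deny_country(const char *value)
{
    const char *sep = ", \t";
    int added = 0;
    for (;;) {
        value += strspn(value, sep);          /* skip separators */
        if (*value == '\0')
            return added;
        size_t len = strcspn(value, sep);    /* token length */
        if (len != 2 || !isalpha((unsigned char)value[0]) ||
            !isalpha((unsigned char)value[1]) || deny_count >= MAX_DENY)
            return -1;
        deny_list[deny_count][0] = (char)toupper((unsigned char)value[0]);
        deny_list[deny_count][1] = (char)toupper((unsigned char)value[1]);
        deny_list[deny_count][2] = '\0';
        deny_count++;
        added++;
        value += len;
    }
}

/* Decide whether a connection should be dropped. country is the code the
 * GeoIP lookup returned, or NULL when the address is unmapped. Unmapped
 * addresses are allowed through: this is scan reduction, not
 * authentication, and failing closed would lock out legitimate users. */
int country_denied(const char *country)
{
    if (country == NULL || strlen(country) != 2)
        return 0;
    for (int i = 0; i < deny_count; i++)
        if (toupper((unsigned char)country[0]) == deny_list[i][0] &&
            toupper((unsigned char)country[1]) == deny_list[i][1])
            return 1;
    return 0;
}
```

As the thread notes, by the time sshd could run such a check the TCP connection already exists, so the same list is cheaper to enforce in tcpwrappers or a packet filter.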