GeoIP support - DenyCountry

David Walker openssh-list at grax.com
Wed Jan 22 04:42:10 EST 2003


On Tuesday 21 January 2003 10:02 am, Nick Lange wrote:
> Quick response,
> 	While I hope this patch does not get accepted into openssh, I do think
> it's a nice idea in concept; however, a priori, relying on a commercial
> vendor in free software is a bad idea. Not to mention that this code
> belongs in a netfilter module if you want to deploy this system wide.
> Furthermore, realize that by this point in the code the connection has
> already occurred, which I think is the opposite of what you want.

I am working on a userspace implementation with netfilter and libipq, but that 
will have to wait until I get more free time.

Since the connection has occurred by the time this code is called, this code is 
more useful with a non-standard ssh port, as it reveals an open port but not 
what app is running.  I am not sure if you can make a port appear closed from 
within an application, which means that netfilter integration is much 
preferred.

>
>   BUT, your code seems to affect a small enough section of the code that
> it should be maintainable between versions w/o too much work [if any?]. So
> why not set up a webpage with your patch on it that people can hit?

So far I am the only one I am aware of that is interested in this. 

>
> And lastly, why not parse the countries in a delimited list? that way only
> one line is necessary in the configuration?

I don't really have a preference.  When I was writing it, the multiline thing 
seemed easier to write.
>
> Cheers,
> nick
>
> David Walker wrote:
> > Without GeoIP I have no way of knowing where the user is coming from.
> > So if I want to use tcpwrappers I would have to put a GeoIP patch into
> > tcpwrappers.
> >
> > Reverse DNS does not count.  Administrators do not have to set up reverse
> > DNS or they can set it to whatever they like.
> >
> > On Saturday 18 January 2003 05:44 pm, Sean Kamath wrote:
> >>Perhaps I'm missing something, but wouldn't it make more sense to
> >>use tcpwrappers with SSH?  That way, you could basically deny all
> >>connections to any ports sourced outside the US. . .
> >>
> >>Just a thought. . .
> >>
> >>Sean
> >>
> >>
> >>[In a message on Sat, 18 Jan 2003 17:26:23 CST,
> >>  David Walker wrote:]
> >>
> >>>It is not a security mechanism as such.  It is a scan reduction tool.
> >>>
> >>>It is useful for my network in that all of my users are based in the
> >>>United States.  Any connection from outside the United States is
> >>>automatically known to be bogus and there is no reason to allow it to
> >>>continue.
> >>>
> >>>Granted there are plenty of bogus users within the United States but
> >>> there is no reason in my mind to add the rest of the world to that.  A
> >>> significant portion of the scans that reach my network are from outside
> >>> the United States while nothing in my network (at the current time)
> >>> offers any benefit to a non-US user.
> >>>
> >>>On Saturday 18 January 2003 05:09 pm, Jakob Schlyter wrote:
> >>>>I strongly recommend that this patch is rejected and not integrated in
> >>>>nor distributed with openssh. the whole idea behind - as a security
> >>>>mechanism - is totally bogus.
> >>>>
> >>>>	jakob
> >>>
> >>>_______________________________________________
> >>>openssh-unix-dev mailing list
> >>>openssh-unix-dev at mindrot.org
> >>>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> >

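Added example, not from the thread and not the DenyCountry patch under discussion: a stand-alone sketch of the check such a patch has to make after accept() returns. It assumes a constructed prefix-to-country table (RFC 5737 / RFC 3849 documentation prefixes) in place of the commercial GeoIP database the thread mentions, and accepts both the one-country-per-line form David wrote and the delimited-list form Nick suggested. The keyword `DenyCountry`, the `deny_unknown` flag and all sample addresses are assumptions for illustration.

```python
"""Country-based connection check of the kind DenyCountry would perform.

Added example; not OpenSSH code and not the MaxMind API.  GEO_TABLE is a
constructed stand-in for a real geolocation database.
"""
import ipaddress

# Constructed lookup table using documentation prefixes; NOT real geodata.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("203.0.113.0/24"): "CN",
    ipaddress.ip_network("2001:db8::/32"): "SE",
}


def country_of(addr):
    """Longest-prefix match of addr against GEO_TABLE; None if unknown."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, cc in GEO_TABLE.items():
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, cc)
    return best[1] if best else None


def parse_deny_countries(config_text):
    """Collect DenyCountry values from sshd_config-style text.

    Accepts one country per line ("DenyCountry CN" repeated) as well as a
    delimited list on a single line ("DenyCountry CN,DE SE").  Keywords are
    matched case-insensitively, as sshd_config keywords are; '#' starts a
    comment.
    """
    denied = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "denycountry":
            continue
        for token in parts[1].replace(",", " ").split():
            denied.add(token.upper())
    return denied


def should_drop(addr, denied, deny_unknown=False):
    """Decide, after the TCP connection already exists, whether sshd should
    close it.  Addresses with no table entry fail open unless deny_unknown is
    set; a site that wants "US only" rather than "not these countries" would
    set it.  Either way the listening port was already visible to the peer."""
    cc = country_of(addr)
    if cc is None:
        return deny_unknown
    return cc in denied


if __name__ == "__main__":
    # Constructed sample config in both styles the thread discusses.
    sample_config = (
        "Port 2222\n"
        "DenyCountry CN\n"
        "DenyCountry DE\n"
        "DenyCountry SE   # delimited style would also work: CN,DE SE\n"
    )
    denied = parse_deny_countries(sample_config)
    for peer in ("192.0.2.10", "203.0.113.7", "2001:db8::1", "10.0.0.1"):
        verdict = "drop" if should_drop(peer, denied) else "allow"
        print(f"{peer:>16}  {country_of(peer) or '??'}  {verdict}")
```

The decision is made after accept(), which is exactly the point raised in the thread: a scanner still sees the port open and only learns that the application closed the session. Making the port appear closed requires filtering before the handshake completes, i.e. in the packet filter, which is where the libipq/netfilter work mentioned above belongs.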