
List:       dropbear
Subject:    AW: restrict access
From:       Walter Harms <wharms () bfs ! de>
Date:       2021-05-24 21:01:32
Message-ID: c5f4926e2308461ab1fa7d7be0b3b5c5 () bfs ! de

I did a little experiment and it worked.

    if (fnmatch("192.168.1.*", remote_host, FNM_PATHNAME) != 0)
        goto out;

This will allow only connections from 192.168.1.* to the server; that shows the change can be very simple. I did not try it with more complicated situations. The limits of this approach need to be evaluated.
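An added example, not code from Dropbear or from anyone in this thread, that extends the single fnmatch check above into a small allow-list function: several patterns, fail-closed on an empty list, and a fix for IPv4-mapped IPv6 peers, which a dual-stack listener reports as `::ffff:a.b.c.d` and which a plain IPv4 pattern would otherwise deny. `normalize_addr`, `host_allowed`, `sample_allowed` and the allow list are assumptions of this example.

```c
#include <fnmatch.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Strip the IPv4-mapped IPv6 prefix that a dual-stack listener hands back
 * ("::ffff:192.168.1.7" -> "192.168.1.7") so IPv4 patterns still apply. */
static const char *normalize_addr(const char *addr)
{
    static const char prefix[] = "::ffff:";
    size_t plen = sizeof(prefix) - 1;
    if (strncmp(addr, prefix, plen) == 0 && strchr(addr + plen, '.') != NULL)
        return addr + plen;
    return addr;
}

/* 1 if remote_host matches any allow pattern, else 0. An empty list denies
 * everything, so a missing or unreadable configuration fails closed. */
int host_allowed(const char *remote_host, const char *const *patterns, size_t npatterns)
{
    const char *addr = normalize_addr(remote_host);
    for (size_t i = 0; i < npatterns; i++) {
        /* flags = 0: '*' and '?' match any character, including '.' and ':' */
        if (fnmatch(patterns[i], addr, 0) == 0)
            return 1;
    }
    return 0;
}

/* Constructed allow list: one IPv4 subnet, one exact host, one IPv6 ULA prefix.
 * Note that a pattern must match the whole address, so "203.0.113.5" does
 * not admit "203.0.113.50". */
static const char *const sample_allow[] = { "192.168.1.*", "203.0.113.5", "fd00:*" };

int sample_allowed(const char *remote_host)
{
    return host_allowed(remote_host, sample_allow,
                        sizeof(sample_allow) / sizeof(sample_allow[0]));
}

int main(void)
{
    /* Constructed peer addresses as getaddrstring() would render them. */
    const char *peers[] = { "192.168.1.42", "::ffff:192.168.1.42", "192.168.10.42",
                            "203.0.113.5", "203.0.113.50", "fd00::1" };
    for (size_t i = 0; i < sizeof(peers) / sizeof(peers[0]); i++)
        printf("%-22s %s\n", peers[i],
               sample_allowed(peers[i]) ? "allow" : "deny, closing connection");
    return 0;
}
```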

________________________________________
From: Dropbear <dropbear-bounces@ucc.asn.au> on behalf of Sebastian Gottschall <s.gottschall@dd-wrt.com>
Sent: Sunday, 23 May 2021 02:34
To: Hans Harder
Cc: dropbear@ucc.asn.au
Subject: Re: restrict access



I know, but consider that this was not my request. I was just answering
a question and giving a suggestion.
So I have no intention of implementing this on my side.

On 21.05.2021 at 16:56, Hans Harder wrote:
> You can add some small code in svr_main.c for allowing/denying remote
> servers based on their IP address:
> 
>     getaddrstring(&remoteaddr, &remote_host, NULL, 0);
>     /* HH hostallow start */
>     /* Check if remote host is allowed */
>     if (hostallow_check(remote_host) == 0) {
>         fprintf(stderr, "Not allowed, closing connection\n");
>         goto out;
>     }
>     /* HH hostallow end */
>     /* Limit the number of unauthenticated
>        connections per IP */
>     num_unauthed_for_addr = 0;
>     num_unauthed_total = 0;
>     for (j = 0; j < MAX_UNAUTH_CLIENTS; j++) {
> 
> Just add something like this in svr_main.c in the main_noinetd function.
> In the hostallow_check function I check if there is a certain file,
> like host_<remote_host>.allow, in a certain directory;
> if not, it will close the connection.
> 
> Hans
> 
> 
> On Thu, May 20, 2021 at 5:05 PM Sebastian Gottschall
> <s.gottschall@dd-wrt.com> wrote:
> > What about a feature like blocking a client for N minutes after more than N
> > failed logins? It's relatively easy to implement and slows down
> > brute force attacks.
> > 
> > On 20.05.2021 at 16:44, Matt Johnston wrote:
> > > On Thu, May 20, 2021 at 02:29:20PM +0000, Walter Harms wrote:
> > > > Thanks for the fast response.
> > > > For the background: little system, far-far-away land, but some script-kiddie
> > > > is filling the log ... so no iptables or other fancy stuff. Seems I have to
> > > > change that, somehow.
> > > > @matt:
> > > > In case I get something working ...
> > > > I am thinking about fnmatch and inet_ntoa; would that be acceptable?
> > > I'm not really sure it's the job of Dropbear to be doing
> > > that filtering. Though I wonder if it might make sense to
> > > optionally not bother logging failed SSH auth attempts,
> > > given how many there are...
> > > 
> > > Cheers,
> > > Matt
> > > 

