Lately there was a discussion about how to restrict access to a dropbear server. The result was a set of solutions outside dropbear. I have attached a patch to show how this could be done inside dropbear itself. It uses fnmatch(), which means the patch is small and the pattern syntax is simple. (Try -D 192.168.1.*)
re, wh
--- svr-runopts.c~ 2020-10-29 14:35:50.000000000 +0100
+++ svr-runopts.c 2021-05-29 23:01:01.087078502 +0200
@@ -102,6 +102,7 @@
 "-W <receive_window_buffer> (default %d, larger may be faster, max 1MB)\n"
 "-K <keepalive> (0 is never, default %d, in seconds)\n"
 "-I <idle_timeout> (0 is never, default %d, in seconds)\n"
+ "-D <pattern> (Host deny pattern e.g. 192.168.1.*)\n"
 #if DROPBEAR_PLUGIN
 "-A <authplugin>[,<options>]\n"
 " Enable external public key auth through <authplugin>\n"
@@ -163,6 +164,7 @@
 svr_opts.hostkey = NULL;
 svr_opts.delay_hostkey = 0;
 svr_opts.pidfile = DROPBEAR_PIDFILE;
+ svr_opts.deny = NULL;
 #if DROPBEAR_SVR_LOCALTCPFWD
 svr_opts.nolocaltcp = 0;
 #endif
@@ -247,6 +249,9 @@
 case 'P':
 next = &svr_opts.pidfile;
 break;
+ case 'D':
+ next = &svr_opts.deny;
+ break;
 #if DO_MOTD
 /* motd is displayed by default, -m turns it off */
 case 'm':
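Review bot: The usage text `"-D <pattern> (Host deny pattern e.g. 192.168.1.*)\n"` in the first hunk calls this a host pattern, but the svr-main.c change matches it with fnmatch() against the string getaddrstring() produces for the peer, which appears to be the numeric address rather than a resolved name, and the unquoted example will be glob-expanded by most shells before dropbear ever sees it. Suggest `"-D <pattern> (deny connections whose peer address matches this fnmatch() pattern, e.g. '192.168.1.*')\n"`. It is also worth saying there that only one pattern is accepted and that a pattern of `*` rejects every client, because the `case 'D':` branch in the third hunk stores the argument without any validation. The usage function and svr_getopts() both start and end outside these hunks.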
--- svr-main.c~ 2020-10-29 14:35:50.000000000 +0100
+++ svr-main.c 2021-05-29 23:32:29.106964013 +0200
@@ -23,6 +23,7 @@
 * SOFTWARE. */
 #include "includes.h"
+#include <fnmatch.h>
 #include "dbutil.h"
 #include "session.h"
 #include "buffer.h"
@@ -249,6 +250,15 @@
 /* Limit the number of unauthenticated connections per IP */
 getaddrstring(&remoteaddr, &remote_host, NULL, 0);
+ if (debug_trace)
+ printf("%s:%s %s\n",__func__,remote_host,svr_opts.deny);
+ /* ignore certain IPs*/
+ if (svr_opts.deny)
+ {
+ if (fnmatch(svr_opts.deny,remote_host,FNM_PATHNAME) == 0)
+ goto out;
+ }
+
 num_unauthed_for_addr = 0;
 num_unauthed_total = 0;
 for (j = 0; j < MAX_UNAUTH_CLIENTS; j++) {
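Review bot: The trace line `printf("%s:%s %s\n",__func__,remote_host,svr_opts.deny);` in the second hunk feeds svr_opts.deny to `%s` whenever debug_trace is set, but the svr-runopts.c hunk initialises that field to NULL when -D is absent, so running with -v and no -D passes a null pointer to printf, which is undefined behaviour and a crash on several libcs. The denial itself is silent: a client dropped by the pattern leaves no log entry, which operators need both for auditing and for noticing a pattern that is broader than intended. Suggest removing the printf and logging inside the match branch instead, e.g. `dropbear_log(LOG_INFO, "Connection from %s refused by -D pattern", remote_host);` immediately before `goto out;` (dropbear_log appears to come from dbutil.h, which is already included above), and passing 0 rather than FNM_PATHNAME since address strings never contain '/'. The `out:` label is outside the hunk, so the early exit is assumed to close childsock and free remote_host the same way the existing MAX_UNAUTH rejection does; the enclosing accept loop starts and ends outside the hunk as well.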
--- runopts.h~ 2021-06-06 14:57:29.591763229 +0200
+++ runopts.h 2021-05-29 22:48:27.789528236 +0200
@@ -124,6 +124,7 @@
 char * pidfile;
 char * forced_command;
+ char *deny;
 #if DROPBEAR_PLUGIN
 char *pubkey_plugin;
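Review bot: The new field `char *deny;` gives no hint of its format or of who owns the string; a one-line comment such as `char *deny; /* -D: fnmatch() pattern; peers whose address string matches are dropped before the unauthed-connection check */` would spare the next reader a trip to svr-main.c. Since the option parser stores the argv pointer directly, noting that the memory is not owned by the struct would also be useful. The struct definition starts and ends outside the hunk.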