lately there was a discussion how to restrict access to a dropbear server. The
result was some solutions outside dropbear. I have attached a patch to show
how this could be done. It uses fnmatch(), which means the patch is small and the
pattern syntax is simple. (Try -D '192.168.1.*' — quote the pattern so the shell does not glob-expand it.)

re,
 wh
--- svr-runopts.c~	2020-10-29 14:35:50.000000000 +0100
+++ svr-runopts.c	2021-05-29 23:01:01.087078502 +0200
@@ -102,6 +102,7 @@
 					"-W <receive_window_buffer> (default %d, larger may be faster, max 1MB)\n"
 					"-K <keepalive>  (0 is never, default %d, in seconds)\n"
 					"-I <idle_timeout>  (0 is never, default %d, in seconds)\n"
+					"-D <pattern>  (Host deny pattern e.g. 192.168.1.*)\n"
 #if DROPBEAR_PLUGIN
                                         "-A <authplugin>[,<options>]\n"
                                         "               Enable external public key auth through <authplugin>\n"
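Review bot: The new usage line calls the argument a "Host deny pattern", but the matching code in svr-main.c compares it against the string returned by getaddrstring() with the lookup flag set to 0, which appears to be the numeric peer address, so a hostname pattern will never match. The help text should say so and name the matching rules: `"-D <pattern>  (refuse connections whose numeric peer address matches this fnmatch(3) glob, e.g. '192.168.1.*')\n"`. The enclosing usage string starts and ends outside this hunk.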
@@ -163,6 +164,7 @@
 	svr_opts.hostkey = NULL;
 	svr_opts.delay_hostkey = 0;
 	svr_opts.pidfile = DROPBEAR_PIDFILE;
+	svr_opts.deny = NULL;
 #if DROPBEAR_SVR_LOCALTCPFWD
 	svr_opts.nolocaltcp = 0;
 #endif
@@ -247,6 +249,9 @@
 				case 'P':
 					next = &svr_opts.pidfile;
 					break;
+				case 'D':
+					next = &svr_opts.deny;
+					break;
 #if DO_MOTD
 				/* motd is displayed by default, -m turns it off */
 				case 'm':
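Review bot: The new `case 'D'` hands the following argument to `svr_opts.deny` the same way `-P` does, so a second `-D` on the command line silently replaces the first and the operator gets a narrower deny filter than intended. Either reject repetition, e.g. `if (svr_opts.deny) { dropbear_exit("Only one -D pattern is supported"); }` before the assignment, or have the usage text state that only one pattern is accepted. The enclosing option-parsing switch starts and ends outside this hunk, so it is not visible whether the argument is validated (non-empty) anywhere.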
--- svr-main.c~	2020-10-29 14:35:50.000000000 +0100
+++ svr-main.c	2021-05-29 23:32:29.106964013 +0200
@@ -23,6 +23,7 @@
  * SOFTWARE. */
 
 #include "includes.h"
+#include <fnmatch.h>
 #include "dbutil.h"
 #include "session.h"
 #include "buffer.h"
@@ -249,6 +250,15 @@
 			/* Limit the number of unauthenticated connections per IP */
 			getaddrstring(&remoteaddr, &remote_host, NULL, 0);
 
+			if (debug_trace)
+			  printf("%s:%s %s\n",__func__,remote_host,svr_opts.deny);
+		      /* ignore  certain IPs*/
+			if  (svr_opts.deny)
+			{
+			  if (fnmatch(svr_opts.deny,remote_host,FNM_PATHNAME) == 0)
+			    goto out;
+			}
+			
 			num_unauthed_for_addr = 0;
 			num_unauthed_total = 0;
 			for (j = 0; j < MAX_UNAUTH_CLIENTS; j++) {
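Review bot: The trace `printf` inserted at the top of the block passes `svr_opts.deny` to `%s` before the NULL check two lines later, so running with tracing enabled and no `-D` hands a null pointer to printf, which is undefined behaviour (glibc prints "(null)", other libcs can crash), and it writes to stdout rather than through the project's TRACE/logging facilities. Connections that match the pattern are then dropped with no log line at all, so an operator cannot distinguish a filter hit from a network fault; a `dropbear_log()` call on the deny path would give the audit trail a deny-list needs. `goto out` mirrors the rate-limit path just below, which presumably closes childsock and frees remote_host, but the label and the enclosing function are outside this hunk so that should be confirmed. Note also that `remote_host` is the numeric address string (hostname patterns never match, and IPv4 peers on an IPv6 listener may appear in mapped form) and that FNM_PATHNAME has no effect on a string containing no '/'. Suggested replacement for the inserted lines:
```c
			getaddrstring(&remoteaddr, &remote_host, NULL, 0);

			/* -D: refuse peers whose numeric address matches the fnmatch(3) pattern */
			if (svr_opts.deny
					&& fnmatch(svr_opts.deny, remote_host, 0) == 0) {
				dropbear_log(LOG_INFO, "Refused connection from %s (matches -D pattern)",
						remote_host);
				goto out;
			}
```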
--- runopts.h~	2021-06-06 14:57:29.591763229 +0200
+++ runopts.h	2021-05-29 22:48:27.789528236 +0200
@@ -124,6 +124,7 @@
 	char * pidfile;
 
 	char * forced_command;
+	char *deny;
 
 #if DROPBEAR_PLUGIN 
         char *pubkey_plugin;
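Review bot: The new `deny` member carries no comment, unlike a reader would need to know that it is an fnmatch(3) pattern, that NULL means no filtering, and that it is compared against the numeric peer address string after accept(). Suggest `char *deny; /* -D: fnmatch(3) pattern for numeric peer addresses to refuse; NULL = none */`. The enclosing struct starts outside this hunk.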
