Re: restrict access
Walter Harms wrote in : |I did a little experiment and it worked. | | if (fnmatch("192.168.1.*",remote_host,FNM_PATHNAME) != 0) | goto out; | |this will allow only connections from 192.168.1.* to the server |that shows the change can be very simple. I did not try with more compli\ |cated situations. The limits of this approach needs to be evaluated. Since the begin of this thread this sounds like a 100% firewall thing to me. Why would you like to compile this in? I mean, i can imagine the NetBSD/FreeBSD black(now block)list approach in which a server software who "knows" what has happened acts via a hook instead of let some expensive log parser reevaluate state which is known in the moment the log happens. But this? I am not an administrator and thus firewall guru, but i for example have in my net-qos.sh:fwcore_start() (heavily vaporised this is) change_chain INPUT new_chain i_good i_alien i_sshorvpn i_tcp_new add_rule -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT add_rule -j i_good add_rule -j i_alien add_rule -p tcp --syn -m conntrack --ctstate NEW -j i_tcp_new change_chain i_tcp_new fwcore_has_i ssh && add_rule -p tcp --dport ${p_ssh} -j i_sshorvpn change_chain i_sshorvpn So and in here you can allow or deny ssh-specific anyway you want to, add, remove and change, use "-m recent" and hitcounts etc., and all without recompilation. (Having real address and/or CIDR tables which could be managed separately would be cool though.) --steffen | |Der Kragenbaer,The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt)
Re: Dropbear 2018.76
I want to point out that Konstantin Tokarev was Cc:d in my message, his name has been stripped by the ML. --steffen | |Der Kragenbaer,The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt)
Re: Dropbear 2018.76
Matt Johnston <m...@ucc.asn.au> wrote: |On 2 March 2018 6:17:42 pm AWST, Konstantin Tokarev <annu...@yandex.ru> \ |wrote: |>02.03.2018, 00:18, "Steffen Nurpmeso" <stef...@sdaoden.eu>: |>>> ok?? Ok, so how about "-o ProxyLocalhost=PORT"? |> |>There is no such option in openssh | |I'm not opposed to adding options just for dropbear. Another alternative \ |that might be more flexible would be | |-o keyhostname=example.com localhost:7766 | |With example.com used for known_hosts matching. Then the proxy tcp \ |destination could be a remote host too if desired. Thoughts? I do not like the hunk in cli-runopts.c, line 681. The test is now useless and depends on the order on the command line. Regarding yours: isn't that much harder to implement? The nice thing about this patch is that it is so small and could be carried along for over four years without having a look :). I mean, today with all those docker images and entire vde2 local networks etc. the need as such can easily be seen as something ridiculous, i know... Ciao! --steffen | |Der Kragenbaer,The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt)
Re: Dropbear 2018.76
Matt Johnstonwrote: |Dropbear 2018.76 is released. As well as the usual Thank you! And yes, i am still using such grumpy networks with VMs, so please let me post the "git am" mailbox that adds support for proxy-over- localhost. Ciao, --steffen | |Der Kragenbaer,The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt) db-diff.mbox Description: application/mbox