Re: restrict access

2021-05-24 Thread Steffen Nurpmeso 
Walter Harms wrote in
 :
 |I did a little experiment and it worked.
 |
 | if (fnmatch("192.168.1.*",remote_host,FNM_PATHNAME) != 0)
 |   goto out;
 |
 |this will allow only connections from 192.168.1.* to the server
 |that shows the change can be very simple. I did not try with more compli\
 |cated situations. The limits of this approach needs to be evaluated. 

Since the begin of this thread this sounds like a 100% firewall
thing to me.  Why would you like to compile this in?

I mean, i can imagine the NetBSD/FreeBSD black(now block)list
approach in which a server software who "knows" what has happened
acts via a hook instead of let some expensive log parser
reevaluate state which is known in the moment the log happens.

But this?  I am not an administrator and thus firewall guru, but
i for example have in my net-qos.sh:fwcore_start() (heavily
vaporised this is)

   change_chain INPUT
   new_chain i_good i_alien i_sshorvpn i_tcp_new

   add_rule -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

   add_rule -j i_good
   add_rule -j i_alien

   add_rule -p tcp --syn -m conntrack --ctstate NEW -j i_tcp_new

   change_chain i_tcp_new

   fwcore_has_i ssh && add_rule -p tcp --dport ${p_ssh} -j i_sshorvpn

   change_chain i_sshorvpn

So and in here you can allow or deny ssh-specific anyway you want
to, add, remove and change, use "-m recent" and hitcounts etc.,
and all without recompilation.  (Having real address and/or CIDR
tables which could be managed separately would be cool though.)

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

Re: Dropbear 2018.76

2018-03-02 Thread Steffen Nurpmeso 
I want to point out that Konstantin Tokarev was Cc:d in my
message, his name has been stripped by the ML.

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

Re: Dropbear 2018.76

2018-03-02 Thread Steffen Nurpmeso 
Matt Johnston <m...@ucc.asn.au> wrote:
 |On 2 March 2018 6:17:42 pm AWST, Konstantin Tokarev <annu...@yandex.ru> \
 |wrote:
 |>02.03.2018, 00:18, "Steffen Nurpmeso" <stef...@sdaoden.eu>:
 |>>> ok?? Ok, so how about "-o ProxyLocalhost=PORT"?
 |>
 |>There is no such option in openssh
 |
 |I'm not opposed to adding options just for dropbear. Another alternative \
 |that might be more flexible would be 
 |
 |-o keyhostname=example.com localhost:7766
 |
 |With example.com used for known_hosts matching. Then the proxy tcp \
 |destination could be a remote host too if desired. Thoughts?

I do not like the hunk in cli-runopts.c, line 681.  The test is
now useless and depends on the order on the command line.

Regarding yours: isn't that much harder to implement?  The nice
thing about this patch is that it is so small and could be carried
along for over four years without having a look :).  I mean, today
with all those docker images and entire vde2 local networks etc.
the need as such can easily be seen as something ridiculous,
i know...

Ciao!

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

Re: Dropbear 2018.76

2018-02-27 Thread Steffen Nurpmeso 
Matt Johnston  wrote:
 |Dropbear 2018.76 is released. As well as the usual

Thank you!

And yes, i am still using such grumpy networks with VMs, so please
let me post the "git am" mailbox that adds support for proxy-over-
localhost.

Ciao,

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)


db-diff.mbox
Description: application/mbox