Lately there was a discussion on how to restrict access to a dropbear server. The
results were some solutions outside dropbear. I have attached a patch to show
how this could be done. It uses fnmatch(), which means the patch is small and the
pattern is simple. (Try -D 192.168.1.*)
re,
wh
--- svr
: Steffen Nurpmeso
Sent: Tuesday, 25 May 2021 02:40:50
To: Walter Harms
Cc: dropbear@ucc.asn.au
Subject: Re: restrict access
hem) on your embedded system, this is clearly an
> option.
>
> re,
> wh
>
> From: Steffen Nurpmeso
> Sent: Tuesday, 25 May 2021 02:40:50
> To: Walter Harms
> Cc: dropbear@ucc.asn.au
> Subject: Re: restrict access
>
situations. The limits of this approach need to be evaluated.
From: Dropbear on behalf of Sebastian Gottschall
Sent: Sunday, 23 May 2021 02:34
To: Hans Harder
Cc: dropbear@ucc.asn.au
Subject: Re: restrict access
Walter Harms wrote in
:
|I did a little experiment and it worked.
|
| if (fnmatch("192.168.1.*",remote_host,FNM_PATHNAME) != 0)
| goto out;
|
|this will allow only connections from 192.168.1.* to the server
|that shows the change can be very simple. I did not try with more compli\
i know, but consider that this was not my request. i was just answering
a question and giving a suggestion.
so i have no intention to implement this on my side
On 21.05.2021 at 16:56, Hans Harder wrote:
You can add some small code in svr_main.c for allowing/denying remote
servers based on
You can add some small code in svr_main.c for allowing/denying remote
servers based on their ip address
getaddrstring(, _host, NULL, 0);
/* HH hostallow start */
/* Check if remote host is allowed */
if
that be acceptable ?
re,
wh
From: Dropbear on behalf of Sebastian Gottschall
Sent: Thursday, 20 May 2021 15:53
To: dropbear@ucc.asn.au
Subject: Re: restrict access
isn't that a job for netfilter?
On 20.05.2021 at 15:23, Walter Harms wrote
I've used successfully (well, at least I believe it's successful) sshblack (
http://www.pettingers.org/code/sshblack.html) to block those pesky robots
through iptables.
To get it to work correctly It's not as obvious as it seems... and there
are some limitations, but once you are familiar with it,
what about a feature like blocking a client for N minutes if more than N
times of failed logins. it's relatively easy to implement and slows down
brute force attacks
On 20.05.2021 at 16:44, Matt Johnston wrote:
On Thu, May 20, 2021 at 02:29:20PM +, Walter Harms wrote:
Thx for the fast
On Thu, May 20, 2021 at 02:29:20PM +, Walter Harms wrote:
> Thx for the fast response,
> for the background: little system, far-far-away land, but some script-kiddie
> is filling the log ...
> so no iptables or other fancy stuff. Seems i have to change that, somehow.
>
> @matt:
> in case i
:
in case i get something working ...
i am thinking about fnmatch and inet_ntoa would that be acceptable ?
re,
wh
From: Dropbear on behalf of Sebastian Gottschall
Sent: Thursday, 20 May 2021 15:53
To: dropbear@ucc.asn.au
Subject: Re: restrict access
isn't that a job for netfilter?
On 20.05.2021 at 15:23, Walter Harms wrote:
Hello List,
actually i expected this would be a FAQ but i can not find an answer:
How can i restrict the hosts that are allowed to access the
dropbear server ?
re,
wh
Hi Walter,
Dropbear doesn't have IP restrictions built in. You could use
iptables/nftables, or tcpwrappers etc if you're running
Dropbear in inetd mode.
Cheers,
Matt
On Thu, May 20, 2021 at 01:23:28PM +, Walter Harms wrote:
> Hello List,
> actually i expected this would be a FAQ but i can
Hello List,
actually i expected this would be a FAQ but i can not find an answer:
How can i restrict the hosts that are allowed to access the
dropbear server ?
re,
wh