First time subscriber/poster.

My attached patch allows GeoIP support for the free GeoIP database and C API from http://www.maxmind.com/ Install GeoIP before compiling and it should work.

It adds 2 options to sshd_config:

DenyCountry
    Deny access from a specific country based on GeoIP lookup. Use multiple DenyCountry entries to deny access from multiple countries. DenyCountry takes precedence over AllowCountry.

AllowCountry
    Allow access from a specific country based on GeoIP lookup. Use multiple AllowCountry entries to allow access from multiple countries.

I hardcoded the configure script part of it. Ideally it should either detect when GeoIP is installed or accept a --with-geoip parameter, or both, but I am not too familiar with configure testing.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh.geoip.patch
Type: text/x-diff
Size: 8027 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030118/98e3323b/attachment.bin
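The allow/deny decision the two options describe, as an added example in C that is not the patch's code: the MaxMind lookup is replaced by a constructed prefix table, and the behaviour for countries missing from an AllowCountry list and for addresses the database cannot place is assumed, since the post does not state it.

```c
#include <stdio.h>
#include <string.h>
#define MAX_COUNTRIES 16
/* Lists accumulated from DenyCountry / AllowCountry lines in sshd_config. */
struct country_policy {
    char deny[MAX_COUNTRIES][3];  int ndeny;
    char allow[MAX_COUNTRIES][3]; int nallow;
};
/* Feed one sshd_config line. Returns 1 if it was one of the two GeoIP
 * keywords (and was recorded), 0 for any other keyword or a malformed line. */
int parse_country_option(struct country_policy *p, const char *line) {
    char key[32], cc[8];
    if (sscanf(line, "%31s %7s", key, cc) != 2 || strlen(cc) != 2) return 0;
    if (strcmp(key, "DenyCountry") == 0 && p->ndeny < MAX_COUNTRIES)
        strcpy(p->deny[p->ndeny++], cc);
    else if (strcmp(key, "AllowCountry") == 0 && p->nallow < MAX_COUNTRIES)
        strcpy(p->allow[p->nallow++], cc);
    else return 0;
    return 1;
}

static int in_list(const char list[][3], int n, const char *cc) {
    for (int i = 0; i < n; i++)
        if (strcmp(list[i], cc) == 0) return 1;
    return 0;
}

/* Stand-in for the MaxMind lookup: a constructed prefix table over the
 * documentation address ranges, not the GeoIP C API. NULL = not in database. */
static const char *lookup_country(const char *addr) {
    static const struct { const char *prefix; const char *cc; } table[] = {
        { "192.0.2.", "US" }, { "198.51.100.", "DE" }, { "203.0.113.", "JP" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strncmp(addr, table[i].prefix, strlen(table[i].prefix)) == 0)
            return table[i].cc;
    return NULL;
}

/* 1 = allow, 0 = deny. DenyCountry wins over AllowCountry (stated in the post).
 * Assumed here: with any AllowCountry set, unlisted countries are denied, like
 * AllowUsers; an unplaceable address is allowed only with no AllowCountry set. */
int country_access_allowed(const struct country_policy *p, const char *addr) {
    const char *cc = lookup_country(addr);
    if (cc == NULL) return p->nallow == 0;
    if (in_list(p->deny, p->ndeny, cc)) return 0;
    if (p->nallow > 0 && !in_list(p->allow, p->nallow, cc)) return 0;
    return 1;
}
```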
I strongly recommend that this patch is rejected and not integrated in nor distributed with openssh. The whole idea behind it - as a security mechanism - is totally bogus.

jakob
It is not a security mechanism as such. It is a scan reduction tool.

It is useful for my network in that all of my users are based in the United States. Any connection from outside the United States is automatically known to be bogus and there is no reason to allow it to continue. Granted there are plenty of bogus users within the United States but there is no reason in my mind to add the rest of the world to that. A significant portion of the scans that reach my network are from outside the United States while nothing in my network (at the current time) offers any benefit to a non-US user.

On Saturday 18 January 2003 05:09 pm, Jakob Schlyter wrote:
> I strongly recommend that this patch is rejected and not integrated in nor
> distributed with openssh. the whole idea behind - as a security mechanism
> - is totally bogus.
>
> jakob
David Walker wrote:
> It is not a security mechanism as such. It is a scan reduction tool.
>
> It is useful for my network in that all of my users are based in the
> United States. Any connection from outside the United States is
> automatically known to be bogus and there is no reason to allow it
> to continue.

That functionality more rightly belongs in a firewall than in ssh. You can always place a firewall between ssh and the network. In fact that is probably a good thing regardless.

I also do not think that this feature belongs in ssh.

Bob