From: Don C. <do...@co...> - 2016-01-24 18:09:15
sshguard (as of 1.6.2) operates internally on IP addresses. It maps hostnames to IP addresses only at startup time, and this is fundamentally flawed, as hostname to IP address mappings change over time. I'm currently working around this by restarting it once a day. This is effective, but kludgy.

I searched the archives for this list and didn't see any mention of this issue, so I presume most people aren't concerned with whitelisting dynamic hostnames.

sshguard uses getaddrinfo() to map hostnames to IP addresses. This is not the proper interface for long-running daemons to be using. It probably should be using the res_* functions. It should track the TTL of hostname mappings in its whitelist, and re-map them once the TTL expires. If the remap fails or takes too long, it should probably continue using the old value for a short additional time, say 5 to 10 minutes, before trying again (as sshd is already mapping the name to IP address on each request, a valid mapping should already be in a nearby DNS cache).

Any interest in this?

Thanks,
Don
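The refresh policy sketched in the message above, written out as an added C example. This is not sshguard's code and is not part of the original message: the entry type (wl_entry), the functions (wl_init, wl_refresh, wl_match, wl_demo), the grace constant WL_GRACE_SECS and the resolver callback type are all hypothetical names chosen here. The resolver is a constructed stand-in with a tiny static zone and a failure switch so the logic runs offline; in a real daemon that hook would wrap res_query() and ns_parserr() to read the record TTL instead of calling getaddrinfo(), which discards it.

```c
/* TTL-tracked hostname whitelist entry: re-resolve on expiry, keep the old
 * answer for a grace period when the refresh fails. Example code, not
 * sshguard's own; all names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define WL_MAX_ADDRS 8
#define WL_GRACE_SECS (10 * 60)   /* serve a stale mapping this long after a failed refresh */
#define WL_MIN_TTL    60          /* floor for zero/very short TTLs so we don't hammer DNS */

typedef struct {
    char name[256];
    struct in_addr addrs[WL_MAX_ADDRS];
    int naddrs;
    time_t expires;   /* when the mapping must be re-resolved */
    int stale;        /* 1 while serving an old answer after a failed refresh */
} wl_entry;

/* Resolver hook: fill addrs/naddrs and the record TTL in seconds; return 0 on
 * success, -1 on failure. A production version would issue res_query() for an
 * A record and take the TTL from ns_rr_ttl() after ns_parserr(). */
typedef int (*wl_resolver)(const char *name, struct in_addr *addrs,
                           int *naddrs, unsigned *ttl);

/* Re-resolve e->name. On failure keep the existing addresses and retry after
 * WL_GRACE_SECS, as the message proposes. */
static int wl_refresh(wl_entry *e, wl_resolver resolve, time_t now) {
    struct in_addr tmp[WL_MAX_ADDRS];
    int n = 0;
    unsigned ttl = 0;
    if (resolve(e->name, tmp, &n, &ttl) == 0 && n > 0) {
        if (n > WL_MAX_ADDRS) n = WL_MAX_ADDRS;
        memcpy(e->addrs, tmp, sizeof(struct in_addr) * (size_t)n);
        e->naddrs = n;
        e->expires = now + (ttl < WL_MIN_TTL ? WL_MIN_TTL : ttl);
        e->stale = 0;
        return 0;
    }
    e->expires = now + WL_GRACE_SECS;
    e->stale = 1;
    return -1;
}

static int wl_init(wl_entry *e, const char *name, wl_resolver resolve, time_t now) {
    memset(e, 0, sizeof *e);
    snprintf(e->name, sizeof e->name, "%s", name);
    return wl_refresh(e, resolve, now);
}

/* Return 1 if addr is covered by entry e, refreshing the mapping first if the
 * TTL (or the grace period after a failure) has run out. */
static int wl_match(wl_entry *e, struct in_addr addr, wl_resolver resolve, time_t now) {
    if (now >= e->expires)
        wl_refresh(e, resolve, now);
    for (int i = 0; i < e->naddrs; i++)
        if (e->addrs[i].s_addr == addr.s_addr)
            return 1;
    return 0;
}

/* Constructed stand-in resolver: one name, one address, TTL 300, plus a switch
 * to simulate a lookup failure. Not a real DNS client. */
static int fake_fail = 0;
static const char *fake_addr = "203.0.113.10";
static int fake_resolve(const char *name, struct in_addr *addrs, int *naddrs, unsigned *ttl) {
    (void)name;
    if (fake_fail || inet_pton(AF_INET, fake_addr, &addrs[0]) != 1)
        return -1;
    *naddrs = 1;
    *ttl = 300;
    return 0;
}

/* Walk the scenario from the message: cached answer inside the TTL, new address
 * picked up after expiry, stale answer kept when the refresh fails. Returns the
 * number of expectations met (5 when the policy behaves as described). */
static int wl_demo(void) {
    wl_entry e;
    struct in_addr old_ip, new_ip;
    time_t t0 = 1000000;
    int ok = 0;
    inet_pton(AF_INET, "203.0.113.10", &old_ip);
    inet_pton(AF_INET, "203.0.113.20", &new_ip);
    fake_fail = 0; fake_addr = "203.0.113.10";
    wl_init(&e, "home.example.net", fake_resolve, t0);
    ok += wl_match(&e, old_ip, fake_resolve, t0 + 10);     /* inside TTL: old address accepted */
    fake_addr = "203.0.113.20";                             /* the DNS record changes */
    ok += !wl_match(&e, new_ip, fake_resolve, t0 + 10);    /* still inside TTL: new address not yet known */
    ok += wl_match(&e, new_ip, fake_resolve, t0 + 301);    /* TTL expired: re-resolved, new address accepted */
    fake_fail = 1;
    ok += wl_match(&e, new_ip, fake_resolve, t0 + 700);    /* refresh fails: stale mapping still honoured */
    ok += (e.stale && e.expires == t0 + 700 + WL_GRACE_SECS); /* retry scheduled after the grace period */
    return ok;
}

int main(void) {
    printf("expectations met: %d of 5\n", wl_demo());
    return 0;
}
```

The "takes too long" case from the message is not modelled here; with the res_* functions it would be handled by setting _res.retrans/_res.retry before the query, or by running the refresh off the main loop so a slow authoritative server cannot stall attack processing.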