From: James H. <jam...@gm...> - 2016-01-24 21:59:12
It sounds like an interesting patch. Going by the TTL is a good hint for how long to track the resolution. I would also suggest parameters for minimum and maximum TTLs to honor. I use a dynamically updated name hosted at Google Domains. It uses a ridiculously short TTL. I could see others in a similar situation wanting to reduce DNS calls or avoid annoying a provider.

On Sun, Jan 24, 2016 at 9:40 AM, Don Coleman <do...@co...> wrote:
>
> sshguard (as of 1.6.2) operates internally on IP addresses. It maps
> hostnames to IP addresses only at startup time, and this is
> fundamentally flawed, as hostname-to-IP-address mappings change over
> time.
>
> I'm currently working around this by restarting it once a day. This is
> effective, but kludgy.
>
> I searched the archives for this list, and didn't see any mention of
> this issue, so I presume most people aren't concerned with whitelisting
> dynamic hostnames.
>
> sshguard uses getaddrinfo() to map hostnames to IP addresses. This is
> not the proper interface for long-running daemons to be using.
>
> It probably should be using the res_* functions. It should track the
> TTL of hostname mappings in its whitelist, and re-map them once the TTL
> expires. If the remap fails or takes too long, it should probably
> continue using the old value for a short additional time, say 5 to 10
> minutes, before trying again (as sshd is already mapping the name to IP
> address on each request, a valid mapping should already be in a nearby
> DNS cache).
>
> Any interest in this?
>
> Thanks,
> Don
>
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

--
James Harris
Software Engineer
jam...@gm...
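The refresh policy discussed in this thread (Don's TTL-driven re-resolution with a grace period on lookup failure, plus James's minimum/maximum TTL clamp) as an added worked example; this is illustration code written for this page, not sshguard's implementation. It assumes a pluggable `resolver(hostname)` callback returning `(addresses, ttl_seconds)` in place of real `res_*` calls, and the hostname, addresses and TTLs in `demo()` are constructed so the example runs offline with a fake clock.

```python
"""TTL-aware whitelist refresh for a long-running daemon.

Policy modelled on the thread: cache hostname -> addresses for the DNS TTL,
clamped to [min_ttl, max_ttl]; when a re-resolution fails or times out,
keep the stale answer and back off for a grace period before retrying.
"""
import ipaddress
import time
from dataclasses import dataclass


@dataclass
class Entry:
    hostname: str
    addresses: frozenset = frozenset()  # ip_address objects currently honoured
    expires_at: float = 0.0             # clock time when the mapping goes stale
    retry_at: float = 0.0               # earliest retry after a failed lookup


class DynamicWhitelist:
    # resolver: hostname -> (list_of_ip_strings, ttl_seconds); raises OSError on failure.
    # clock is injectable so the policy can be tested without sleeping.
    def __init__(self, resolver, min_ttl=60, max_ttl=3600, failure_grace=600,
                 clock=time.monotonic):
        self._resolve = resolver
        self.min_ttl = min_ttl
        self.max_ttl = max_ttl
        self.failure_grace = failure_grace
        self._clock = clock
        self._entries = {}

    def add(self, hostname):
        self._entries[hostname] = Entry(hostname)

    def _clamp(self, ttl):
        # Honour the provider's TTL only within configured bounds: a tiny TTL
        # must not turn into a query storm, a huge one must not pin a stale IP.
        return max(self.min_ttl, min(self.max_ttl, ttl))

    def refresh(self):
        now = self._clock()
        for e in self._entries.values():
            if now < e.expires_at or now < e.retry_at:
                continue  # still fresh, or backing off after a failure
            try:
                addrs, ttl = self._resolve(e.hostname)
                e.addresses = frozenset(ipaddress.ip_address(a) for a in addrs)
                e.expires_at = now + self._clamp(ttl)
                e.retry_at = 0.0
            except OSError:
                # Lookup failed or timed out: keep the old mapping for a
                # short grace period rather than dropping the whitelist entry.
                e.retry_at = now + self.failure_grace

    def is_whitelisted(self, ip):
        self.refresh()
        addr = ipaddress.ip_address(ip)
        return any(addr in e.addresses for e in self._entries.values())


class ScriptedResolver:
    """Constructed stand-in for DNS: answers served in order; None = failure."""
    def __init__(self, script):
        self.script = list(script)
        self.calls = 0

    def __call__(self, hostname):
        self.calls += 1
        answer = self.script.pop(0) if self.script else None
        if answer is None:
            raise OSError("resolution failed or timed out")
        return answer


class FakeClock:
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Walk the policy through a TTL change, a failure and a recovery."""
    clock = FakeClock()
    resolver = ScriptedResolver([
        (["203.0.113.10"], 5),      # provider hands out a 5 s TTL (clamped up to 60)
        (["203.0.113.11"], 5),      # address changed at the next refresh
        None,                       # then a lookup failure
        (["203.0.113.12"], 7200),   # recovery with a long TTL (clamped down to 3600)
    ])
    wl = DynamicWhitelist(resolver, min_ttl=60, max_ttl=3600,
                          failure_grace=300, clock=clock)
    wl.add("home.example.net")  # constructed hostname
    results = []
    results.append(wl.is_whitelisted("203.0.113.10"))  # t=0: first lookup
    clock.advance(30)
    results.append(wl.is_whitelisted("203.0.113.10"))  # t=30: within clamped TTL, no query
    clock.advance(31)
    results.append(wl.is_whitelisted("203.0.113.11"))  # t=61: re-resolved, new address
    results.append(wl.is_whitelisted("203.0.113.10"))  # old address no longer honoured
    clock.advance(60)
    results.append(wl.is_whitelisted("203.0.113.11"))  # t=121: lookup fails, stale kept
    clock.advance(100)
    results.append(wl.is_whitelisted("203.0.113.11"))  # t=221: still in grace, no query
    clock.advance(200)
    results.append(wl.is_whitelisted("203.0.113.12"))  # t=421: retried, recovered
    return results, resolver.calls, wl._entries["home.example.net"].expires_at


if __name__ == "__main__":
    print(demo())
```

The clamp is what keeps a provider-issued TTL of a few seconds from turning every sshd connection into a DNS query, while the grace period keeps an intermittent resolver outage from silently dropping the operator's own address out of the whitelist.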