From: Kevin Z. <kev...@gm...> - 2016-01-26 00:33:50
On 01/24/2016 09:40, Don Coleman wrote:
> sshguard (as of 1.6.2) operates internally on IP addresses. It maps
> hostnames to IP addresses only at startup time, and this is
> fundamentally flawed, as hostname-to-IP-address mappings change over time.

The whitelisting feature itself might be fundamentally flawed. I believe the original intent was to prevent self-lockouts. However, SSHGuard is designed to mitigate brute-force attacks, so if SSHGuard was designed perfectly (which it isn't) and you aren't brute-forcing yourself, then you shouldn't need whitelisting.

If you want to prevent self-lockouts, the best thing to do is add a firewall rule that unconditionally allows your traffic. But if you can do that, why not deny all traffic except for your own?

If you use blacklisting, whitelisting is potentially useful. Otherwise, SSHGuard will always unblock your address after a certain amount of time. It shouldn't be too long, since you're not brute-forcing yourself.

I'd like to hear more from people who use some combination of whitelisting and blacklisting: what do you use it for? I (personally) don't use either and find it difficult to justify a correct but somewhat complex feature such as keeping hostnames updated.

(I believe ntimed has a good solution for the "hostnames changing from underneath you" issue. It was designed for addresses that come and go, such as pool.ntp.org, but sounds like it could be used here.)

Best,
Kevin

-- 
Kevin Zheng
kev...@gm... | ke...@kd... | PGP: 0xC22E1090
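The startup-only hostname snapshot that Don describes, and one way a whitelist could avoid it, shown as an added example that is not part of this thread and not sshguard's code. The `Whitelist` class, the injected `resolver` callback and the sample hostname `admin.example.net` with its two addresses are all constructed for the illustration; a real deployment would hand in a wrapper around `socket.getaddrinfo()` instead of the fake DNS table. Addresses and CIDR blocks are parsed once; hostnames are kept as hostnames and re-resolved once their cached answer is older than a TTL, so an address change is picked up instead of being frozen at startup.

```python
"""Hostname-aware whitelist: an added illustration, not sshguard's own code."""
import ipaddress
import time
from typing import Callable, Dict, List, Tuple

# Resolver signature: hostname -> list of address strings.  Injected so the
# example runs offline; production code would wrap socket.getaddrinfo().
Resolver = Callable[[str], List[str]]


class Whitelist:
    """Entries may be single addresses, CIDR blocks, or hostnames.

    Hostnames are re-resolved whenever their cached answer is older than
    `ttl` seconds.  Resolution at check time (with a cache) is what keeps
    the whitelist correct when DNS changes underneath the daemon.
    """

    def __init__(self, entries: List[str], resolver: Resolver,
                 ttl: float = 300.0, clock: Callable[[], float] = time.time):
        self._networks = []
        # hostname -> (time resolved, list of /32 or /128 networks)
        self._hosts: Dict[str, Tuple[float, list]] = {}
        self._resolver = resolver
        self._ttl = ttl
        self._clock = clock
        for entry in entries:
            try:
                self._networks.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                # Not an address or block: treat as a hostname, never resolved yet.
                self._hosts[entry] = (float("-inf"), [])

    def _refresh(self, hostname: str) -> None:
        now = self._clock()
        resolved_at, _ = self._hosts[hostname]
        if now - resolved_at < self._ttl:
            return  # cached answer still fresh
        try:
            addrs = self._resolver(hostname)
        except OSError:
            # Lookup failed: keep the previous answer rather than dropping the
            # entry (possible admin lockout) or matching everything.
            return
        self._hosts[hostname] = (now, [ipaddress.ip_network(a) for a in addrs])

    def contains(self, address: str) -> bool:
        """True if `address` matches a static entry or a (freshly resolved) hostname."""
        addr = ipaddress.ip_address(address)
        if any(addr in net for net in self._networks):
            return True
        for hostname in self._hosts:
            self._refresh(hostname)
            if any(addr in net for net in self._hosts[hostname][1]):
                return True
        return False


def demo() -> dict:
    """Walk through a DNS change: cached answer goes stale, then refreshes."""
    dns = {"admin.example.net": ["203.0.113.10"]}  # constructed sample DNS table
    fake_clock = [0.0]                               # controllable time source

    def resolver(name: str) -> List[str]:
        return dns[name]

    wl = Whitelist(["10.0.0.0/8", "admin.example.net"], resolver,
                   ttl=60.0, clock=lambda: fake_clock[0])
    before = wl.contains("203.0.113.10")      # first lookup resolves the hostname

    # The admin's address changes (new lease, new ISP) and DNS is updated.
    dns["admin.example.net"] = ["198.51.100.7"]
    stale = wl.contains("198.51.100.7")       # within TTL: old answer, no match
    fake_clock[0] = 120.0                     # TTL elapsed
    refreshed = wl.contains("198.51.100.7")   # re-resolved: new address matches
    old_after = wl.contains("203.0.113.10")   # old address no longer whitelisted

    return {"before": before, "stale": stale, "refreshed": refreshed,
            "old_after": old_after, "cidr": wl.contains("10.1.2.3")}


if __name__ == "__main__":
    print(demo())
```

The stale window between the DNS change and the next refresh is the same failure Don describes, only bounded by the TTL instead of by the daemon's uptime; a resolve-on-startup design is this class with an infinite TTL.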