vetinari / pam_geoip

pam_geoip - GeoIP account management module for (Linux-)PAM

Feature request: allow entering ip addresses in /etc/security/geoip.conf. #3

Open oppsig opened 3 years ago

oppsig commented 3 years ago

Would it be possible to allow entering IPs in /etc/security/geoip.conf? For example, running a wireguard server on an interface with IP address 10.10.10.2, then connecting over ssh via the tunnel from IP address 10.10.10.1. When I connect it sets 10.10.10.1 to UNKNOWN and the connection is rejected.

I guess I could enter that ip into the db DAT file and add a country to it but that file is managed by the repository, and I can't load an additional db file right?

Here is an example of what I was thinking.


#<domain>   <service>   <action>    <location>
user1       sshd        allow       US
user2       sshd        allow       US
user3       sshd        allow       10.10.10.1
*           sshd        deny        *
*           *           ignore      UNKNOWN
*           *           allow       *

Thanks.

oppsig commented 3 years ago

Ok, so I did manage to find a workaround. I'll just post it here in case someone finds it useful.

I changed /etc/security/geoip.conf like this:

user3 sshd allow *

Then appended this to the sshd config:

AllowUsers user3@10.10.10.1 user1 user2

I guess this way it won't do geo filtering for the user3 user, but I will still be able to control which connections make it through with sshd.

amishmm commented 3 years ago

Why not use pam_access (in addition to pam_geoip)?

Read:

man access.conf
man pam_access

This is how PAM works, it's modular. You just add a module in the PAM service file and it does its magic.

And then pam_geoip does the geolocation check and pam_access does the IP checks, avoiding code duplication in two modules.

Your geoip.conf file will have (just like you said):

user3 sshd allow *

Your access.conf will have:

+:user3:10.10.10.1
-:user3:ALL

oppsig commented 3 years ago

Hmm, I actually tried that earlier but didn't get it to work. Added +:user3:10.10.10.1, but didn't add the -:user3:ALL, and didn't have any AllowedUsers entry. But I will try again later and report back, might have had a typo or something. Thanks for the tip! @amishmm 😊

oppsig commented 3 years ago

@amishmm ok, I didn't have "account required pam_access.so" uncommented in /etc/pam.d/sshd, so that's probably why it didn't work. Just wondering, does it give any benefit to have pam_access.so manage this instead of /etc/ssh/sshd_config with AllowedUsers?

amishmm commented 3 years ago

In my case, instead of putting pam_access.so in /etc/pam.d/sshd, I have put it in top level pam file (like system-remote-login).

So then the same policy applies not just to sshd but also to services like dovecot, httpd, ftpd, i.e. I don't have to configure each service. So that's the benefit of using PAM instead of sshd_config.

oppsig commented 3 years ago

@amishmm oh, excellent. Thanks!