From 46f92f6bb65ffe8d8f3e75a714f04bd98ddbcd95 Mon Sep 17 00:00:00 2001
From: Michael Neumann
Date: Tue, 13 Jan 2015 22:15:28 +0100
Subject: [PATCH] sshlockout - Handle IPv6 and don't block localhost
---
 usr.sbin/sshlockout/sshlockout.8 | 1 -
 usr.sbin/sshlockout/sshlockout.c | 23 ++++++++++++++++++++++-
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/usr.sbin/sshlockout/sshlockout.8 b/usr.sbin/sshlockout/sshlockout.8
index 0d33befbd0..ac42f72533 100644
--- a/usr.sbin/sshlockout/sshlockout.8
+++ b/usr.sbin/sshlockout/sshlockout.8
@@ -70,7 +70,6 @@ This program generally limits brute-force attempts to break into a machine via ssh.
 .Sh NOTICE
 This program is still a work in progress.
-Currently this program only operates on IPV4 addresses.
 .Sh SEE ALSO
 .Xr ssh 1 ,
 .Xr sshd 8 ,
diff --git a/usr.sbin/sshlockout/sshlockout.c b/usr.sbin/sshlockout/sshlockout.c
index ccd8082279..a613a053e2 100644
--- a/usr.sbin/sshlockout/sshlockout.c
+++ b/usr.sbin/sshlockout/sshlockout.c
@@ -53,6 +53,7 @@
 #include
 #include
 #include
+#include
 typedef struct iphist {
 struct iphist *next;
@@ -154,7 +155,27 @@ checkip(const char *str, const char *reason1, const char *reason2) {
 if (sscanf(str, "%d.%d.%d.%d", &n1, &n2, &n3, &n4) == 4) {
 snprintf(ips, sizeof(ips), "%d.%d.%d.%d", n1, n2, n3, n4);
 }
- // TODO: Check for IPv6 address
+ else {
+ /*
+ * Check for IPv6 address (primitive way)
+ */
+ int cnt = 0;
+ while (str[cnt] == ':' || isxdigit(str[cnt])) {
+ ++cnt;
+ }
+ if (cnt > 0 && cnt < (int)sizeof(ips)) {
+ memcpy(ips, str, cnt);
+ ips[cnt] = '\0';
+ }
+ }
+
+ /*
+ * We do not block localhost as is makes no sense.
+ */
+ if (strcmp(ips, "127.0.0.1") == 0)
+ return;
+ if (strcmp(ips, "::1") == 0)
+ return;
 if (strlen(ips) > 0) {
-- 
2.41.0
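Review bot: The new IPv6 branch in checkip() treats any leading run of hex digits and colons as an address, so text that merely begins with hex characters is copied into `ips` without ever being checked as a real address. `isxdigit(str[cnt])` is also passed a plain `char`, which is undefined for negative values, and `str` presumably comes from a log line that can carry remote input. The loopback exemption is a string comparison, so an equivalent spelling such as `0:0:0:0:0:0:0:1`, or any other 127/8 address, is not exempted. I would cast to `unsigned char`, validate the copied text with `inet_pton()` and test the parsed address with `IN6_IS_ADDR_LOOPBACK()`, which needs `<arpa/inet.h>` and `<netinet/in.h>` if the file does not already include them. checkip() begins and ends outside the hunk, so what is later done with `ips` is not visible here.

```c
	else {
		/*
		 * Check for IPv6 address: copy the leading run of hex
		 * digits and colons, then let inet_pton() decide.
		 */
		struct in6_addr a6;
		size_t cnt = 0;

		while (str[cnt] == ':' || isxdigit((unsigned char)str[cnt]))
			++cnt;
		if (cnt > 0 && cnt < sizeof(ips)) {
			memcpy(ips, str, cnt);
			ips[cnt] = '\0';
			if (inet_pton(AF_INET6, ips, &a6) != 1)
				ips[0] = '\0';	/* not an address: nothing to block */
			else if (IN6_IS_ADDR_LOOPBACK(&a6))
				return;
		}
	}
	/* ... unchanged: textual 127.0.0.1 / ::1 checks ... */
```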