IP Based Authenticator


JASon

Jul 24, 2009, 10:39:03 AM
to rpyc
I'm looking at deploying RPyC onto a mix of Win and Linux servers at
work, and we are obviously trying to be security conscious. We really
like the ability to do authentication-based TLS/SSL encrypted
connections. However, we're wondering if it's possible (read: has
anyone done it, and would be willing to help me out) to add a specific
list of IP addresses that the server service will only accept
connections from. Basically it's a second layer of security; first
layer is a valid username/password combination, second layer is the
connection being initiated from a computer with a valid IP.

Felipe Reyes

Jul 24, 2009, 12:00:04 PM
to rp...@googlegroups.com
On Fri, 24-07-2009 at 07:39 -0700, JASon wrote:
> However, we're wondering if it's possible (read: has
> anyone done it, and would be willing to help me out) to add a specific
> list of IP addresses that the server service will only accept
> connections from.

What about a set of rules in the firewall? That would probably have
better performance, especially if somebody tries a DoS attack or brute
force.

Regards,
--
Felipe Reyes Astorga
counter.li.org #316380

tomer filiba

Jul 24, 2009, 5:46:11 PM
to rp...@googlegroups.com
well, for once, i'm against paranoia. unless your rpyc servers are open to the internet, i don't see why you would want to go filtering specific ips -- either you trust your network, i.e., behind a DMZ/FW, etc., or you don't. then again, if your place uses NFS (which authenticates based on the client's uid) or windows, chances are you're compromised already :)

anyway, that's none of my business, so here's a sketch:

from rpyc.utils.authenticators import AuthenticationError

allowed_ips = {"10.0.0.5", "10.0.0.6"}   # example values; list the hosts you trust

def ip_authenticator(sock):
    ip, port = sock.getpeername()        # (host, port) for an IPv4 socket
    if ip not in allowed_ips:
        raise AuthenticationError("peer %s is not in the allowed list" % ip)
    return sock                          # the chained VDB authenticator supplies the final (sock, credentials)

you'll need to chain it with the VDB authenticator, but that's trivial.

hope it helps,
-tomer


An NCO and a Gentleman
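The chaining that the sketch above leaves to the reader, written out as an added example (not code from this thread or from the RPyC project). It assumes the RPyC convention that an authenticator is a callable taking the raw socket and returning (sock, credentials), uses a local stand-in for AuthenticationError and a constructed FakeSocket so it runs without RPyC installed, and generalises the allow-list to accept CIDR networks and IPv6 peers as well as single hosts:

```python
import ipaddress

# Stand-in for rpyc.utils.authenticators.AuthenticationError so this runs
# offline; in a real server import the RPyC class instead.
class AuthenticationError(Exception):
    pass

class IPAllowListAuthenticator:
    """Reject peers outside an allow-list, then delegate to an inner
    authenticator (e.g. RPyC's VDB/SSL one) which does the real check."""

    def __init__(self, allowed, inner=None):
        # single hosts ("10.0.0.5") and networks ("10.0.1.0/24") both accepted
        self.allowed = [ipaddress.ip_network(a, strict=False) for a in allowed]
        self.inner = inner

    def __call__(self, sock):
        # getpeername() is a 2-tuple for IPv4 and a 4-tuple for IPv6;
        # the host is always the first element
        host = sock.getpeername()[0]
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            raise AuthenticationError("unparseable peer address %r" % host)
        if not any(addr in net for net in self.allowed):
            raise AuthenticationError("peer %s not in allow-list" % addr)
        if self.inner is None:
            return sock, None
        return self.inner(sock)   # inner authenticator returns (sock, creds)

class FakeSocket:
    """Constructed stand-in exposing only the method the authenticator uses."""
    def __init__(self, peer):
        self._peer = peer
    def getpeername(self):
        return self._peer

def check(peer, allowed=("10.0.0.5", "10.0.1.0/24", "::1")):
    """True if the peer passes both layers, False if it is rejected."""
    auth = IPAllowListAuthenticator(allowed, inner=lambda s: (s, "vdb-ok"))
    try:
        sock, creds = auth(FakeSocket(peer))
        return creds == "vdb-ok"
    except AuthenticationError:
        return False

if __name__ == "__main__":
    print(check(("10.0.0.5", 40000)))      # True
    print(check(("10.0.1.77", 40000)))     # True, inside the /24
    print(check(("192.168.9.9", 40000)))   # False
```

The IP layer runs before the TLS/password layer, so it cheaply drops unknown peers; it is only a coarse filter, since a source address says nothing about who is behind a NAT or proxy, which is why the firewall suggestion earlier in the thread remains the stronger place for it.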