Date:      Mon, 6 Feb 2006 11:18:16 -0600
From:      Noel Jones <noeldude@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: sshd possible breakin attempt messages
Message-ID:  <cce506b0602060918n2d63e08cq1b23ea4b7e5a602b@mail.gmail.com>
In-Reply-To: <20060206162304.GA83056@gilmer.org>
References:  <20060206162304.GA83056@gilmer.org>

On 2/6/06, Brad Gilmer <bgilmer@gilmer.org> wrote:
> Hello all,
>
> I guess one of the banes of our existence as Sys Admins is that people are always pounding away at our systems trying to break in.  Lately, I have been getting hit with several hundred of the messages below per day in my security report output...
>
> gilmer.org login failures:
> Feb  5 11:18:17 gilmer sshd[78078]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
> Feb  5 11:18:18 gilmer sshd[78080]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
> Feb  5 11:18:20 gilmer sshd[78082]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
>
> I am running FreeBSD 5.4 RELEASE, and right now this box is not a production machine, but I am going to be taking it live fairly soon.  Questions:
>
> 1)  Is there anything I should be doing to thwart this particular attack?

The POSSIBLE BREAKIN ATTEMPT message is caused by a failed reverse DNS
lookup, and will happen with legit logins too if you have no reverse
DNS.  You can silence this particular message by adding to your
/etc/ssh/sshd_config:
UseDNS no

To prevent attackers from hammering away at your server, try
ports/security/bruteforceblocker
Bruteforceblocker by default adds an abusive IP to a pf firewall
blacklist, but can be very easily modified for IPFW or adding a null
route.

> 2)  Given that I am on 5.4, should I upgrade my sshd or do anything else at this point to make sure my machine is as secure as possible?

Just keep up with the version 5 security patches.

> 3)  (Meta-question) - Should I upgrade to 6.0 before I go live to be sure I am in the best possible security situation going forward?  Should I wait until 6.1 for bug fixes (generally I am opposed to n.0 anything).

Your call.  Base your decision on what features you need.

--
Noel Jones
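Editor's added example, not part of the thread and not the bruteforceblocker port's own code: the reply above makes two points, that the "reverse mapping ... POSSIBLE BREAKIN ATTEMPT" line is only a DNS warning (it carries no source address, and appears for legitimate logins from hosts without reverse DNS), and that real hammering should be counted and blocked at the firewall. The script below separates the two in a constructed auth.log excerpt (the log lines are made up for this example, modelled on OpenSSH's syslog messages), counts "Failed password" lines per source IP, and emits pfctl commands for any address over a threshold. The threshold, the pf table name `bruteforce` and the sample addresses are assumptions.

```python
"""Count sshd authentication failures per source IP and emit pf table commands.

Added example: not from the original post and not the code of
ports/security/bruteforceblocker. Regexes follow OpenSSH syslog formats;
the threshold, table name and sample log lines are assumptions.
"""
import re
from collections import Counter

# Constructed sample auth.log excerpt (not real traffic). The "reverse mapping"
# lines carry no IP and are only a DNS warning; the "Failed password" lines are
# the actual authentication failures. The last two lines show a legitimate
# public-key login from a host with no reverse DNS, which also triggers the warning.
SAMPLE_LOG = """\
Feb  5 11:18:17 gilmer sshd[78078]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb  5 11:18:17 gilmer sshd[78078]: Failed password for invalid user admin from 206.171.37.232 port 41822 ssh2
Feb  5 11:18:18 gilmer sshd[78080]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb  5 11:18:18 gilmer sshd[78080]: Failed password for invalid user test from 206.171.37.232 port 41830 ssh2
Feb  5 11:18:20 gilmer sshd[78082]: reverse mapping checking getaddrinfo for 206-171-37-232.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb  5 11:18:20 gilmer sshd[78082]: Failed password for root from 206.171.37.232 port 41841 ssh2
Feb  5 11:18:22 gilmer sshd[78084]: Failed password for root from 206.171.37.232 port 41850 ssh2
Feb  5 11:30:02 gilmer sshd[78101]: Failed password for bgilmer from 10.0.0.5 port 50122 ssh2
Feb  5 11:30:09 gilmer sshd[78103]: reverse mapping checking getaddrinfo for dsl-dynamic.example.net failed - POSSIBLE BREAKIN ATTEMPT!
Feb  5 11:30:09 gilmer sshd[78103]: Accepted publickey for bgilmer from 192.0.2.44 port 50130 ssh2
"""

# "Failed password for invalid user X from A.B.C.D port N ssh2" and variants.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey|keyboard-interactive\S*) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9.]+|[0-9a-fA-F:]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)
REVERSE_RE = re.compile(
    r"reverse mapping checking getaddrinfo for (?P<host>\S+) failed"
)


def classify(line):
    """Return (kind, ip_or_host) for one syslog line, or (None, None)."""
    m = FAILED_RE.search(line)
    if m:
        return "failed", m.group("ip")
    m = ACCEPTED_RE.search(line)
    if m:
        return "accepted", m.group("ip")
    m = REVERSE_RE.search(line)
    if m:
        # DNS warning only: no source address and no evidence of an attack.
        return "reverse_dns_warning", m.group("host")
    return None, None


def failures_per_ip(log_text):
    """Counter of failed logins keyed by source IP; DNS warnings are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        kind, who = classify(line)
        if kind == "failed":
            counts[who] += 1
    return counts


def offenders(log_text, threshold=3):
    """IPs whose failed-login count reaches the threshold, most failures first."""
    hits = [(ip, n) for ip, n in failures_per_ip(log_text).items() if n >= threshold]
    return [ip for ip, _ in sorted(hits, key=lambda t: (-t[1], t[0]))]


def pfctl_commands(ips, table="bruteforce"):
    """pfctl invocations adding each IP to a pf table (assumed name 'bruteforce')."""
    return ["pfctl -t %s -T add %s" % (table, ip) for ip in ips]


if __name__ == "__main__":
    warnings = sum(1 for l in SAMPLE_LOG.splitlines()
                   if classify(l)[0] == "reverse_dns_warning")
    print("reverse-DNS warnings (not counted as attacks):", warnings)
    for cmd in pfctl_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

For the pfctl commands to have any effect, pf.conf needs the table declared and a rule using it, e.g. `table <bruteforce> persist` and `block in quick from <bruteforce>`. Two caveats that follow from the reply's advice: a real blocker should expire entries (bruteforceblocker's pf table entries can be aged out with `pfctl -t bruteforce -T expire <seconds>`), and `UseDNS no` also means sshd no longer resolves client hostnames, so any hostname-based `from="..."` restrictions in authorized_keys stop matching and must be rewritten with IP addresses.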



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?cce506b0602060918n2d63e08cq1b23ea4b7e5a602b>