From owner-freebsd-security@freebsd.org Wed Jul 18 20:07:30 2018
From: Grzegorz Junka
To: freebsd-security@freebsd.org
Subject: Possible break-in attempt?
Message-ID: <594ba84b-0691-8471-4bd4-076d0ae3da98@gjunka.com>
Date: Wed, 18 Jul 2018 20:07:15 +0000

Sometimes I am receiving messages like this from my server:

nas.myserver.mydomain.com login failures:
Jul 17 08:35:02 nas sshd[5994]: reverse mapping checking getaddrinfo for 162.132-254-62.static.virginmediabusiness.co.uk [62.254.132.162] failed - POSSIBLE BREAK-IN ATTEMPT!

On different days they are from different IPs and they would be mapped to different reverse DNS names. How to deal with those messages/attempts?

GrzegorzJ

From owner-freebsd-security@freebsd.org Wed Jul 18 20:13:35 2018
From: Patrick Proniewski
To: Grzegorz Junka
Cc: freebsd-security@freebsd.org
Subject: Re: Possible break-in attempt?
In-Reply-To: <594ba84b-0691-8471-4bd4-076d0ae3da98@gjunka.com>
Message-Id: <368EABCF-A10A-49E9-9473-7753F6BEAA50@patpro.net>
Date: Wed, 18 Jul 2018 22:13:22 +0200

Hi,

You can ignore them totally (you should), and if you can't, make sure you limit the possibility of a brute force attack on your sshd:
- configure a firewall to stop them
- and/or activate blacklistd on sshd
- and/or change the listening port of sshd

I get thousands of these every day; they won't kill you and are not worth losing your time over.

> On 18 Jul 2018, at 22:07, Grzegorz Junka wrote:
>
> Sometimes I am receiving messages like this from my server:
>
> nas.myserver.mydomain.com login failures:
> Jul 17 08:35:02 nas sshd[5994]: reverse mapping checking getaddrinfo for 162.132-254-62.static.virginmediabusiness.co.uk [62.254.132.162] failed - POSSIBLE BREAK-IN ATTEMPT!
>
> On different days they are from different IPs and they would be mapped to different reverse DNS names. How to deal with those messages/attempts?
>
> GrzegorzJ
From owner-freebsd-security@freebsd.org Wed Jul 18 20:22:25 2018
From: "Simon J. Gerraty"
To: Patrick Proniewski
Cc: Grzegorz Junka
Subject: Re: Possible break-in attempt?
In-Reply-To: <368EABCF-A10A-49E9-9473-7753F6BEAA50@patpro.net>
Message-ID: <37044.1531945292@kaos.jnpr.net>
Date: Wed, 18 Jul 2018 13:21:32 -0700

> - and/or change listening port of sshd

Yes, I used to get lots of probes to sshd from China etc. some years ago; I moved inbound to a high numbered port... no more noise.
From owner-freebsd-security@freebsd.org Wed Jul 18 20:25:45 2018
From: Grzegorz Junka
To: Patrick Proniewski
Cc: freebsd-security@freebsd.org
Subject: Re: Possible break-in attempt?
In-Reply-To: <368EABCF-A10A-49E9-9473-7753F6BEAA50@patpro.net>
Date: Wed, 18 Jul 2018 20:25:37 +0000

Thank you Patrick.

I don't receive that many of them. Maybe a dozen or so since I set up my server, which was a few years ago. Mostly with the same IP, but sometimes a different IP as well. And all those I've received so far were in the last few months.

They surprise me because on the firewall the sshd is forwarded from a non-standard port (i.e. port 22 isn't open).

I am interested in what security precaution FreeBSD is trying to take here. Is the sshd server receiving an ssh login request from an IP that can't be resolved back to a domain in the reverse DNS (PTR) record for that IP?

On 18/07/2018 20:13, Patrick Proniewski wrote:
> Hi,
>
> You can ignore them totally (you should), and if you can't, make sure you limit the possibility of a brute force attack on your sshd:
> - configure a firewall to stop them
> - and/or activate blacklistd on sshd
> - and/or change the listening port of sshd
>
> I get thousands of these every day; they won't kill you and are not worth losing your time over.
>
>> On 18 Jul 2018, at 22:07, Grzegorz Junka wrote:
>>
>> Sometimes I am receiving messages like this from my server:
>>
>> nas.myserver.mydomain.com login failures:
>> Jul 17 08:35:02 nas sshd[5994]: reverse mapping checking getaddrinfo for 162.132-254-62.static.virginmediabusiness.co.uk [62.254.132.162] failed - POSSIBLE BREAK-IN ATTEMPT!
>>
>> On different days they are from different IPs and they would be mapped to different reverse DNS names. How to deal with those messages/attempts?
>> GrzegorzJ

From owner-freebsd-security@freebsd.org Wed Jul 18 20:47:43 2018
From: Dimitry Andric
To: Grzegorz Junka
Cc: Patrick Proniewski, freebsd-security@freebsd.org
Subject: Re: Possible break-in attempt?
Message-Id: <8EDDBDB2-77F5-4CF5-8744-41BEA187C08A@FreeBSD.org>
Date: Wed, 18 Jul 2018 22:47:30 +0200

On 18 Jul 2018, at 22:25, Grzegorz Junka wrote:
>
> Thank you Patrick. I don't receive that many of them. Maybe a dozen or so since I set up my server, which was a few years ago. Mostly with the same IP, but sometimes a different IP as well. And all those I've received so far were in the last few months.
>
> They surprise me because on the firewall the sshd is forwarded from a non-standard port (i.e. port 22 isn't open).
>
> I am interested in what security precaution FreeBSD is trying to take here. Is the sshd server receiving an ssh login request from an IP that can't be resolved back to a domain in the reverse DNS (PTR) record for that IP?

This is not specifically a FreeBSD precaution, but an upstream OpenSSH feature. OpenSSH supports hostname-based matching rules; see the "Match" keyword in sshd_config(5). For each incoming IP address, sshd does a reverse lookup, and if that results in a hostname, it does another lookup of that hostname, to see if *that* result matches the original incoming IP address. If it does not, you get this scary warning in syslog about a "possible break-in attempt!".

In my opinion, this is fairly misleading, since almost always the actual cause is badly configured DNS, a very common occurrence. In addition, matching forward and reverse DNS records is no guarantee at all that the incoming IP address is in any way trustworthy.

If you don't use hostname-based matching rules, and don't use "from" directives with hostnames in your authorized_keys files, you can disable the DNS lookups (and the warnings too) by setting "UseDNS no" in your sshd_config file. This is usually one of the first settings I change on any server I configure. :)

-Dimitry
From owner-freebsd-security@freebsd.org Wed Jul 18 20:58:38 2018
From: Patrick Proniewski
To: Grzegorz Junka
Cc: freebsd-security@freebsd.org
Subject: Re: Possible break-in attempt?
Message-Id: <4DFA0BF5-1CF0-4100-9743-E011E5097B7E@patpro.net>
Date: Wed, 18 Jul 2018 22:58:35 +0200

On 18 Jul 2018, at 22:25, Grzegorz Junka wrote:
>
> I am interested in what security precaution FreeBSD is trying to take here. Is the sshd server receiving an ssh login request from an IP that can't be resolved back to a domain in the reverse DNS (PTR) record for that IP?

This is quite usual with some ISPs:

$ host 62.254.132.162
162.132.254.62.in-addr.arpa domain name pointer 162.132-254-62.static.virginmediabusiness.co.uk.
$ host 162.132-254-62.static.virginmediabusiness.co.uk
Host 162.132-254-62.static.virginmediabusiness.co.uk not found: 3(NXDOMAIN)

It's not a feature of FreeBSD, it's a feature of OpenSSH. From man sshd_config:

     UseDNS  Specifies whether sshd(8) should look up the remote host name, and
             to check that the resolved host name for the remote IP address
             maps back to the very same IP address.  If this option is set to
             “no”, then only addresses and not host names may be used in
             ~/.ssh/known_hosts from and sshd_config Match Host directives.
             The default is “yes”.

Patrick
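The reverse-then-forward lookup that Dimitry describes, and that Patrick's host output shows failing, as an added example (not OpenSSH code and not written by anyone in the thread): it parses the sshd warning line quoted above and re-runs the check against an injectable resolver, so it runs offline. The PTR_RECORDS and A_RECORDS zone data and the 192.0.2.x addresses are constructed; the live_ptr/live_addr helpers that use the system resolver are assumptions about how one would run the same check for real.

```python
import re
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# The sshd warning quoted in the thread: emitted when the forward lookup of the PTR
# name fails.  sshd words the "does not map back" case differently; not parsed here.
BREAKIN_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: reverse mapping checking getaddrinfo for "
    r"(?P<claimed>\S+) \[(?P<ip>[0-9A-Fa-f.:]+)\] failed - POSSIBLE BREAK-IN ATTEMPT!"
)

@dataclass
class FcrdnsResult:
    ip: str
    ptr_name: Optional[str]     # name from the reverse (PTR) lookup, None if absent
    forward_addrs: List[str]    # addresses that name resolves back to
    verdict: str                # "no-ptr", "nxdomain", "mismatch" or "confirmed"

    @property
    def sshd_would_warn(self) -> bool:
        # No PTR at all is silent; sshd warns only when a PTR name exists and
        # does not map back (forward lookup fails or omits the client address).
        return self.verdict in ("nxdomain", "mismatch")

def fcrdns_check(ip: str, ptr_lookup: Callable[[str], Optional[str]],
                 addr_lookup: Callable[[str], List[str]]) -> FcrdnsResult:
    """Reverse lookup, forward lookup of the result, then compare (what UseDNS yes does)."""
    name = ptr_lookup(ip)
    if name is None:
        return FcrdnsResult(ip, None, [], "no-ptr")
    addrs = addr_lookup(name)
    if not addrs:
        return FcrdnsResult(ip, name, [], "nxdomain")    # Patrick's host output case
    if ip in addrs:
        return FcrdnsResult(ip, name, addrs, "confirmed")
    return FcrdnsResult(ip, name, addrs, "mismatch")

def parse_breakin_line(line: str) -> Optional[Dict[str, object]]:
    """Pull pid, claimed PTR name and client IP out of the warning; None for other lines."""
    m = BREAKIN_RE.search(line)
    if m is None:
        return None
    return {"pid": int(m.group("pid")), "claimed": m.group("claimed"), "ip": m.group("ip")}

# Constructed zone data.  The first PTR mirrors Patrick's host output (reverse name
# exists, forward lookup is NXDOMAIN); the 192.0.2.x (RFC 5737) entries add contrast.
PTR_RECORDS: Dict[str, str] = {
    "62.254.132.162": "162.132-254-62.static.virginmediabusiness.co.uk",
    "192.0.2.10": "good.example.net",    # maps back: the case sshd accepts quietly
    "192.0.2.20": "other.example.net",   # forward answer is a different address
}
A_RECORDS: Dict[str, List[str]] = {
    "good.example.net": ["192.0.2.10"],
    "other.example.net": ["192.0.2.99"],
    # deliberately no entry for the virginmediabusiness name -> NXDOMAIN
}

def offline_ptr(ip: str) -> Optional[str]:
    return PTR_RECORDS.get(ip)

def offline_addr(name: str) -> List[str]:
    return A_RECORDS.get(name, [])

def live_ptr(ip: str) -> Optional[str]:
    """Same check against the system resolver (needs network; unused by the offline run)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def live_addr(name: str) -> List[str]:
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def classify_log(lines: List[str], ptr_lookup=offline_ptr, addr_lookup=offline_addr):
    """Re-run the FCrDNS check for each warning line -> [(ip, claimed name, verdict)]."""
    results = []
    for line in lines:
        parsed = parse_breakin_line(line)
        if parsed is None:
            continue
        r = fcrdns_check(parsed["ip"], ptr_lookup, addr_lookup)
        results.append((parsed["ip"], parsed["claimed"], r.verdict))
    return results

# Constructed sample log: the line quoted in the thread plus one unrelated sshd line.
SAMPLE_LOG = [
    "Jul 17 08:35:02 nas sshd[5994]: reverse mapping checking getaddrinfo for "
    "162.132-254-62.static.virginmediabusiness.co.uk [62.254.132.162] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Jul 17 08:35:05 nas sshd[5994]: Connection closed by 62.254.132.162 port 51122 [preauth]",
]

if __name__ == "__main__":
    for ip, claimed, verdict in classify_log(SAMPLE_LOG):
        print(f"{ip} -> PTR {claimed}: {verdict}")
```

Passing live_ptr and live_addr to classify_log runs the same classification against real DNS for lines pulled from the daily security mail.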
From owner-freebsd-security@freebsd.org Wed Jul 18 21:47:09 2018
From: Grzegorz Junka
To: freebsd-security@freebsd.org
Subject: Re: Possible break-in attempt?
In-Reply-To: <8EDDBDB2-77F5-4CF5-8744-41BEA187C08A@FreeBSD.org>
Date: Wed, 18 Jul 2018 21:47:01 +0000

Thank you Patrick, Simon and Dimitry for the quick follow-up and the explanation.

Is it possible to figure out which parts of the security run output emails are produced by which tools (I assume that each part is a separate check)? It could be useful to know when checking other messages in that email. Is there some kind of email template or script that generates these emails?

GrzegorzJ
X-Google-Smtp-Source: AAOMgpdNO1cLeydkg822Af/bwnHrjeWMcdyQuOhlW8yNlZw5OfeZbeyfDH9reE5lBNASUO0bUi/+DQ== X-Received: by 2002:a24:4118:: with SMTP id x24-v6mr3981699ita.71.1531957306014; Wed, 18 Jul 2018 16:41:46 -0700 (PDT) Received: from ?IPv6:2600:1008:b16c:2f78:483b:e2e6:ad5:d772? ([2600:1008:b16c:2f78:483b:e2e6:ad5:d772]) by smtp.gmail.com with ESMTPSA id x67-v6sm2112926ita.11.2018.07.18.16.41.44 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 18 Jul 2018 16:41:44 -0700 (PDT) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (1.0) Subject: Re: Possible break-in attempt? From: Jason Hellenthal X-Mailer: iPhone Mail (15G5077a) In-Reply-To: Date: Wed, 18 Jul 2018 18:41:43 -0500 Cc: freebsd-security@freebsd.org Content-Transfer-Encoding: quoted-printable Message-Id: References: <594ba84b-0691-8471-4bd4-076d0ae3da98@gjunka.com> <368EABCF-A10A-49E9-9473-7753F6BEAA50@patpro.net> <8EDDBDB2-77F5-4CF5-8744-41BEA187C08A@FreeBSD.org> To: Grzegorz Junka X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Jul 2018 23:41:47 -0000 See etc/periodic/... security related scripts. Should get you on a good star= t. --=20 The fact that there's a highway to Hell but only a stairway to Heaven says a= lot about anticipated traffic volume. > On Jul 18, 2018, at 16:47, Grzegorz Junka wrote: >=20 >=20 > Thank you Patrick, Simon and Dimitry for a quick follow up and the explana= tion. >=20 > Is it possible to figure out which parts of the security run output emails= are produced by which tools (I assume that each part is a separate check)? C= ould be useful to know when checking other messages in that email. Is there s= ome kind of email template or script that generates these emails? 
> GrzegorzJ > _______________________________________________ > freebsd-security@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org= " From owner-freebsd-security@freebsd.org Thu Jul 19 07:24:02 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E09AB104DFC6 for ; Thu, 19 Jul 2018 07:24:02 +0000 (UTC) (envelope-from list1@gjunka.com) Received: from msa1.earth.yoonka.com (yoonka.com [88.98.225.149]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "msa1.earth.yoonka.com", Issuer "msa1.earth.yoonka.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 5FC9281BE1 for ; Thu, 19 Jul 2018 07:24:02 +0000 (UTC) (envelope-from list1@gjunka.com) Received: from ultrabook.yoonka.com (x2f7fc17.dyn.telefonica.de [2.247.252.23]) (authenticated bits=0) by msa1.earth.yoonka.com (8.15.2/8.15.2) with ESMTPSA id w6J7NwHf052152 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 19 Jul 2018 07:23:59 GMT (envelope-from list1@gjunka.com) X-Authentication-Warning: msa1.earth.yoonka.com: Host x2f7fc17.dyn.telefonica.de [2.247.252.23] claimed to be ultrabook.yoonka.com Subject: Re: Possible break-in attempt? 
To: Jason Hellenthal Cc: freebsd-security@freebsd.org References: <594ba84b-0691-8471-4bd4-076d0ae3da98@gjunka.com> <368EABCF-A10A-49E9-9473-7753F6BEAA50@patpro.net> <8EDDBDB2-77F5-4CF5-8744-41BEA187C08A@FreeBSD.org> From: Grzegorz Junka Message-ID: <260d72c1-4d4d-38d7-6081-7ccbb6689060@gjunka.com> Date: Thu, 19 Jul 2018 07:23:53 +0000 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-GB-large X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Jul 2018 07:24:03 -0000 On 18/07/2018 23:41, Jason Hellenthal wrote: > See etc/periodic/... security related scripts. Should get you on a good start. > Great, thank you Jason! From owner-freebsd-security@freebsd.org Fri Jul 20 19:05:12 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 9AC04104F6EF for ; Fri, 20 Jul 2018 19:05:12 +0000 (UTC) (envelope-from jamie@catflap.org) Received: from donotpassgo.dyslexicfish.net (donotpassgo.dyslexicfish.net [IPv6:2001:19f0:300:2185:a:dead:bad:faff]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4786489AAF; Fri, 20 Jul 2018 19:05:11 +0000 (UTC) (envelope-from jamie@catflap.org) Received: from donotpassgo.dyslexicfish.net (donotpassgo.dyslexicfish.net [104.207.135.49]) by donotpassgo.dyslexicfish.net (8.14.5/8.14.5) with ESMTP id w6KJ5A2n079232; Fri, 20 Jul 2018 20:05:10 +0100 (BST) (envelope-from jamie@donotpassgo.dyslexicfish.net) Received: (from jamie@localhost) by 
donotpassgo.dyslexicfish.net (8.14.5/8.14.5/Submit) id w6KJ59hn079229; Fri, 20 Jul 2018 20:05:09 +0100 (BST) (envelope-from jamie) From: Jamie Landeg-Jones Message-Id: <201807201905.w6KJ59hn079229@donotpassgo.dyslexicfish.net> Date: Fri, 20 Jul 2018 20:05:09 +0100 Organization: Dyslexic Fish To: list1@gjunka.com, dim@freebsd.org Cc: freebsd-security@freebsd.org Subject: Re: Possible break-in attempt? References: <594ba84b-0691-8471-4bd4-076d0ae3da98@gjunka.com> <368EABCF-A10A-49E9-9473-7753F6BEAA50@patpro.net> <8EDDBDB2-77F5-4CF5-8744-41BEA187C08A@FreeBSD.org> In-Reply-To: <8EDDBDB2-77F5-4CF5-8744-41BEA187C08A@FreeBSD.org> User-Agent: Heirloom mailx 12.4 7/29/08 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Jul 2018 19:05:12 -0000 Dimitry Andric wrote: > For each incoming IP address, sshd does a reverse lookup, and if that > results in a hostname, it does another lookup of that hostname, to see > if *that* result matches the original incoming IP address. If it does > not, you get this scary warning in syslog about a "possible break-in > attempt!". > > In my opinion, this is fairly misleading, since almost always the actual > cause is badly configured DNS, a very common occurrence. In addition, > matching forward and reverse DNS records is no guarantee at all that the > incoming IP address is in any way trustworthy. I'm not sure which version this made it into, but they actually removed this over 2 years ago. It's not in the openssh that ships with FreeBSD 11.2: | commit e690fe85750e93fca1fb7c7c8587d4130a4f7aba | Author: dtucker@openbsd.org | Date: Wed Jun 15 00:40:40 2016 +0000 | | upstream commit | | Remove "POSSIBLE BREAK-IN ATTEMPT!" 
from log message | about forward and reverse DNS not matching. We haven't supported IP-based | auth methods for a very long time so it's now misleading. part of bz#2585, | ok markus@ | | Upstream-ID: 5565ef0ee0599b27f0bd1d3bb1f8a323d8274e29 cheers, Jamie From owner-freebsd-security@freebsd.org Sat Jul 21 11:03:47 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 89F1F1046D19 for ; Sat, 21 Jul 2018 11:03:47 +0000 (UTC) (envelope-from freebsd-list@nuos.org) Received: from cargobay.net (cargobay.net [23.111.168.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 2DB54860F0 for ; Sat, 21 Jul 2018 11:03:46 +0000 (UTC) (envelope-from freebsd-list@nuos.org) Received: from [192.168.1.4] (unknown [67.8.153.7]) by jack.ccsys.com (Postfix) with ESMTPSA id E6B402B72 for ; Sat, 21 Jul 2018 11:03:38 +0000 (UTC) From: Chad Jacob Milios Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\)) Subject: Re: Possible break-in attempt? 
Date: Sat, 21 Jul 2018 07:03:38 -0400
To: freebsd-security@freebsd.org
Message-Id: <2E502F45-E6F6-44D7-AE9E-9B8B08C1CEBE@nuos.org>
In-Reply-To: <201807201905.w6KJ59hn079229@donotpassgo.dyslexicfish.net>

> On Jul 20, 2018, at 3:05 PM, Jamie Landeg-Jones wrote:
>
> Dimitry Andric wrote:
>
>> For each incoming IP address, sshd does a reverse lookup, and if that
>> results in a hostname, it does another lookup of that hostname, to see
>> if *that* result matches the original incoming IP address. If it does
>> not, you get this scary warning in syslog about a "possible break-in
>> attempt!".
>> [...]
>
> I'm not sure which version this made it into, but they actually removed this
> over 2 years ago. It's not in the openssh that ships with FreeBSD 11.2:
>
> | commit e690fe85750e93fca1fb7c7c8587d4130a4f7aba
> [...]
>
> cheers, Jamie

adding:

UseDNS no

has the added benefit of avoiding a grueling delay when YOU are the one behind an IP address with a misconfigured reverse DNS mapping (which is horribly common on consumer networks). It goes into /etc/ssh/sshd_config and has been among my initial configuration to every FreeBSD box I've stood up for a decade.

openssh-portable (in ports, produced by the paranoid fellows at OpenBSD) has actually switched to adopt this, UseDNS no, as their default configuration for, I think it's been a couple of years now. This is in addition to dropping the message from their log output if UseDNS yes.

There is no point to this foolishly alarming message. Be mindful of the OTHER ways you must surely have in place to keep your sshd hard against attack.

-CJ

From owner-freebsd-security@freebsd.org Sat Jul 21 11:57:15 2018
From: Grzegorz Junka
To: freebsd-security@freebsd.org
Subject: Re: Possible break-in attempt?
Date: Sat, 21 Jul 2018 11:57:07 +0000
In-Reply-To: <2E502F45-E6F6-44D7-AE9E-9B8B08C1CEBE@nuos.org>

On 21/07/2018 11:03, Chad Jacob Milios wrote:
>> On Jul 20, 2018, at 3:05 PM, Jamie Landeg-Jones wrote:
>> [...]
>> cheers, Jamie
> adding:
>
> UseDNS no
>
> has the added benefit of avoiding a grueling delay when YOU are the one behind an IP address with a misconfigured reverse DNS mapping (which is horribly common on consumer networks). It goes into /etc/ssh/sshd_config and has been among my initial configuration to every FreeBSD box I've stood up for a decade.
>
> openssh-portable (in ports, produced by the paranoid fellows at OpenBSD) has actually switched to adopt this, UseDNS no, as their default configuration for, I think it's been a couple of years now. This is in addition to dropping the message from their log output if UseDNS yes.
>
> There is no point to this foolishly alarming message. Be mindful of the OTHER ways you must surely have in place to keep your sshd hard against attack.
>

Good to know. But the documentation says setting it to no prevents using DNS in known_hosts. When I look into my known_hosts I see many DNS-only names, e.g. github.com among others.

GrzegorzJ

From owner-freebsd-security@freebsd.org Sat Jul 21 12:05:40 2018
From: Chad Jacob Milios
To: Grzegorz Junka
Cc: freebsd-security@freebsd.org
Subject: Re: Possible break-in attempt?
Date: Sat, 21 Jul 2018 08:05:36 -0400
Message-Id: <0DDFA4FB-4FAB-49F0-99E8-9958DB1D889F@nuos.org>

> On Jul 21, 2018, at 7:57 AM, Grzegorz Junka wrote:
> On 21/07/2018 11:03, Chad Jacob Milios wrote:
>> [...]
>> There is no point to this foolishly alarming message. Be mindful of the OTHER ways you must surely have in place to keep your sshd hard against attack.
>>
>
> Good to know. But the documentation says setting it to no prevents using DNS in known_hosts. When I look into my known_hosts I see many DNS-only names, e.g. github.com among others.
>
> GrzegorzJ

In which man page or web page are you seeing this information?

From owner-freebsd-security@freebsd.org Sat Jul 21 19:29:12 2018
From: Grzegorz Junka
Subject: Re: Possible break-in attempt?
To: Chad Jacob Milios Cc: freebsd-security@freebsd.org References: <594ba84b-0691-8471-4bd4-076d0ae3da98@gjunka.com> <368EABCF-A10A-49E9-9473-7753F6BEAA50@patpro.net> <8EDDBDB2-77F5-4CF5-8744-41BEA187C08A@FreeBSD.org> <201807201905.w6KJ59hn079229@donotpassgo.dyslexicfish.net> <2E502F45-E6F6-44D7-AE9E-9B8B08C1CEBE@nuos.org> <0DDFA4FB-4FAB-49F0-99E8-9958DB1D889F@nuos.org> From: Grzegorz Junka Message-ID: <91123dcd-529a-1c92-16bf-f9060d3f1fa6@gjunka.com> Date: Sat, 21 Jul 2018 19:29:02 +0000 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: <0DDFA4FB-4FAB-49F0-99E8-9958DB1D889F@nuos.org> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-GB-large X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Jul 2018 19:29:12 -0000 On 21/07/2018 12:05, Chad Jacob Milios wrote: >> On Jul 21, 2018, at 7:57 AM, Grzegorz Junka wrote: >> On 21/07/2018 11:03, Chad Jacob Milios wrote: >>>> On Jul 20, 2018, at 3:05 PM, Jamie Landeg-Jones wrote: >>>> >>>> Dimitry Andric wrote: >>>> >>>>> For each incoming IP address, sshd does a reverse lookup, and if that >>>>> results in a hostname, it does another lookup of that hostname, to see >>>>> if *that* result matches the original incoming IP address. If it does >>>>> not, you get this scary warning in syslog about a "possible break-in >>>>> attempt!". >>>>> >>>>> In my opinion, this is fairly misleading, since almost always the actual >>>>> cause is badly configured DNS, a very common occurrence. In addition, >>>>> matching forward and reverse DNS records is no guarantee at all that the >>>>> incoming IP address is in any way trustworthy. 
>>>> I'm not sure which version this made it into, but they actually removed this >>>> over 2 years ago. It's not in the openssh that ships with FreeBSD 11.2: >>>> >>>> | commit e690fe85750e93fca1fb7c7c8587d4130a4f7aba >>>> | Author: dtucker@openbsd.org >>>> | Date: Wed Jun 15 00:40:40 2016 +0000 >>>> | >>>> | upstream commit >>>> | >>>> | Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message >>>> | about forward and reverse DNS not matching. We haven't supported IP-based >>>> | auth methods for a very long time so it's now misleading. part of bz#2585, >>>> | ok markus@ >>>> | >>>> | Upstream-ID: 5565ef0ee0599b27f0bd1d3bb1f8a323d8274e29 >>>> >>>> cheers, Jamie >>> adding: >>> >>> UseDNS no >>> >>> has the added benefit of avoiding a grueling delay when YOU are the one behind an IP address with a misconfigured reverse DNS mapping (which is horribly common on consumer networks). It goes into /etc/ssh/sshd_config and has been among my initial configuration to every FreeBSD box i’ve stood up for a decade. >>> >>> openssh-portable (in ports, produced by the paranoid fellows at OpenBSD) has actually switched to adopt this, UseDNS no, as their default configuration for, i think its been a couple years now. This is in addition to dropping the message from their log output if UseDNS yes. >>> >>> There is no point to this foolishly alarming message. Be mindful of the OTHER ways you must surely have in place to keep your sshd hard against attack. >>> >> Good to know. But the documentation says setting to no prevents from using DNS in known_hosts. When I look into my known_hosts I see many dns-only names, e.g. github.com among others. >> >> GrzegorzJ > In which man page or web page are you seeing this information? > man sshd_config      UseDNS  Specifies whether sshd(8) should look up the remote host name,              and to check that the resolved host name for the remote IP              address maps back to the very same IP address.              
If this option is set to “no”, then only addresses and not host              names may be used in ~/.ssh/known_hosts from and sshd_config              Match Host directives.  The default is “yes”. From owner-freebsd-security@freebsd.org Sat Jul 21 19:59:41 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B30BC102AE0F for ; Sat, 21 Jul 2018 19:59:41 +0000 (UTC) (envelope-from SRS0=IaDc=KF=quip.cz=000.fbsd@elsa.codelab.cz) Received: from elsa.codelab.cz (elsa.codelab.cz [94.124.105.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 3FEBA75B5A for ; Sat, 21 Jul 2018 19:59:40 +0000 (UTC) (envelope-from SRS0=IaDc=KF=quip.cz=000.fbsd@elsa.codelab.cz) Received: from elsa.codelab.cz (localhost [127.0.0.1]) by elsa.codelab.cz (Postfix) with ESMTP id 26DCE28462; Sat, 21 Jul 2018 21:59:33 +0200 (CEST) Received: from illbsd.quip.test (ip-86-49-16-209.net.upcbroadband.cz [86.49.16.209]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by elsa.codelab.cz (Postfix) with ESMTPSA id 8974228459; Sat, 21 Jul 2018 21:59:26 +0200 (CEST) Subject: Re: Possible break-in attempt? 
To: Grzegorz Junka , Chad Jacob Milios Cc: freebsd-security@freebsd.org References: <594ba84b-0691-8471-4bd4-076d0ae3da98@gjunka.com> <368EABCF-A10A-49E9-9473-7753F6BEAA50@patpro.net> <8EDDBDB2-77F5-4CF5-8744-41BEA187C08A@FreeBSD.org> <201807201905.w6KJ59hn079229@donotpassgo.dyslexicfish.net> <2E502F45-E6F6-44D7-AE9E-9B8B08C1CEBE@nuos.org> <0DDFA4FB-4FAB-49F0-99E8-9958DB1D889F@nuos.org> <91123dcd-529a-1c92-16bf-f9060d3f1fa6@gjunka.com> From: Miroslav Lachman <000.fbsd@quip.cz> Message-ID: <3dcdf0e7-a17f-7b98-cdea-06cce1875d74@quip.cz> Date: Sat, 21 Jul 2018 21:59:26 +0200 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.3 MIME-Version: 1.0 In-Reply-To: <91123dcd-529a-1c92-16bf-f9060d3f1fa6@gjunka.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Jul 2018 19:59:41 -0000 Grzegorz Junka wrote on 2018/07/21 21:29: [...] >>>> There is no point to this foolishly alarming message. Be mindful of >>>> the OTHER ways you must surely have in place to keep your sshd hard >>>> against attack. >>>> >>> Good to know. But the documentation says setting to no prevents from >>> using DNS in known_hosts. When I look into my known_hosts I see many >>> dns-only names, e.g. github.com among others. >>> >>> GrzegorzJ >> In which man page or web page are you seeing this information? > > > man sshd_config > >      UseDNS  Specifies whether sshd(8) should look up the remote host > name, >              and to check that the resolved host name for the remote IP >              address maps back to the very same IP address. 
> >              If this option is set to “no”, then only addresses and not > host >              names may be used in ~/.ssh/known_hosts from and sshd_config >              Match Host directives.  The default is “yes”. What version of FreeBSD do you have? On FreeBSD 10.4 there is UseDNS Specifies whether sshd(8) should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. If this option is set to “no”, then only addresses and not host names may be used in ~/.ssh/authorized_keys from and sshd_config Match Host directives. The default is “yes”. And I don't think sshd_config should have any impact on client configuration (known_hosts). It is controlled by ssh_config. Miroslav Lachman From owner-freebsd-security@freebsd.org Sat Jul 21 20:30:44 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 67A67102BA24 for ; Sat, 21 Jul 2018 20:30:44 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from tensor.andric.com (tensor.andric.com [87.251.56.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "tensor.andric.com", Issuer "COMODO RSA Domain Validation Secure Server CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id C8CD876AA5 for ; Sat, 21 Jul 2018 20:30:43 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from coleburn.home.andric.com (coleburn.home.andric.com [192.168.0.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by tensor.andric.com (Postfix) with ESMTPSA id 5638E3E8C5; Sat, 21 Jul 2018 22:30:36 +0200 (CEST) From: Dimitry Andric Message-Id: <1EBE0612-CDB0-452D-ABB0-BFF133B1CBE0@FreeBSD.org> Content-Type: multipart/signed; boundary="Apple-Mail=_9BB5C12B-EDAA-42E1-BA92-1CC0ED28FFD8"; protocol="application/pgp-signature"; 
Subject: Re: Possible break-in attempt?
Date: Sat, 21 Jul 2018 22:30:28 +0200
In-Reply-To: <91123dcd-529a-1c92-16bf-f9060d3f1fa6@gjunka.com>
Cc: Chad Jacob Milios, freebsd-security@freebsd.org, Damien Miller
To: Grzegorz Junka

On 21 Jul 2018, at 21:29, Grzegorz Junka wrote:
>
> On 21/07/2018 12:05, Chad Jacob Milios wrote:
>>> On Jul 21, 2018, at 7:57 AM, Grzegorz Junka wrote:
>>> On 21/07/2018 11:03, Chad Jacob Milios wrote:
>>>>> On Jul 20, 2018, at 3:05 PM, Jamie Landeg-Jones wrote:
...
>>>> openssh-portable (in ports, produced by the paranoid fellows at
>>>> OpenBSD) has actually switched to adopt this, UseDNS no, as their
>>>> default configuration for, I think it's been a couple years now. This
>>>> is in addition to dropping the message from their log output if
>>>> UseDNS yes.
>>>>
>>>> There is no point to this foolishly alarming message. Be mindful of
>>>> the OTHER ways you must surely have in place to keep your sshd hard
>>>> against attack.
>>>>
>>> Good to know. But the documentation says setting to no prevents from
>>> using DNS in known_hosts. When I look into my known_hosts I see many
>>> dns-only names, e.g. github.com among others.
>>>
>>> GrzegorzJ
>> In which man page or web page are you seeing this information?
>
> > man sshd_config
>
>      UseDNS  Specifies whether sshd(8) should look up the remote host name,
>              and to check that the resolved host name for the remote IP
>              address maps back to the very same IP address.
>
>              If this option is set to “no”, then only addresses and not host
>              names may be used in ~/.ssh/known_hosts from and sshd_config
>              Match Host directives.  The default is “yes”.

Interestingly, this documentation is an outdated version, and wrong. :)
It was reported upstream:

https://bugzilla.mindrot.org/show_bug.cgi?id=2554

and fixed here:

https://github.com/openssh/openssh-portable/commit/0235a5fa67fcac51adb564cba69011a535f86f6b

The documentation is now:

     UseDNS  Specifies whether sshd(8) should look up the remote host name,
             and to check that the resolved host name for the remote IP
             address maps back to the very same IP address.

             If this option is set to no, then only addresses and not host
             names may be used in ~/.ssh/authorized_keys from and sshd_config
             Match Host directives.  The default is "yes".

E.g., it affects only authorized_keys files, but I'm not sure if there
is such a thing as a "from" directive in those (and neither could I find
any documentation about "from" directives in known_hosts files either).

-Dimitry

Subject: Re: Possible break-in attempt?
To: freebsd-security@freebsd.org
From: Grzegorz Junka
Message-ID: <79df6b59-c36a-b417-8fe8-2717d0b333a2@gjunka.com>
Date: Sat, 21 Jul 2018 20:46:05 +0000
In-Reply-To: <3dcdf0e7-a17f-7b98-cdea-06cce1875d74@quip.cz>

On 21/07/2018 19:59, Miroslav Lachman wrote:
> Grzegorz Junka wrote on 2018/07/21 21:29:
>
> [...]
>
>>>>> There is no point to this foolishly alarming message. Be mindful
>>>>> of the OTHER ways you must surely have in place to keep your sshd
>>>>> hard against attack.
>>>>>
>>>> Good to know. But the documentation says setting to no prevents
>>>> from using DNS in known_hosts. When I look into my known_hosts I
>>>> see many dns-only names, e.g. github.com among others.
>>>>
>>>> GrzegorzJ
>>> In which man page or web page are you seeing this information?
>>
>> man sshd_config
>>
>>       UseDNS  Specifies whether sshd(8) should look up the remote host name,
>>               and to check that the resolved host name for the remote IP
>>               address maps back to the very same IP address.
>>
>>               If this option is set to “no”, then only addresses and not host
>>               names may be used in ~/.ssh/known_hosts from and sshd_config
>>               Match Host directives.  The default is “yes”.
>
> What version of FreeBSD do you have?
> On FreeBSD 10.4 there is
>
> UseDNS  Specifies whether sshd(8) should look up the remote host name,
>     and to check that the resolved host name for the remote IP
>     address maps back to the very same IP address.
>
>     If this option is set to “no”, then only addresses and not host
>     names may be used in ~/.ssh/authorized_keys from and sshd_config
>     Match Host directives.  The default is “yes”.
>
> And I don't think sshd_config should have any impact on client
> configuration (known_hosts). It is controlled by ssh_config.

It's from 11.1-RELEASE-p1. I would hope that 11.1p1 is more correct than 10.4?
Date: Sat, 21 Jul 2018 15:45:10 -0700
From: John-Mark Gurney
To: Dimitry Andric
Cc: Grzegorz Junka, freebsd-security@freebsd.org, Chad Jacob Milios, Damien Miller
Subject: Re: Possible break-in attempt?
Message-ID: <20180721224510.GQ2884@funkthat.com>
In-Reply-To: <1EBE0612-CDB0-452D-ABB0-BFF133B1CBE0@FreeBSD.org>

Dimitry Andric wrote this message on Sat, Jul 21, 2018 at 22:30 +0200:
> On 21 Jul 2018, at 21:29, Grzegorz Junka wrote:
> >
> > On 21/07/2018 12:05, Chad Jacob Milios wrote:
> >>> On Jul 21, 2018, at 7:57 AM, Grzegorz Junka wrote:
> >>> On 21/07/2018 11:03, Chad Jacob Milios wrote:
> >>>>> On Jul 20, 2018, at 3:05 PM, Jamie Landeg-Jones wrote:
> ...
> >>>> openssh-portable (in ports, produced by the paranoid fellows at
> >>>> OpenBSD) has actually switched to adopt this, UseDNS no, as their
> >>>> default configuration for, I think it's been a couple years now.
> >>>> This is in addition to dropping the message from their log output
> >>>> if UseDNS yes.
> >>>>
> >>>> There is no point to this foolishly alarming message. Be mindful
> >>>> of the OTHER ways you must surely have in place to keep your sshd
> >>>> hard against attack.
> >>>>
> >>> Good to know. But the documentation says setting to no prevents
> >>> from using DNS in known_hosts. When I look into my known_hosts I
> >>> see many dns-only names, e.g. github.com among others.
> >>>
> >>> GrzegorzJ
> >> In which man page or web page are you seeing this information?
> >
> > > man sshd_config
> >
> >      UseDNS  Specifies whether sshd(8) should look up the remote host name,
> >              and to check that the resolved host name for the remote IP
> >              address maps back to the very same IP address.
> >
> >              If this option is set to “no”, then only addresses and not host
> >              names may be used in ~/.ssh/known_hosts from and sshd_config
> >              Match Host directives.  The default is “yes”.
>
> Interestingly, this documentation is an outdated version, and wrong. :)
> It was reported upstream:
>
> https://bugzilla.mindrot.org/show_bug.cgi?id=2554
>
> and fixed here:
>
> https://github.com/openssh/openssh-portable/commit/0235a5fa67fcac51adb564cba69011a535f86f6b
>
> The documentation is now:
>
>      UseDNS  Specifies whether sshd(8) should look up the remote host name,
>              and to check that the resolved host name for the remote IP
>              address maps back to the very same IP address.
>
>              If this option is set to no, then only addresses and not host
>              names may be used in ~/.ssh/authorized_keys from and sshd_config
>              Match Host directives.  The default is "yes".
>
> E.g., it affects only authorized_keys files, but I'm not sure if there
> is such a thing as a "from" directive in those (and neither could I find
> any documentation about "from" directives in known_hosts files either).

Yes, there is. From ssh_config(5):

     A pattern-list is a comma-separated list of patterns.  Patterns within
     pattern-lists may be negated by preceding them with an exclamation mark
     (`!').  For example, to allow a key to be used from anywhere within an
     organization except from the ``dialup'' pool, the following entry (in
     authorized_keys) could be used:

           from="!*.dialup.example.com,*.example.com"

and from sshd(8):

     from="pattern-list"
             Specifies that in addition to public key authentication, either
             the canonical name of the remote host or its IP address must be
             present in the comma-separated list of patterns.  See PATTERNS
             in ssh_config(5) for more information on patterns.

             In addition to the wildcard matching that may be applied to
             hostnames or addresses, a from stanza may match IP addresses
             using CIDR address/masklen notation.

             The purpose of this option is to optionally increase security:
             public key authentication by itself does not trust the network
             or name servers or anything (but the key); however, if somebody
             somehow steals the key, the key permits an intruder to log in
             from anywhere in the world.  This additional option makes using
             a stolen key more difficult (name servers and/or routers would
             have to be compromised in addition to just the key).

sshd(8) also has the other restrictions that you can put on keys in the
authorized_keys file.

-- 
John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
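The from="pattern-list" rules quoted in John-Mark's reply, worked through as an added example that is neither part of this thread nor OpenSSH's own code: a small Python matcher that applies comma-separated patterns, `!` negation, `*`/`?` wildcards and CIDR entries to a client's canonical name and address, and models the UseDNS point discussed earlier by substituting the address for the name when DNS lookups are off. The function names and the sample hosts and addresses are constructed for illustration.

```python
import fnmatch
import ipaddress

# Constructed example (not OpenSSH code): evaluate an authorized_keys
# from="pattern-list" restriction the way the quoted ssh_config(5) and
# sshd(8) text describes it. Only '*' and '?' wildcards are intended;
# fnmatch is used for brevity.


def _is_cidr(pattern: str) -> bool:
    """True for CIDR address/masklen entries such as 192.0.2.0/24."""
    if "/" not in pattern:
        return False
    try:
        ipaddress.ip_network(pattern, strict=False)
        return True
    except ValueError:
        return False


def _matches_one(pattern: str, hostname: str, ip: str) -> bool:
    """Match a single non-negated pattern against the client name or address."""
    if _is_cidr(pattern):
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    # Hostnames compare case-insensitively; addresses compare as written.
    return (fnmatch.fnmatchcase(hostname.lower(), pattern.lower())
            or fnmatch.fnmatchcase(ip, pattern))


def from_allows(pattern_list: str, hostname: str, ip: str, use_dns: bool = True) -> bool:
    """Return True if a key carrying from="pattern_list" may be used by this client.

    Semantics as in the quoted man pages: a matching negated pattern rejects
    outright (wherever it appears in the list); otherwise at least one positive
    pattern must match. With UseDNS no, sshd has no canonical host name, so the
    name side is just the address and only address/CIDR patterns can match.
    """
    if not use_dns:
        hostname = ip
    allowed = False
    for raw in pattern_list.split(","):
        pat = raw.strip()
        if not pat:
            continue
        if pat.startswith("!"):
            if _matches_one(pat[1:], hostname, ip):
                return False
        elif _matches_one(pat, hostname, ip):
            allowed = True
    return allowed
```

The fourth check in the test below is the practical consequence of the UseDNS discussion: with DNS lookups disabled, a key restricted to `*.example.com` can no longer be used at all, so such keys need address or CIDR patterns instead.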