From: Kevin Kinsey <kdk@daleco.biz>
To: Imran Imtiaz
Cc: freebsd-questions@freebsd.org
Date: Wed, 11 Jan 2006 11:47:31 -0600
Subject: Re: is it an attack?
Message-ID: <43C544B3.2040101@daleco.biz>
In-Reply-To: <200601111627.k0BGRsQK092200@darkstar.thelakecity.com.pk>

Imran Imtiaz wrote:
> I got the following messages; is it really an attack attempt?
>
> Jan 10 23:23:22 darkstar sshd[58484]: reverse mapping checking getaddrinfo for 58.25-183.uio.satnet.net failed - POSSIBLE BREAKIN ATTEMPT!

Might as well treat it like one. If you're in Pakistan, who in Ecuador should be ssh'ing to your computer? Of course, that's the problem ... maybe they aren't really in Ecuador....
Although /etc/hosts.allow recommends against it, I find it fairly useful to place tcpwrappers on sshd. At the very least, I can block overseas connections to a large extent. If I want an even more secure login, I restrict ssh logins to a specific host and "daisy chain" through a less-restrictively configured machine.

You should also be tough with configuration (/etc/ssh/sshd_config) and consider using key-based authentication instead of passwords/keyboard-interactive.

HTH,

Kevin Kinsey

-- 
The two things that can get you into trouble quicker than anything else are fast women and slow horses.
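A small defender-side triage check in the spirit of Kevin's advice, added here as an example and not part of the original thread: it tallies sshd's reverse-mapping warnings per peer and per day from the auth log, so a burst from one source stands out before you decide what to wrap or deny. The sample log lines are constructed in the format quoted above (which shows no IP after the host name, so none is assumed); the host names other than the quoted one are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread: summarise sshd
# "POSSIBLE BREAKIN ATTEMPT" lines by the peer name whose reverse
# mapping failed, grouped by day, so repeated sources are obvious.

# Constructed sample log lines in the format quoted in the thread.
# Only the first host name comes from the thread; the rest are placeholders.
SAMPLE_LOG='Jan 10 23:23:22 darkstar sshd[58484]: reverse mapping checking getaddrinfo for 58.25-183.uio.satnet.net failed - POSSIBLE BREAKIN ATTEMPT!
Jan 10 23:23:25 darkstar sshd[58486]: reverse mapping checking getaddrinfo for 58.25-183.uio.satnet.net failed - POSSIBLE BREAKIN ATTEMPT!
Jan 10 23:24:01 darkstar sshd[58490]: Accepted publickey for kevin from 192.168.2.2 port 40112 ssh2
Jan 11 02:10:44 darkstar sshd[59001]: reverse mapping checking getaddrinfo for host.example.invalid failed - POSSIBLE BREAKIN ATTEMPT!'

# Read sshd log lines on stdin; print "<count> <month> <day> <peer>",
# most frequent first. Only the reverse-mapping warning counts; later
# OpenSSH releases spell it "BREAK-IN", which the pattern also accepts.
summarize_breakin_warnings() {
    awk '
        / sshd\[[0-9]+\]: reverse mapping checking getaddrinfo for .* failed - POSSIBLE BREAK-?IN ATTEMPT!/ {
            # $1=month $2=day $3=time $4=host $5=sshd[pid]: ...
            # the peer name is the word following "for"
            peer = ""
            for (i = 6; i <= NF; i++) if ($i == "for") { peer = $(i + 1); break }
            if (peer != "") n[$1 " " $2 " " peer]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Typical use: summarize_breakin_warnings < /var/log/auth.log
printf '%s\n' "$SAMPLE_LOG" | summarize_breakin_warnings
```

tcpd's PARANOID wildcard matches peers whose forward and reverse DNS disagree, so once a source keeps showing up here, a `sshd : PARANOID : deny` line in /etc/hosts.allow turns this class of warning into a refused connection rather than a log entry.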