Date:      Wed, 2 Jul 2008 13:50:31 GMT
From:      Richard Clayton <richard@highwayman.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   gnu/125184: sshd does not always log IP address for login failures
Message-ID:  <200807021350.m62DoVeJ005162@www.freebsd.org>
Resent-Message-ID: <200807021400.m62E0BtZ048631@freefall.freebsd.org>


>Number:         125184
>Category:       gnu
>Synopsis:       sshd does not always log IP address for login failures
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 02 14:00:11 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Richard Clayton
>Release:        7.0-STABLE
>Organization:
University of Cambridge
>Environment:
FreeBSD happyday.demon.co.uk 7.0-STABLE FreeBSD 7.0-STABLE #20: Thu Apr 17 23:45:32 BST 2008     rnc1@happyday.demon.co.uk:/usr/obj/usr/src/sys/HAPPYDAY  i386

>Description:
When login failures occur (usually attacks by password guessers), and there is reverse DNS for the remote machine, then the reverse DNS value is recorded...

... however, since the reverse DNS is not reliable (it may be controlled by the attacker, or may just be inaccurate) it is important to also log the actual IP address that was used, since only this can be used to ensure that reports of wickedness are sent to the correct place.

It would also be nice :) to guarantee a fixed format for locating the IP address in all relevant error messages, since that will permit automation of abuse reports.
>How-To-Repeat:
#1 Place machine onto Internet
#2 wait (not very long)
#3 examine daily security email...

If waiting is undesirable, access the machine via ssh from a machine at an IP address that has some reverse DNS set up.

>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
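
A log triage for the problem described in this report, as an added example that is not part of the original message or of OpenSSH: it separates failed-login lines whose origin is an address literal from those that carry only a reverse-DNS name, which should not drive an abuse report. The log lines are constructed samples whose wording is an assumption, and `source_of` and `triage` are hypothetical names.

```python
import ipaddress
import re

# Constructed sample lines in the general shape of sshd syslog output; the
# exact wording varies by OpenSSH version and is an assumption here.
SAMPLE_LOG = """\
Jul  2 03:11:09 host sshd[4121]: Failed password for invalid user admin from 192.0.2.44 port 51515 ssh2
Jul  2 03:11:12 host sshd[4125]: error: PAM: authentication error for root from scanner.example.net
Jul  2 03:11:15 host sshd[4130]: Failed password for root from 2001:db8::7 port 40022 ssh2
Jul  2 03:11:19 host sshd[4133]: error: PAM: authentication error for illegal user test from 198.51.100.9
Jul  2 03:12:01 host sshd[4140]: Accepted publickey for rnc1 from 203.0.113.5 port 50000 ssh2
Jul  2 03:12:07 host sshd[4144]: Failed password for invalid user x from 10.0.0.1 from 192.0.2.44 port 51516 ssh2
"""

# Greedy ".*" makes the capture follow the LAST " from " on the line: the user
# name comes before it and is chosen by the client.
FAILURE = re.compile(r"sshd\[\d+\]: .*(?:Failed|authentication error) .* from (\S+)")

def source_of(line):
    """Return (kind, value) for a failed-login line, else None.
    kind is 'ip' for an address literal and 'hostname' for anything else."""
    m = FAILURE.search(line)
    if not m:
        return None
    token = m.group(1)
    try:
        return ("ip", str(ipaddress.ip_address(token)))
    except ValueError:
        return ("hostname", token)

def triage(log_text):
    """Count failures per address; collect origins logged only as a name."""
    reportable, name_only = {}, []
    for line in log_text.splitlines():
        src = source_of(line)
        if src is None:
            continue
        kind, value = src
        if kind == "ip":
            reportable[value] = reportable.get(value, 0) + 1
        else:
            name_only.append(value)
    return reportable, name_only

if __name__ == "__main__":
    ips, names = triage(SAMPLE_LOG)
    print("reportable addresses:", ips)
    print("name only, not reportable as logged:", names)
```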


