From: "Crist J. Clark" <crist.clark@attbi.com>
To: Drew Tomlinson <drew@mykitchentable.net>
Cc: security@FreeBSD.ORG
Date: Sun, 2 Jun 2002 11:34:09 -0700
Subject: Re: Security Messages re: hosts.allow?
Message-ID: <20020602113409.F20911@blossom.cjclark.org>
In-Reply-To: <007e01c20a47$7fabb370$1b01a8c0@TAGALONG>
User-Agent: Mutt/1.2.5i
X-URL: http://people.freebsd.org/~cjc/

On Sun, Jun 02, 2002 at 08:09:31AM -0700, Drew Tomlinson wrote:
> I found the following in my daily security email:
>
> blacklamb.mykitchentable.net kernel log messages:
>
> Jun 1 01:33:15 blacklamb sshd[30021]: warning: /etc/hosts.allow,
> line 23: host name/address mismatch: 210.59.224.42 !=
> server1.camelweb.com.tw
>
> Jun 1 01:33:15 blacklamb sshd[30022]: warning: /etc/hosts.allow,
> line 23: host name/address mismatch: 210.59.224.42 !=
> server1.camelweb.com.tw
>
> I checked my hosts.allow file and line 23 is the default:
>
> ALL : ALL : allow
>
> I have not changed hosts.allow from the default. What do the above
> messages mean and what should I do about them (if anything)?

It means that site has some pretty wacked out DNS entries for those
entities,

  server1.camelweb.com.tw.    23h59m43s IN CNAME dns.camelweb.com.tw.
  server1.camelweb.com.tw.    23h59m43s IN A     210.59.224.44
  dns.camelweb.com.tw.        22h47m42s IN A     210.59.224.42
  42.224.59.210.in-addr.arpa. 9h1m47s   IN PTR   server1.camelweb.com.tw.

But from the looks of it, these DNS entries themselves do not look
malicious.
-- 
Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org
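The warning above comes from the tcp_wrappers check that sshd runs on every connection: it looks up the PTR record for the peer address, then looks up the resulting name forward and requires the original address to appear among the answers. When it does not, the peer is recorded under the special name PARANOID and the mismatch is logged; whether the connection is then refused depends only on the rules in hosts.allow, so the default "ALL : ALL : allow" still admits it. The following is an added Python illustration of that check, not code from the thread or from tcp_wrappers; the resolver table is constructed from the four records quoted in the reply, and the hosts.allow matcher covers only the ALL and PARANOID tokens. Note that server1 carries both a CNAME and an A record, which is exactly the kind of inconsistency that makes the result depend on which record a resolver happens to return.

```python
import ipaddress

# Constructed resolver table built from the records quoted in the reply.
# (name, type) -> list of answers. server1 has both a CNAME and an A record.
ZONE = {
    ("server1.camelweb.com.tw.", "CNAME"): ["dns.camelweb.com.tw."],
    ("server1.camelweb.com.tw.", "A"): ["210.59.224.44"],
    ("dns.camelweb.com.tw.", "A"): ["210.59.224.42"],
    ("42.224.59.210.in-addr.arpa.", "PTR"): ["server1.camelweb.com.tw."],
}


def lookup(name, rtype, zone=ZONE):
    """Offline stand-in for a DNS query against the constructed table."""
    return zone.get((name, rtype), [])


def reverse_name(addr):
    """Owner name of the PTR record for an IP address."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def forward_addresses(name, zone=ZONE, follow_cname=True, max_depth=8):
    """Collect the A records for name, optionally chasing a CNAME chain.

    follow_cname=False models a resolver that hands back only the direct
    A record (210.59.224.44); follow_cname=True also includes the address
    reached through dns.camelweb.com.tw (210.59.224.42).
    """
    seen, addrs, cur = set(), [], name
    for _ in range(max_depth):
        if cur in seen:          # guard against CNAME loops
            break
        seen.add(cur)
        addrs.extend(lookup(cur, "A", zone))
        targets = lookup(cur, "CNAME", zone)
        if not follow_cname or not targets:
            break
        cur = targets[0]
    return addrs


def check_peer(addr, zone=ZONE, follow_cname=True):
    """Forward-confirmed reverse lookup in the style of tcp_wrappers.

    Returns (client_name, warning). On a mismatch the client name becomes
    the PARANOID token and the warning text mirrors the logged message.
    """
    ptrs = lookup(reverse_name(addr), "PTR", zone)
    if not ptrs:
        return addr, None                     # no reverse name: use the address
    name = ptrs[0]
    if addr in forward_addresses(name, zone, follow_cname):
        return name.rstrip("."), None
    return "PARANOID", f"host name/address mismatch: {addr} != {name.rstrip('.')}"


def hosts_access(rules, daemon, client_name, client_addr):
    """Minimal hosts.allow evaluator: first matching rule wins.

    rules is a list of (daemon_pattern, client_pattern, action); only the
    ALL and PARANOID client tokens and exact names/addresses are handled.
    """
    for dpat, cpat, action in rules:
        if dpat not in ("ALL", daemon):
            continue
        if cpat == "ALL" or cpat in (client_name, client_addr):
            return action
    return "deny"                             # tcp_wrappers default when nothing matches


DEFAULT_RULES = [("ALL", "ALL", "allow")]                 # the line 23 in the question
STRICT_RULES = [("ALL", "PARANOID", "deny"), ("ALL", "ALL", "allow")]


if __name__ == "__main__":
    for follow in (False, True):
        name, warning = check_peer("210.59.224.42", follow_cname=follow)
        print(f"follow_cname={follow}: client={name} warning={warning}")
        print("  default rules ->", hosts_access(DEFAULT_RULES, "sshd", name, "210.59.224.42"))
        print("  strict rules  ->", hosts_access(STRICT_RULES, "sshd", name, "210.59.224.42"))
```

With follow_cname=False the check reproduces the logged warning and the default rule still answers "allow", which is why the message is informational in the original configuration; a PARANOID deny rule ahead of the catch-all is the usual way to turn the mismatch into a refusal, at the cost of also refusing sites whose DNS is merely broken rather than hostile.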