From: Dimitry Andric <dim@FreeBSD.org>
Date: Wed, 18 Jul 2018 22:47:30 +0200
To: Grzegorz Junka
Cc: Patrick Proniewski, freebsd-security@freebsd.org
Subject: Re: Possible break-in attempt?
List: freebsd-security@freebsd.org ("Security issues [members-only posting]")

On 18 Jul 2018, at 22:25, Grzegorz Junka wrote:
>
> Thank you Patrick. I don't receive that many of them. Maybe a dozen or so since I've set up my server, which was a few years ago. Mostly with the same IP but sometimes a different IP as well. And all those I've received so far were in the last few months.
>
> They surprise me because on the firewall the sshd is forwarded from a non-standard port (i.e. port 22 isn't open).
>
> I am interested in what security precaution FreeBSD is trying to do here. Is the sshd server receiving an ssh login request from an IP that can't be resolved back to a domain in the reverse DNS (PTR) record for that IP?

This is not specifically a FreeBSD precaution, but an upstream OpenSSH feature. OpenSSH supports hostname-based matching rules; see the "Match" keyword in sshd_config(5). For each incoming IP address, sshd does a reverse lookup, and if that results in a hostname, it does another lookup of that hostname, to see if *that* result matches the original incoming IP address. If it does not, you get this scary warning in syslog about a "possible break-in attempt!". In my opinion, this is fairly misleading, since almost always the actual cause is badly configured DNS, a very common occurrence.

In addition, matching forward and reverse DNS records is no guarantee at all that the incoming IP address is in any way trustworthy. If you don't use hostname-based matching rules, and don't use "from" directives with hostnames in your authorized_keys files, you can disable the DNS lookups (and the warnings too) by setting "UseDNS no" in your sshd_config file. This is usually one of the first settings I change on any server I configure. :)

-Dimitry
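The two-step lookup Dimitry describes (reverse lookup of the peer IP, then a forward lookup of the resulting name, then a comparison against the original IP) is the "forward-confirmed reverse DNS" check. The following is an added illustration written for this archive page, not OpenSSH code and not from any poster in the thread. The resolver functions are injected so it runs offline against constructed lookup tables; the addresses, hostnames and the exact warning wording are all made up here, and a real deployment would plug in socket.gethostbyaddr() and socket.getaddrinfo() in the two resolver slots. The use_dns flag models the effect of "UseDNS no": with it off, no lookup happens and no warning can ever be produced, which is why the setting silences the log noise.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check, modelled on sshd's behaviour.

Added example for the mailing-list archive; not OpenSSH's own code.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed lookup tables standing in for the DNS. None of these names or
# addresses come from the original thread; 198.51.100.0/24 is documentation space.
PTR_TABLE: Dict[str, str] = {
    "198.51.100.10": "good.example.net",        # PTR and A records agree
    "198.51.100.20": "stale.example.net",       # PTR names a host whose A record moved
    "198.51.100.30": "orphan.example.net",      # PTR names a host with no A record at all
    # 198.51.100.40 deliberately has no PTR record
}
A_TABLE: Dict[str, List[str]] = {
    "good.example.net": ["198.51.100.10", "2001:db8::10"],
    "stale.example.net": ["198.51.100.21"],
}


def fake_reverse(ip: str) -> Optional[str]:
    """Stand-in for a PTR lookup: hostname for ip, or None if there is none."""
    return PTR_TABLE.get(ip)


def fake_forward(name: str) -> List[str]:
    """Stand-in for an A/AAAA lookup: all addresses for name, possibly empty."""
    return A_TABLE.get(name, [])


@dataclass
class PeerCheck:
    ip: str
    hostname: str            # name the daemon would log and match on; falls back to the bare IP
    warning: Optional[str]   # syslog-style warning text, or None when nothing is wrong


def check_peer(
    ip: str,
    reverse: Callable[[str], Optional[str]] = fake_reverse,
    forward: Callable[[str], List[str]] = fake_forward,
    use_dns: bool = True,
) -> PeerCheck:
    """Reproduce the decision sshd makes for an incoming connection.

    use_dns=False models "UseDNS no": no lookups, no warning, hostname is the IP.
    """
    if not use_dns:
        return PeerCheck(ip=ip, hostname=ip, warning=None)

    name = reverse(ip)
    if name is None:
        # No PTR record at all is *not* treated as suspicious: sshd simply keeps the IP.
        return PeerCheck(ip=ip, hostname=ip, warning=None)

    addrs = forward(name)
    if ip in addrs:
        # Forward and reverse agree: the name is accepted for Match / from= rules.
        return PeerCheck(ip=ip, hostname=name, warning=None)

    # Mismatch: the name is discarded and a warning is logged. This is the
    # case a badly maintained PTR record triggers, hence the false alarms.
    if not addrs:
        msg = f"reverse mapping checking for {name} [{ip}] failed - possible break-in attempt! (constructed wording)"
    else:
        msg = f"address {ip} maps to {name}, but this does not map back to the address - possible break-in attempt! (constructed wording)"
    return PeerCheck(ip=ip, hostname=ip, warning=msg)


def count_warnings(ips: List[str], **kwargs) -> int:
    """How many of the given peers would produce a warning under the given settings."""
    return sum(1 for ip in ips if check_peer(ip, **kwargs).warning is not None)


if __name__ == "__main__":
    for ip in ("198.51.100.10", "198.51.100.20", "198.51.100.30", "198.51.100.40"):
        result = check_peer(ip)
        print(f"{ip:15} -> {result.hostname:20} {result.warning or 'ok'}")
    print("warnings with UseDNS no:", count_warnings(list(PTR_TABLE) + ["198.51.100.40"], use_dns=False))
```

Of the four constructed peers, only the two with a PTR record that does not round-trip produce the warning; a peer with no PTR at all is accepted silently, which matches the point that the check says nothing about trustworthiness, only about DNS hygiene.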