Date: Wed, 18 Jul 2018 22:47:30 +0200
From: Dimitry Andric <dim@FreeBSD.org>
To: Grzegorz Junka <list1@gjunka.com>
Cc: Patrick Proniewski <patpro@patpro.net>, freebsd-security@freebsd.org
Subject: Re: Possible break-in attempt?
Message-ID: <8EDDBDB2-77F5-4CF5-8744-41BEA187C08A@FreeBSD.org>
In-Reply-To: <fd0ab13d-0dda-fa5d-a867-533720d9f47f@gjunka.com>
References: <594ba84b-0691-8471-4bd4-076d0ae3da98@gjunka.com> <368EABCF-A10A-49E9-9473-7753F6BEAA50@patpro.net> <fd0ab13d-0dda-fa5d-a867-533720d9f47f@gjunka.com>
On 18 Jul 2018, at 22:25, Grzegorz Junka <list1@gjunka.com> wrote:
>
> Thank you Patrick. I don't receive that many of them. Maybe a dozen or so since I've set up my server, which was a few years ago. Mostly with the same IP but sometimes a different IP as well. And all those I've received so far were in the last few months.
>
> They surprise me because on the firewall the sshd is forwarded from a non-standard port (i.e. port 22 isn't open).
>
> I am interested in what security precaution FreeBSD is trying to do here. Is the sshd server receiving an ssh login request from an IP that can't be resolved back to a domain in the reverse DNS (PTR) record for that IP?

This is not specifically a FreeBSD precaution, but an upstream OpenSSH feature. OpenSSH supports hostname-based matching rules; see the "Match" keyword in sshd_config(5).

For each incoming IP address, sshd does a reverse lookup, and if that results in a hostname, it does another lookup of that hostname, to see if *that* result matches the original incoming IP address. If it does not, you get this scary warning in syslog about a "possible break-in attempt!".

In my opinion, this is fairly misleading, since almost always the actual cause is badly configured DNS, a very common occurrence. In addition, matching forward and reverse DNS records is no guarantee at all that the incoming IP address is in any way trustworthy.

If you don't use hostname-based matching rules, and don't use "from" directives with hostnames in your authorized_keys files, you can disable the DNS lookups (and the warnings too) by setting "UseDNS no" in your sshd_config file. This is usually one of the first settings I change on any server I configure. :)

-Dimitry
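The check described above (reverse lookup of the peer address, then a forward lookup of the resulting name, with a warning only when the two disagree), together with a pre-flight for the caveat about "Match" rules and "from" directives, as an added example that is not part of the original post or of OpenSSH's own code. The DNS records, the sshd_config excerpt and the authorized_keys lines are all constructed sample data so the script runs offline; the two resolver callbacks are assumptions standing in for socket.gethostbyaddr() and socket.getaddrinfo(), the warning wording is modelled on OpenSSH's syslog messages, and hostname_dependencies() is a heuristic, not a full sshd_config parser.

```python
"""Forward-confirmed reverse DNS as sshd performs it, plus a 'UseDNS no' pre-flight.

Added example: not code from the list post or from OpenSSH. All DNS data is a
constructed in-memory table so the script runs offline.
"""
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample records (documentation-range addresses, not real hosts).
PTR_TABLE: Dict[str, Optional[str]] = {
    "203.0.113.10": "host10.example.net",  # PTR and A agree -> no warning
    "203.0.113.20": "mail.example.org",    # PTR exists, A points elsewhere -> warning
    "203.0.113.30": None,                  # no PTR at all -> sshd logs the bare IP
    "203.0.113.40": "ghost.example.org",   # PTR exists, name has no A record -> warning
}
A_TABLE: Dict[str, List[str]] = {
    "host10.example.net": ["203.0.113.10"],
    "mail.example.org": ["198.51.100.5"],
}


def reverse_lookup(ip: str) -> Optional[str]:
    """Assumed stand-in for socket.gethostbyaddr(); returns the PTR name or None."""
    return PTR_TABLE.get(ip)


def forward_lookup(name: str) -> List[str]:
    """Assumed stand-in for socket.getaddrinfo(); returns all addresses of a name."""
    return A_TABLE.get(name, [])


def fcrdns_check(ip: str,
                 reverse: Callable[[str], Optional[str]] = reverse_lookup,
                 forward: Callable[[str], List[str]] = forward_lookup) -> Tuple[str, str]:
    """Classify a peer address the way sshd does when UseDNS is yes.

    Returns (status, syslog-style message); status is 'ok', 'no-ptr' or
    'mismatch'. Only 'mismatch' yields the 'POSSIBLE BREAK-IN ATTEMPT' text.
    """
    ipaddress.ip_address(ip)  # reject garbage before doing any lookup
    name = reverse(ip)
    if name is None:
        # Missing PTR is not an error for sshd: it simply uses the address.
        return "no-ptr", f"client {ip} has no reverse DNS; logging the address only"
    addrs = forward(name)
    if not addrs:
        return "mismatch", (f"reverse mapping checking getaddrinfo for {name} "
                            f"[{ip}] failed - POSSIBLE BREAK-IN ATTEMPT!")
    if ip not in addrs:
        return "mismatch", (f"Address {ip} maps to {name}, but this does not "
                            "map back to the address - POSSIBLE BREAK-IN ATTEMPT!")
    return "ok", f"client {name} [{ip}] forward and reverse DNS agree"


# Pre-flight for the caveat in the post: does anything rely on the client's hostname?
_FROM_OPT = re.compile(r'from="([^"]*)"')


def _is_address_pattern(pat: str) -> bool:
    """True for IPv4/CIDR/wildcard or IPv6 patterns; anything else is a hostname."""
    pat = pat.lstrip("!")
    return ":" in pat or re.fullmatch(r"[0-9.*?/]+", pat) is not None


def hostname_dependencies(sshd_config: str, authorized_keys: str) -> List[str]:
    """Return the lines that would behave differently under 'UseDNS no'.

    Heuristic: a 'Match Host' criterion or a non-address from= pattern needs
    the resolved client name. An empty list means the setting is safe to flip.
    """
    reasons: List[str] = []
    for line in sshd_config.splitlines():
        tokens = line.split("#", 1)[0].split()
        if tokens and tokens[0].lower() == "match":
            criteria = [t.lower() for t in tokens[1::2]]  # Match crit val crit val ...
            if "host" in criteria:
                reasons.append(f"sshd_config: {line.strip()}")
    for line in authorized_keys.splitlines():
        m = _FROM_OPT.search(line)
        if m:
            for pat in m.group(1).split(","):
                if not _is_address_pattern(pat):
                    reasons.append(f"authorized_keys: from={pat!r}")
    return reasons


# Constructed excerpts (placeholder key material, not real keys).
SAMPLE_SSHD_CONFIG = """\
UseDNS yes
Match Host *.corp.example.com
    PasswordAuthentication no
Match Address 203.0.113.0/24
    MaxAuthTries 3
"""
SAMPLE_AUTHORIZED_KEYS = """\
from="203.0.113.0/24,!203.0.113.99" ssh-ed25519 AAAAPLACEHOLDER constructed-key-1
from="*.corp.example.com" ssh-ed25519 AAAAPLACEHOLDER constructed-key-2
ssh-ed25519 AAAAPLACEHOLDER constructed-key-3
"""

if __name__ == "__main__":
    for sample_ip in PTR_TABLE:
        print(*fcrdns_check(sample_ip), sep=": ")
    print(hostname_dependencies(SAMPLE_SSHD_CONFIG, SAMPLE_AUTHORIZED_KEYS))
```

Running it shows that only the two inconsistent records produce the warning text, and that the constructed "Match Host" block and the "from=\"*.corp.example.com\"" option are the two things that would stop working if "UseDNS no" were set; the "Match Address" block and the CIDR from= pattern are unaffected. On a real host the effective value can be read with `sshd -T`.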