From owner-freebsd-security Fri Apr 12 4: 7:56 2002
Date: Fri, 12 Apr 2002 21:07:10 +1000 (EST)
From: Andy Farkas
Cc: "Kevin Kinsey, DaleCo, S.P."
Subject: hosts.allow and RFC931 - was: sshd warning---a lil' help?
In-Reply-To: <20020409185049.A17491@cowbert.2y.net>

On Tue, 9 Apr 2002, Peter C. Lai wrote:

> a is true. the message is coming from hosts.allow, which checks for rdns as
> a (weak) signal of spoofed packets. You can deny these connections by
> by turning on:
>
> ALL : PARANOID : RFC931 20 : deny
> # Provide some protection against clients using a forged source IP address
>

Question: the above rule in the default /etc/hosts.allow file is *above* the
rules regarding sshd - does this mean that sshd is not protected against
forged source IP addresses?

Also, it's been 2 and-a-bit years since this absolutely ridiculous bit of
ascii-art was added to hosts.allow:

#   _____                                 _          _
#  | ____| __  __  __ _  _ __ ___   _ __ | |  ___   | |
#  |  _|   \ \/ / / _` || '_ ` _ \ | '_ \| | / _ \  | |
#  | |___   > <  | (_| || | | | | || |_) | ||  __/  |_|
#  |_____| /_/\_\ \__,_||_| |_| |_|| .__/|_| \___|  (_)
#                                  |_|

....could we *please* remove it? If it really is an example file, then it
should be moved to /usr/share/examples or renamed to hosts.allow.sample...

> > b would have sshd report "password" or keypair "accepted for username".
> > c would have shown that user being rejected
>
> consequently, we don't know from what you've given us to know
> if someone logged in successfully to sshd running with pid 34375
> at that time :)
>
> On Tue, Apr 09, 2002 at 08:03:02AM -0500, Kevin Kinsey, DaleCo, S.P. wrote:
> > Apr 9 07:50:00 elisha sshd[34375]: warning: /etc/hosts.allow, line 23:
> > can't verify hostname: getaddrinfo(gbrdialin, AF_INET$) Failed
> >
> > This computer ---
> >
> > a - has incorrect or NO reverse DNS ?
> > b - tried to authenticate via ssh login and succeeded?
> > c - tried to authenticate via ssh login and failed?
> > d - other
> >
> > TIA, Kevin Kinsey
>
> --
> Peter C. Lai
> University of Connecticut
> Dept. of Residential Life | Programmer
> Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
> http://cowbert.2y.net/
> 860.427.4542 (Room)
> 860.486.1899 (Lab)
> 203.206.3784 (Cellphone)

--

:{ andyf@speednet.com.au

        Andy Farkas
    System Administrator
   Speednet Communications
 http://www.speednet.com.au/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
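As an added illustration (not code from this thread or from tcp_wrappers itself), the Python below models how tcpd walks hosts.allow top to bottom and stops at the first (daemon, client) match, so a deny line for ALL daemons placed above the sshd rules is consulted for sshd connections too. The hosts.allow text, the PTR/A tables and the addresses are constructed; the RFC931 ident lookup is not modelled, and hosts.deny is assumed empty.

```python
import ipaddress

# Constructed hosts.allow, modelled on the default file discussed in the thread.
HOSTS_ALLOW = """\
# Provide some protection against clients using a forged source IP address
ALL : PARANOID : RFC931 20 : deny
sshd : 192.168.0.0/255.255.255.0 : allow
sshd : ALL : deny
"""

# Constructed DNS view standing in for the PTR and A lookups tcpd performs.
PTR = {"10.0.0.5": "gbrdialin", "192.168.0.7": "desk.example.net"}
A = {"desk.example.net": ["192.168.0.7"]}   # no forward record for "gbrdialin"

def client_name(addr):
    """Mimic tcpd's hostname check: the PTR name must resolve back to addr."""
    name = PTR.get(addr)
    if name is None:
        return "unknown"        # no reverse record at all -> UNKNOWN
    if addr not in A.get(name, []):
        return "paranoid"       # forward lookup fails/disagrees -> PARANOID (the warning case)
    return name

def client_matches(pattern, addr):
    """Client patterns supported by this model: ALL, PARANOID, net/mask, address, name."""
    name = client_name(addr)
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return name == "paranoid"
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (addr, name)

def evaluate(daemon, addr, table=HOSTS_ALLOW):
    """First matching rule wins; a rule carrying the 'deny' option denies.
    Returns (verdict, matching rule), or ('allow', None) when nothing matched."""
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons, clients, options = fields[0], fields[1], fields[2:]
        if daemons != "ALL" and daemon not in [d.strip() for d in daemons.split(",")]:
            continue
        if any(client_matches(c.strip(), addr) for c in clients.split(",")):
            return ("deny" if "deny" in options else "allow", line)
    return ("allow", None)      # hosts.deny would be consulted next; assumed empty here
```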