From owner-freebsd-security Sun Jun 2 15: 1: 9 2002 Delivered-To: freebsd-security@freebsd.org Received: from rwcrmhc52.attbi.com (rwcrmhc52.attbi.com [216.148.227.88]) by hub.freebsd.org (Postfix) with ESMTP id D9C6F37B406 for ; Sun, 2 Jun 2002 15:01:04 -0700 (PDT) Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc52.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020602220104.IDYP2751.rwcrmhc52.attbi.com@blossom.cjclark.org>; Sun, 2 Jun 2002 22:01:04 +0000 Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.6) id g52M11X34476; Sun, 2 Jun 2002 15:01:01 -0700 (PDT) (envelope-from crist.clark@attbi.com) X-Authentication-Warning: blossom.cjclark.org: cjc set sender to crist.clark@attbi.com using -f Date: Sun, 2 Jun 2002 15:01:01 -0700 From: "Crist J. Clark" To: Drew Tomlinson Cc: Hajimu UMEMOTO , security@FreeBSD.ORG Subject: Re: Security Messages re: hosts.allow? Message-ID: <20020602150101.I20911@blossom.cjclark.org> Reply-To: cjclark@alum.mit.edu References: <007e01c20a47$7fabb370$1b01a8c0@TAGALONG> <20020602113409.F20911@blossom.cjclark.org> <20020602121922.H20911@blossom.cjclark.org> <000e01c20a7a$edf501a0$1b01a8c0@TAGALONG> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <000e01c20a7a$edf501a0$1b01a8c0@TAGALONG>; from drew@mykitchentable.net on Sun, Jun 02, 2002 at 02:17:40PM -0700 X-URL: http://people.freebsd.org/~cjc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sun, Jun 02, 2002 at 02:17:40PM -0700, Drew Tomlinson wrote: > ----- Original Message ----- > From: "Crist J. Clark" > To: "Hajimu UMEMOTO" > Cc: "Drew Tomlinson" ; > Sent: Sunday, June 02, 2002 12:19 PM > Subject: Re: Security Messages re: hosts.allow? > > > > On Mon, Jun 03, 2002 at 03:50:33AM +0900, Hajimu UMEMOTO wrote: > > > Hi, > > > > > > >>>>> On Sun, 2 Jun 2002 11:34:09 -0700 > > > >>>>> "Crist J. Clark" said: > > > > > > crist.clark> server1.camelweb.com.tw. 23h59m43s IN CNAME > dns.camelweb.com.tw. > > > crist.clark> server1.camelweb.com.tw. 23h59m43s IN A > 210.59.224.44 > > > crist.clark> dns.camelweb.com.tw. 22h47m42s IN A > 210.59.224.42 > > > > > > crist.clark> 42.224.59.210.in-addr.arpa. 9h1m47s IN PTR > server1.camelweb.com.tw. > > > > > > crist.clark> But from the looks of it, these DNS entries > themselves do not look > > > crist.clark> malicious. > > > > > > No, CNAME RR cannot co-exist with A RR. > > > > I didn't say it wasn't broken DNS. I was saying that it does not > look > > like someone is trying to pretend they are someone they are not > (which > > is the reason tcpwrapper produces that kind of warning). > > Thanks for your replies. So the bottom line is that someone from this > domain attempted to establish a ssh session with my server? This is > just a little home server for my amusement and no one other than > myself should access it. I guess it might be time to learn about > "keys" and restrict access to only myself. Any reading suggestions > for an absolute beginner? My best guess is that the host that hit you was compromised and is being used to scan for hosts running vulnerable SSH daemons. Double-check that you were not running a vulnerable version of SSH. -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message