Date: Fri, 20 Jul 2018 20:05:09 +0100 From: Jamie Landeg-Jones <jamie@catflap.org> To: list1@gjunka.com, dim@freebsd.org Cc: freebsd-security@freebsd.org Subject: Re: Possible break-in attempt? Message-ID: <201807201905.w6KJ59hn079229@donotpassgo.dyslexicfish.net> In-Reply-To: <8EDDBDB2-77F5-4CF5-8744-41BEA187C08A@FreeBSD.org> References: <594ba84b-0691-8471-4bd4-076d0ae3da98@gjunka.com> <368EABCF-A10A-49E9-9473-7753F6BEAA50@patpro.net> <fd0ab13d-0dda-fa5d-a867-533720d9f47f@gjunka.com> <8EDDBDB2-77F5-4CF5-8744-41BEA187C08A@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Dimitry Andric <dim@freebsd.org> wrote: > For each incoming IP address, sshd does a reverse lookup, and if that > results in a hostname, it does another lookup of that hostname, to see > if *that* result matches the original incoming IP address. If it does > not, you get this scary warning in syslog about a "possible break-in > attempt!". > > In my opinion, this is fairly misleading, since almost always the actual > cause is badly configured DNS, a very common occurrence. In addition, > matching forward and reverse DNS records is no guarantee at all that the > incoming IP address is in any way trustworthy. I'm not sure which version this made it into, but they actually removed this over 2 years ago. It's not in the openssh that ships with FreeBSD 11.2: | commit e690fe85750e93fca1fb7c7c8587d4130a4f7aba | Author: dtucker@openbsd.org <dtucker@openbsd.org> | Date: Wed Jun 15 00:40:40 2016 +0000 | | upstream commit | | Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message | about forward and reverse DNS not matching. We haven't supported IP-based | auth methods for a very long time so it's now misleading. part of bz#2585, | ok markus@ | | Upstream-ID: 5565ef0ee0599b27f0bd1d3bb1f8a323d8274e29 cheers, Jamie
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201807201905.w6KJ59hn079229>