From owner-freebsd-security@freebsd.org  Fri Jul 20 19:05:12 2018
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 9AC04104F6EF
 for <freebsd-security@mailman.ysv.freebsd.org>;
 Fri, 20 Jul 2018 19:05:12 +0000 (UTC)
 (envelope-from jamie@catflap.org)
Received: from donotpassgo.dyslexicfish.net (donotpassgo.dyslexicfish.net
 [IPv6:2001:19f0:300:2185:a:dead:bad:faff])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 4786489AAF;
 Fri, 20 Jul 2018 19:05:11 +0000 (UTC)
 (envelope-from jamie@catflap.org)
Received: from donotpassgo.dyslexicfish.net (donotpassgo.dyslexicfish.net
 [104.207.135.49])
 by donotpassgo.dyslexicfish.net (8.14.5/8.14.5) with ESMTP id w6KJ5A2n079232; 
 Fri, 20 Jul 2018 20:05:10 +0100 (BST)
 (envelope-from jamie@donotpassgo.dyslexicfish.net)
Received: (from jamie@localhost)
 by donotpassgo.dyslexicfish.net (8.14.5/8.14.5/Submit) id w6KJ59hn079229;
 Fri, 20 Jul 2018 20:05:09 +0100 (BST) (envelope-from jamie)
From: Jamie Landeg-Jones <jamie@catflap.org>
Message-Id: <201807201905.w6KJ59hn079229@donotpassgo.dyslexicfish.net>
Date: Fri, 20 Jul 2018 20:05:09 +0100
Organization: Dyslexic Fish
To: list1@gjunka.com, dim@freebsd.org
Cc: freebsd-security@freebsd.org
Subject: Re: Possible break-in attempt?
References: <594ba84b-0691-8471-4bd4-076d0ae3da98@gjunka.com>
 <368EABCF-A10A-49E9-9473-7753F6BEAA50@patpro.net>
 <fd0ab13d-0dda-fa5d-a867-533720d9f47f@gjunka.com>
 <8EDDBDB2-77F5-4CF5-8744-41BEA187C08A@FreeBSD.org>
In-Reply-To: <8EDDBDB2-77F5-4CF5-8744-41BEA187C08A@FreeBSD.org>
User-Agent: Heirloom mailx 12.4 7/29/08
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Jul 2018 19:05:12 -0000

Dimitry Andric <dim@freebsd.org> wrote:

> For each incoming IP address, sshd does a reverse lookup, and if that
> results in a hostname, it does another lookup of that hostname, to see
> if *that* result matches the original incoming IP address.  If it does
> not, you get this scary warning in syslog about a "possible break-in
> attempt!".
>
> In my opinion, this is fairly misleading, since almost always the actual
> cause is badly configured DNS, a very common occurrence.  In addition,
> matching forward and reverse DNS records is no guarantee at all that the
> incoming IP address is in any way trustworthy.

I'm not sure which version this made it into, but they actually removed this
over 2 years ago. It's not in the openssh that ships with FreeBSD 11.2:

 | commit e690fe85750e93fca1fb7c7c8587d4130a4f7aba
 | Author: dtucker@openbsd.org <dtucker@openbsd.org>
 | Date:   Wed Jun 15 00:40:40 2016 +0000
 |
 |     upstream commit
 |
 |     Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message
 |     about forward and reverse DNS not matching.  We haven't supported IP-based
 |     auth methods for a very long time so it's now misleading.  part of bz#2585,
 |     ok markus@
 |
 |     Upstream-ID: 5565ef0ee0599b27f0bd1d3bb1f8a323d8274e29

cheers, Jamie