Date: Sat, 21 Jul 2018 07:03:38 -0400 From: Chad Jacob Milios <freebsd-list@nuos.org> To: freebsd-security@freebsd.org Subject: Re: Possible break-in attempt? Message-ID: <2E502F45-E6F6-44D7-AE9E-9B8B08C1CEBE@nuos.org> In-Reply-To: <201807201905.w6KJ59hn079229@donotpassgo.dyslexicfish.net> References: <594ba84b-0691-8471-4bd4-076d0ae3da98@gjunka.com> <368EABCF-A10A-49E9-9473-7753F6BEAA50@patpro.net> <fd0ab13d-0dda-fa5d-a867-533720d9f47f@gjunka.com> <8EDDBDB2-77F5-4CF5-8744-41BEA187C08A@FreeBSD.org> <201807201905.w6KJ59hn079229@donotpassgo.dyslexicfish.net>
next in thread | previous in thread | raw e-mail | index | archive | help
> On Jul 20, 2018, at 3:05 PM, Jamie Landeg-Jones <jamie@catflap.org> = wrote: >=20 > Dimitry Andric <dim@freebsd.org> wrote: >=20 >> For each incoming IP address, sshd does a reverse lookup, and if that >> results in a hostname, it does another lookup of that hostname, to = see >> if *that* result matches the original incoming IP address. If it = does >> not, you get this scary warning in syslog about a "possible break-in >> attempt!". >>=20 >> In my opinion, this is fairly misleading, since almost always the = actual >> cause is badly configured DNS, a very common occurrence. In = addition, >> matching forward and reverse DNS records is no guarantee at all that = the >> incoming IP address is in any way trustworthy. >=20 > I'm not sure which version this made it into, but they actually = removed this > over 2 years ago. It's not in the openssh that ships with FreeBSD = 11.2: >=20 > | commit e690fe85750e93fca1fb7c7c8587d4130a4f7aba > | Author: dtucker@openbsd.org <dtucker@openbsd.org> > | Date: Wed Jun 15 00:40:40 2016 +0000 > | > | upstream commit > | > | Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message > | about forward and reverse DNS not matching. We haven't = supported IP-based > | auth methods for a very long time so it's now misleading. part = of bz#2585, > | ok markus@ > | > | Upstream-ID: 5565ef0ee0599b27f0bd1d3bb1f8a323d8274e29 >=20 > cheers, Jamie adding: UseDNS no has the added benefit of avoiding a grueling delay when YOU are the one = behind an IP address with a misconfigured reverse DNS mapping (which is = horribly common on consumer networks). It goes into /etc/ssh/sshd_config = and has been among my initial configuration to every FreeBSD box i=E2=80=99= ve stood up for a decade. openssh-portable (in ports, produced by the paranoid fellows at OpenBSD) = has actually switched to adopt this, UseDNS no, as their default = configuration for, i think its been a couple years now. This is in = addition to dropping the message from their log output if UseDNS yes. There is no point to this foolishly alarming message. Be mindful of the = OTHER ways you must surely have in place to keep your sshd hard against = attack. -CJ=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2E502F45-E6F6-44D7-AE9E-9B8B08C1CEBE>