From owner-freebsd-security@freebsd.org Sat Jul 21 12:05:40 2018 Return-Path: Delivered-To: freebsd-security@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5B0D3104905F for ; Sat, 21 Jul 2018 12:05:40 +0000 (UTC) (envelope-from freebsd-list@nuos.org) Received: from cargobay.net (cargobay.net [23.111.168.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 096F488372 for ; Sat, 21 Jul 2018 12:05:39 +0000 (UTC) (envelope-from freebsd-list@nuos.org) Received: from [192.168.1.4] (unknown [67.8.153.7]) by jack.ccsys.com (Postfix) with ESMTPSA id BCCAF2B77; Sat, 21 Jul 2018 12:05:37 +0000 (UTC) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\)) Subject: Re: Possible break-in attempt? From: Chad Jacob Milios In-Reply-To: Date: Sat, 21 Jul 2018 08:05:36 -0400 Cc: freebsd-security@freebsd.org Content-Transfer-Encoding: quoted-printable Message-Id: <0DDFA4FB-4FAB-49F0-99E8-9958DB1D889F@nuos.org> References: <594ba84b-0691-8471-4bd4-076d0ae3da98@gjunka.com> <368EABCF-A10A-49E9-9473-7753F6BEAA50@patpro.net> <8EDDBDB2-77F5-4CF5-8744-41BEA187C08A@FreeBSD.org> <201807201905.w6KJ59hn079229@donotpassgo.dyslexicfish.net> <2E502F45-E6F6-44D7-AE9E-9B8B08C1CEBE@nuos.org> To: Grzegorz Junka X-Mailer: Apple Mail (2.3445.9.1) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Jul 2018 12:05:40 -0000 > On Jul 21, 2018, at 7:57 AM, Grzegorz Junka wrote: > On 21/07/2018 11:03, Chad Jacob Milios wrote: >>> On Jul 20, 2018, at 3:05 PM, Jamie Landeg-Jones = wrote: >>>=20 >>> Dimitry Andric wrote: >>>=20 >>>> For each incoming IP address, sshd does a reverse lookup, and if = that >>>> results in a hostname, it does another lookup of that hostname, to = see >>>> if *that* result matches the original incoming IP address. If it = does >>>> not, you get this scary warning in syslog about a "possible = break-in >>>> attempt!". >>>>=20 >>>> In my opinion, this is fairly misleading, since almost always the = actual >>>> cause is badly configured DNS, a very common occurrence. In = addition, >>>> matching forward and reverse DNS records is no guarantee at all = that the >>>> incoming IP address is in any way trustworthy. >>> I'm not sure which version this made it into, but they actually = removed this >>> over 2 years ago. It's not in the openssh that ships with FreeBSD = 11.2: >>>=20 >>> | commit e690fe85750e93fca1fb7c7c8587d4130a4f7aba >>> | Author: dtucker@openbsd.org >>> | Date: Wed Jun 15 00:40:40 2016 +0000 >>> | >>> | upstream commit >>> | >>> | Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message >>> | about forward and reverse DNS not matching. We haven't = supported IP-based >>> | auth methods for a very long time so it's now misleading. = part of bz#2585, >>> | ok markus@ >>> | >>> | Upstream-ID: 5565ef0ee0599b27f0bd1d3bb1f8a323d8274e29 >>>=20 >>> cheers, Jamie >> adding: >>=20 >> UseDNS no >>=20 >> has the added benefit of avoiding a grueling delay when YOU are the = one behind an IP address with a misconfigured reverse DNS mapping (which = is horribly common on consumer networks). It goes into = /etc/ssh/sshd_config and has been among my initial configuration to = every FreeBSD box i=E2=80=99ve stood up for a decade. >>=20 >> openssh-portable (in ports, produced by the paranoid fellows at = OpenBSD) has actually switched to adopt this, UseDNS no, as their = default configuration for, i think its been a couple years now. This is = in addition to dropping the message from their log output if UseDNS yes. >>=20 >> There is no point to this foolishly alarming message. Be mindful of = the OTHER ways you must surely have in place to keep your sshd hard = against attack. >>=20 >=20 > Good to know. But the documentation says setting to no prevents from = using DNS in known_hosts. When I look into my known_hosts I see many = dns-only names, e.g. github.com among others. >=20 > GrzegorzJ In which man page or web page are you seeing this information?=