From owner-freebsd-security@freebsd.org  Sat Jul 21 12:05:40 2018
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5B0D3104905F
 for <freebsd-security@mailman.ysv.freebsd.org>;
 Sat, 21 Jul 2018 12:05:40 +0000 (UTC)
 (envelope-from freebsd-list@nuos.org)
Received: from cargobay.net (cargobay.net [23.111.168.34])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 096F488372
 for <freebsd-security@freebsd.org>; Sat, 21 Jul 2018 12:05:39 +0000 (UTC)
 (envelope-from freebsd-list@nuos.org)
Received: from [192.168.1.4] (unknown [67.8.153.7])
 by jack.ccsys.com (Postfix) with ESMTPSA id BCCAF2B77;
 Sat, 21 Jul 2018 12:05:37 +0000 (UTC)
Content-Type: text/plain;
	charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Subject: Re: Possible break-in attempt?
From: Chad Jacob Milios <freebsd-list@nuos.org>
In-Reply-To: <d5f56af2-bd11-60d2-ba8d-06ed50872ef9@gjunka.com>
Date: Sat, 21 Jul 2018 08:05:36 -0400
Cc: freebsd-security@freebsd.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <0DDFA4FB-4FAB-49F0-99E8-9958DB1D889F@nuos.org>
References: <594ba84b-0691-8471-4bd4-076d0ae3da98@gjunka.com>
 <368EABCF-A10A-49E9-9473-7753F6BEAA50@patpro.net>
 <fd0ab13d-0dda-fa5d-a867-533720d9f47f@gjunka.com>
 <8EDDBDB2-77F5-4CF5-8744-41BEA187C08A@FreeBSD.org>
 <201807201905.w6KJ59hn079229@donotpassgo.dyslexicfish.net>
 <2E502F45-E6F6-44D7-AE9E-9B8B08C1CEBE@nuos.org>
 <d5f56af2-bd11-60d2-ba8d-06ed50872ef9@gjunka.com>
To: Grzegorz Junka <list1@gjunka.com>
X-Mailer: Apple Mail (2.3445.9.1)
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Jul 2018 12:05:40 -0000

> On Jul 21, 2018, at 7:57 AM, Grzegorz Junka <list1@gjunka.com> wrote:
> On 21/07/2018 11:03, Chad Jacob Milios wrote:
>>> On Jul 20, 2018, at 3:05 PM, Jamie Landeg-Jones <jamie@catflap.org> =
wrote:
>>>=20
>>> Dimitry Andric <dim@freebsd.org> wrote:
>>>=20
>>>> For each incoming IP address, sshd does a reverse lookup, and if =
that
>>>> results in a hostname, it does another lookup of that hostname, to =
see
>>>> if *that* result matches the original incoming IP address.  If it =
does
>>>> not, you get this scary warning in syslog about a "possible =
break-in
>>>> attempt!".
>>>>=20
>>>> In my opinion, this is fairly misleading, since almost always the =
actual
>>>> cause is badly configured DNS, a very common occurrence.  In =
addition,
>>>> matching forward and reverse DNS records is no guarantee at all =
that the
>>>> incoming IP address is in any way trustworthy.
>>> I'm not sure which version this made it into, but they actually =
removed this
>>> over 2 years ago. It's not in the openssh that ships with FreeBSD =
11.2:
>>>=20
>>> | commit e690fe85750e93fca1fb7c7c8587d4130a4f7aba
>>> | Author: dtucker@openbsd.org <dtucker@openbsd.org>
>>> | Date:   Wed Jun 15 00:40:40 2016 +0000
>>> |
>>> |     upstream commit
>>> |
>>> |     Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message
>>> |     about forward and reverse DNS not matching.  We haven't =
supported IP-based
>>> |     auth methods for a very long time so it's now misleading.  =
part of bz#2585,
>>> |     ok markus@
>>> |
>>> |     Upstream-ID: 5565ef0ee0599b27f0bd1d3bb1f8a323d8274e29
>>>=20
>>> cheers, Jamie
>> adding:
>>=20
>> UseDNS no
>>=20
>> has the added benefit of avoiding a grueling delay when YOU are the =
one behind an IP address with a misconfigured reverse DNS mapping (which =
is horribly common on consumer networks). It goes into =
/etc/ssh/sshd_config and has been among my initial configuration to =
every FreeBSD box i=E2=80=99ve stood up for a decade.
>>=20
>> openssh-portable (in ports, produced by the paranoid fellows at =
OpenBSD) has actually switched to adopt this, UseDNS no, as their =
default configuration for, i think its been a couple years now. This is =
in addition to dropping the message from their log output if UseDNS yes.
>>=20
>> There is no point to this foolishly alarming message. Be mindful of =
the OTHER ways you must surely have in place to keep your sshd hard =
against attack.
>>=20
>=20
> Good to know. But the documentation says setting to no prevents from =
using DNS in known_hosts. When I look into my known_hosts I see many =
dns-only names, e.g. github.com among others.
>=20
> GrzegorzJ

In which man page or web page are you seeing this information?=