From owner-freebsd-bugs@FreeBSD.ORG Wed Sep 13 10:10:56 2006
Message-Id: <20060913100132.5B568C46E@ice.42.org>
Date: Wed, 13 Sep 2006 12:01:32 +0200 (CEST)
From: Stefan `Sec` Zehl
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: conf/103215: "security run output" info flooded with pointless warnings

>Number:         103215
>Category:       conf
>Synopsis:       "security run output" info flooded with pointless warnings
>Confidential:   no
>Severity:       critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 13 10:10:22 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Stefan `Sec` Zehl
>Release:        FreeBSD 5.5-STABLE i386
>Organization:
>Environment:
System: FreeBSD ice 5.5-STABLE FreeBSD 5.5-STABLE #31: Thu Jun 1 19:05:49 CEST 2006 root@ice:/export/obj/export/src/sys/ICE i386
>Description:
The "daily security output" on every internet-connected machine I own is filled with pointless ssh warnings like these:

    Sep 12 07:00:46 ice sshd[33728]: reverse mapping checking getaddrinfo for \
        221-134-109-162.sify.net failed - POSSIBLE BREAKIN ATTEMPT!

These warnings are not only wrong (these are simply misconfigured scanner hosts) but, more importantly, these warnings are not in any way aggregated or rate-limited. This means that every "daily security run output" is filled with these messages to the point that any other (possibly way more important) output is masked. You are not able to see _important_ events at a glance any more. Mass-warning on unimportant events like this only serves to propagate warning fatigue to the point that people stop reading these reports.
>How-To-Repeat:
Run FreeBSD on an internet-connected machine. Have ssh open.
>Fix:
I personally would simply disable the pointless warning in sshd with the patch at the bottom.
But if necessary, I can provide a patch for the daily security script to simply ignore that warning. A last possibility would be to aggregate these lines into a single one.

--- /usr/src/crypto/openssh/canohost.c.org Tue Apr 20 11:46:39 2004 +++ /usr/src/crypto/openssh/canohost.c Wed Sep 13 11:46:09 2006 @@ -102,8 +102,6 @@ hints.ai_family = from.ss_family; hints.ai_socktype = SOCK_STREAM; if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { - logit("reverse mapping checking getaddrinfo for %.700s " - "failed - POSSIBLE BREAKIN ATTEMPT!", name); return xstrdup(ntop); } /* Look for the address from the list of addresses. */

>Release-Note:
>Audit-Trail:
>Unformatted:
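Review bot: deleting the logit() call in the getaddrinfo-failure branch removes the only record that the reverse lookup for a peer failed; the function still falls through to return xstrdup(ntop), so name resolution is unchanged and only the log line is lost. A smaller change that still keeps the daily report readable would be to lower the message from logit() to debug(), or to keep the message and drop only the "POSSIBLE BREAKIN ATTEMPT!" suffix, so the event stays available for counting or aggregation without reading as an alarm. Also note that the patched file lives under /usr/src/crypto/openssh, so a local edit there is overwritten on the next vendor import unless it is carried as a FreeBSD-specific change.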
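The third option the reporter mentions, aggregating the repeated lines into a single one, as an added example that is not part of this PR nor of FreeBSD's periodic(8) scripts: a POSIX sh filter that collapses the sshd reverse-mapping warnings into one summary line and passes every other log line through. The function names, the summary format and the sample log are assumptions; the first hostname is the one quoted in the report.

```sh
#!/bin/sh
# Added example, not FreeBSD's periodic(8) code: collapse repeated
# "reverse mapping checking getaddrinfo ... failed" sshd warnings into one
# summary line so they no longer drown the rest of the daily security report.
# Every other log line is passed through unchanged.
aggregate_reverse_mapping_warnings() {
    awk '
        /sshd\[[0-9]+\]: reverse mapping checking getaddrinfo for .* failed - POSSIBLE BREAKIN ATTEMPT!/ {
            host = $0
            sub(/.*getaddrinfo for /, "", host)                  # drop syslog prefix
            sub(/ failed - POSSIBLE BREAKIN ATTEMPT!.*/, "", host) # drop warning suffix
            if (!(host in hosts)) distinct++
            hosts[host]++
            total++
            next                                                 # swallow this line
        }
        { print }                                                # anything else passes through
        END {
            if (total > 0) {
                printf "sshd: %d reverse-mapping warning(s) from %d distinct host(s)\n", total, distinct
                for (h in hosts)
                    printf "    %5d  %s\n", hosts[h], h
            }
        }
    '
}

# Constructed sample input (assumption): four sshd lines as syslog writes
# them; the first hostname is the one quoted in the PR.
sample_log() {
    cat <<'EOF'
Sep 12 07:00:46 ice sshd[33728]: reverse mapping checking getaddrinfo for 221-134-109-162.sify.net failed - POSSIBLE BREAKIN ATTEMPT!
Sep 12 07:01:02 ice sshd[33731]: Accepted publickey for sec from 192.0.2.10 port 51234 ssh2
Sep 12 07:03:15 ice sshd[33740]: reverse mapping checking getaddrinfo for 221-134-109-162.sify.net failed - POSSIBLE BREAKIN ATTEMPT!
Sep 12 07:09:41 ice sshd[33752]: reverse mapping checking getaddrinfo for scanner.example.invalid failed - POSSIBLE BREAKIN ATTEMPT!
EOF
}

# Usage: sample_log | aggregate_reverse_mapping_warnings
```

On the sample above the three warnings become one summary line with a per-host count, while the "Accepted publickey" line is printed unchanged.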