Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 21 Jul 2018 11:57:07 +0000
From:      Grzegorz Junka <list1@gjunka.com>
To:        freebsd-security@freebsd.org
Subject:   Re: Possible break-in attempt?
Message-ID:  <d5f56af2-bd11-60d2-ba8d-06ed50872ef9@gjunka.com>
In-Reply-To: <2E502F45-E6F6-44D7-AE9E-9B8B08C1CEBE@nuos.org>
References:  <594ba84b-0691-8471-4bd4-076d0ae3da98@gjunka.com> <368EABCF-A10A-49E9-9473-7753F6BEAA50@patpro.net> <fd0ab13d-0dda-fa5d-a867-533720d9f47f@gjunka.com> <8EDDBDB2-77F5-4CF5-8744-41BEA187C08A@FreeBSD.org> <201807201905.w6KJ59hn079229@donotpassgo.dyslexicfish.net> <2E502F45-E6F6-44D7-AE9E-9B8B08C1CEBE@nuos.org>

next in thread | previous in thread | raw e-mail | index | archive | help

On 21/07/2018 11:03, Chad Jacob Milios wrote:
>> On Jul 20, 2018, at 3:05 PM, Jamie Landeg-Jones <jamie@catflap.org> wrote:
>>
>> Dimitry Andric <dim@freebsd.org> wrote:
>>
>>> For each incoming IP address, sshd does a reverse lookup, and if that
>>> results in a hostname, it does another lookup of that hostname, to see
>>> if *that* result matches the original incoming IP address.  If it does
>>> not, you get this scary warning in syslog about a "possible break-in
>>> attempt!".
>>>
>>> In my opinion, this is fairly misleading, since almost always the actual
>>> cause is badly configured DNS, a very common occurrence.  In addition,
>>> matching forward and reverse DNS records is no guarantee at all that the
>>> incoming IP address is in any way trustworthy.
>> I'm not sure which version this made it into, but they actually removed this
>> over 2 years ago. It's not in the openssh that ships with FreeBSD 11.2:
>>
>> | commit e690fe85750e93fca1fb7c7c8587d4130a4f7aba
>> | Author: dtucker@openbsd.org <dtucker@openbsd.org>
>> | Date:   Wed Jun 15 00:40:40 2016 +0000
>> |
>> |     upstream commit
>> |
>> |     Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message
>> |     about forward and reverse DNS not matching.  We haven't supported IP-based
>> |     auth methods for a very long time so it's now misleading.  part of bz#2585,
>> |     ok markus@
>> |
>> |     Upstream-ID: 5565ef0ee0599b27f0bd1d3bb1f8a323d8274e29
>>
>> cheers, Jamie
> adding:
>
> UseDNS no
>
> has the added benefit of avoiding a grueling delay when YOU are the one behind an IP address with a misconfigured reverse DNS mapping (which is horribly common on consumer networks). It goes into /etc/ssh/sshd_config and has been among my initial configuration to every FreeBSD box i’ve stood up for a decade.
>
> openssh-portable (in ports, produced by the paranoid fellows at OpenBSD) has actually switched to adopt this, UseDNS no, as their default configuration for, i think its been a couple years now. This is in addition to dropping the message from their log output if UseDNS yes.
>
> There is no point to this foolishly alarming message. Be mindful of the OTHER ways you must surely have in place to keep your sshd hard against attack.
>

Good to know. But the documentation says setting to no prevents from 
using DNS in known_hosts. When I look into my known_hosts I see many 
dns-only names, e.g. github.com among others.

GrzegorzJ



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?d5f56af2-bd11-60d2-ba8d-06ed50872ef9>