Possible break-in attempt?
Jamie Landeg-Jones
jamie at catflap.org
Fri Jul 20 19:05:12 UTC 2018
Dimitry Andric <dim at freebsd.org> wrote:
> For each incoming IP address, sshd does a reverse lookup, and if that
> results in a hostname, it does another lookup of that hostname, to see
> if *that* result matches the original incoming IP address. If it does
> not, you get this scary warning in syslog about a "possible break-in
> attempt!".
>
> In my opinion, this is fairly misleading, since almost always the actual
> cause is badly configured DNS, a very common occurrence. In addition,
> matching forward and reverse DNS records is no guarantee at all that the
> incoming IP address is in any way trustworthy.
I'm not sure which version this made it into, but they actually removed this
over 2 years ago. It's not in the openssh that ships with FreeBSD 11.2:
| commit e690fe85750e93fca1fb7c7c8587d4130a4f7aba
| Author: dtucker at openbsd.org <dtucker at openbsd.org>
| Date: Wed Jun 15 00:40:40 2016 +0000
|
| upstream commit
|
| Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message
| about forward and reverse DNS not matching. We haven't supported IP-based
| auth methods for a very long time so it's now misleading. part of bz#2585,
| ok markus@
|
| Upstream-ID: 5565ef0ee0599b27f0bd1d3bb1f8a323d8274e29
cheers, Jamie
More information about the freebsd-security
mailing list