Useless log message "POSSIBLE BREAK-IN ATTEMPT"

Dan Mahoney, System Admin danm at prime.gushi.org
Sat Dec 28 09:52:14 EST 2013 

On Thu, 26 Dec 2013, Dan Kaminsky wrote:

> The deal is that IP addresses are useless, host names are useful , but host
> name spoofing is actually a real thing that real attackers do.
>
> So, either you don't log, you log hacker controlled data, or you UseDNS.
> OpenSSH, optimizing for security, chooses the last of these options.

I think the point here is that there's no option for openSSH to then *drop 
the connection* or refuse it.  OpenSSH *checks*, but does not 
*enforce* anything.  Sendmail will refuse to relay if my forward and 
reverse DNS don't match.  If I have an Allow From *.example.edu in 
my apache config, apache requires them both to match or it won't 
let me in.  OpenSSH will clutter my logs and do nothing else.

Someone can hammer my root account for hours, trying various passwords, 
but SSH won't throw a warning until ssh reaches MaxAuthTries/2.  But they 
better watch out if they have mismatched DNS!

The only case where this feature might be useful is in cases where you 
have something like:

Match host *.example.edu
GSSAPIAuthentication Yes

or even:

Match host !*.example.edu
GSSAPIAuthentication No
PasswordAuthentication No
ChallengeResponseAuthentication No

(Effectively denying all but key-based login from outside networks you 
presumably control)

At which point, as an admin at Example University, you probably want to 
see if you're getting a lot of spoofing.  (Note that my openssh man pages 
don't say if using a Match Host explicitly checks forward and reverse, or 
only checks rdns).  I also don't see a way to easily say "Deny all 
connections not from this host block".

There's no PAM module that checks that DNS should match and refuses if it 
doesn't.  (Maybe this should be a thing -- I think there's no provision to 
pass connecting IP address to PAM, but it could be added).

Given, you can go ahead and install something like Fail2Ban and configure 
that to trawl your logs for this message, but this message comes up on 
either a successful login, or a failed one.

-Dan

-- 

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
---------------------------

More information about the openssh-unix-dev mailing list