Useless log message "POSSIBLE BREAK-IN ATTEMPT"

ag@gmail amarendra.godbole at gmail.com
Fri Dec 27 11:02:48 EST 2013


If OpenSSH takes no action, this entry does seem pretty useless for the functionality. I don't think it adds any real-life security improvement, but it adds too much noise, which will be ignored anyway.

It may be useful to other log-analyzer software trying to make sense of it, but again the number of false positives renders any meaningful interpretation of these log entries useless as well.

I can't think of a use case for this logging to be enabled by default, if it needs to be there at all, but I may have missed the obvious (which hasn't yet been discussed in this thread).

Thanks.

-coderaptor

--
sent via 100% recycled electrons from my mobile command center.

> On Dec 26, 2013, at 2:19 PM, Dan Kaminsky <dan at doxpara.com> wrote:
> 
> The deal is that IP addresses are useless, host names are useful, but host
> name spoofing is actually a real thing that real attackers do.
> 
> So, either you don't log, you log hacker controlled data, or you UseDNS.
> OpenSSH, optimizing for security, chooses the last of these options.
> 
>> On Thursday, December 26, 2013, Kaz Kylheku wrote:
>> 
>> 
>> 
>>> On 26.12.2013 09:27, Alex Bligh wrote:
>>> 
>>>> On 25 Dec 2013, at 08:04, Ben Lindstrom wrote:
>>>> 
>>>> UseDNS Specifies whether sshd(8) should look up the remote host name
>> and check that the resolved host name for the remote IP address maps back
>> to the very same IP address. The default is ``yes''.
>>> 
>>> I've often wondered why the default for this is 'yes'.
>> 
>> I don't want to read reference manuals. I want software not to do stupid
>> things by default. This misfeature and its configuration option
>> shouldn't even exist.
>> 
>> There isn't any action that the software can take based on this info.
>> (We should never waste resources gathering info that cannot be used to
>> take action.)
>> 
>> You cannot reject hosts from making SSH connections just because they
>> have inconsistent DNS.
>> 
>> Such checks are sometimes useful in software that has no real security,
>> like SMTP. Rejecting inconsistent DNS hosts is an amazingly reliable
>> rule that will get rid of a large fraction of spam, with virtually no
>> false positives.
>> 
>> 
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
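The reverse-then-forward check that the quoted sshd_config text describes (look up the PTR for the client address, resolve the returned name, require the original address to be among the results), as an added example that is not part of this thread or of OpenSSH's own code. Live DNS is replaced by two constructed lookup tables so it runs offline; the table, function and sample host names are assumptions made for the example.

```python
"""Reverse-then-forward host-name check, as sshd's UseDNS option describes it.

Added example, not OpenSSH code.  DNS is replaced by two constructed
lookup tables (PTR, FORWARD) so this runs offline; names of functions,
tables and sample hosts are assumptions made for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Iterable, List, Mapping, Optional, Set

# Constructed stand-in for live DNS.  PTR: address -> reverse name (or None
# when the address has no PTR record).  FORWARD: name -> addresses published
# in its A/AAAA records.  These are sample values, not real hosts.
PTR: Mapping[str, Optional[str]] = {
    "192.0.2.10": "host10.example.net",   # PTR and forward record agree
    "192.0.2.20": "bastion.example.com",  # PTR names a host the address's owner
                                          # does not control; forward points elsewhere
    "192.0.2.30": None,                   # no PTR at all (the common, noisy case)
}
FORWARD: Mapping[str, Set[str]] = {
    "host10.example.net": {"192.0.2.10"},
    "bastion.example.com": {"198.51.100.5"},
}


@dataclass(frozen=True)
class Verdict:
    ip: str
    kind: str             # "ok", "no_ptr" or "mismatch"
    name: Optional[str]   # host name confirmed by the forward lookup, else None
    detail: str

    @property
    def consistent(self) -> bool:
        return self.kind == "ok"


def reverse_check(ip: str,
                  ptr: Mapping[str, Optional[str]] = PTR,
                  forward: Mapping[str, Set[str]] = FORWARD) -> Verdict:
    """PTR lookup on ip, forward lookup on the returned name, then require ip
    to be among the forward results.

    Whoever holds the address block controls the PTR record and can put any
    name in it; only the owner of that name's forward zone can make the
    forward lookup include ip.  That asymmetry is what the check relies on.
    """
    name = ptr.get(ip)
    if not name:
        return Verdict(ip, "no_ptr", None, "no reverse record")
    addrs = forward.get(name, set())
    if ip not in addrs:
        where = ", ".join(sorted(addrs)) or "nothing"
        return Verdict(ip, "mismatch", None,
                       f"{name} resolves to {where}, which does not include {ip}")
    return Verdict(ip, "ok", name, "forward and reverse records agree")


def host_for_log(ip: str,
                 ptr: Mapping[str, Optional[str]] = PTR,
                 forward: Mapping[str, Set[str]] = FORWARD) -> str:
    """Text a UseDNS=yes server can safely place in a log line: the host name
    only when the forward lookup confirms it, otherwise the bare address.
    The PTR-supplied name is never logged unconfirmed."""
    v = reverse_check(ip, ptr, forward)
    return v.name if v.consistent else ip


def classify(ips: Iterable[str],
             ptr: Mapping[str, Optional[str]] = PTR,
             forward: Mapping[str, Set[str]] = FORWARD) -> Dict[str, List[str]]:
    """Group addresses by outcome: the three cases the thread argues about."""
    groups: Dict[str, List[str]] = {"ok": [], "no_ptr": [], "mismatch": []}
    for ip in ips:
        groups[reverse_check(ip, ptr, forward).kind].append(ip)
    return groups


if __name__ == "__main__":
    for ip in PTR:
        v = reverse_check(ip)
        print(f"{ip:12} {v.kind:9} logged as {host_for_log(ip):22} ({v.detail})")
```

Only the "mismatch" outcome corresponds to someone placing a name they do not own in their PTR record, which is the spoofing case the check exists for; "no_ptr" covers every address with no reverse record at all, and that is where the noise the thread complains about comes from, since the two cases produce the same kind of log line and nothing downstream can tell them apart from the message alone.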

