Useless log message "POSSIBLE BREAK-IN ATTEMPT"

Dan Kaminsky dan at doxpara.com
Fri Dec 27 15:55:33 EST 2013


You can't not log.
Logging IPs provides little useful information.
Logging domains provides useful information, but is spoofable.
Logging domains and verifying reverse DNS provides useful information, but
alerts on broken DNS implementations.

Those are the four choices. OpenSSH optimizes for security and not for
tolerating bad system administration.  That's sort of the deal.

On Thursday, December 26, 2013, ag at gmail wrote:

> If OpenSSH takes no action, this entry does seem pretty useless for the
> functionality. I don't think it adds any real life security improvement,
> but adds too much noise which will be ignored anyways.
>
> It may be useful to other log-analyzer software trying to make sense, but
> again the number of false positives renders useless any meaningful
> interpretation of these log entries as well.
>
> I can't think of a use case for this logging to be enabled by default, if
> at all it needs to be there, but I may have missed the obvious (which
> hasn't been yet discussed in this thread).
>
> Thanks.
>
> -coderaptor
>
> --
> sent via 100% recycled electrons from my mobile command center.
>
> > On Dec 26, 2013, at 2:19 PM, Dan Kaminsky <dan at doxpara.com> wrote:
> >
> > The deal is that IP addresses are useless, host names are useful, but
> > host name spoofing is actually a real thing that real attackers do.
> >
> > So, either you don't log, you log hacker controlled data, or you UseDNS.
> > OpenSSH, optimizing for security, chooses the last of these options.
> >
> >> On Thursday, December 26, 2013, Kaz Kylheku wrote:
> >>
> >>> On 26.12.2013 09:27, Alex Bligh wrote:
> >>>
> >>>> On 25 Dec 2013, at 08:04, Ben Lindstrom wrote:
> >>>>
> >>>> UseDNS Specifies whether sshd(8) should look up the remote host name
> >> and check that the resolved host name for the remote IP address maps
> >> back to the very same IP address. The default is ``yes''.
> >>>
> >>> I've often wondered why the default for this is 'yes'.
> >>
> >> I don't want to read reference manuals. I want software not to do stupid
> >> things by default. This misfeature and its configuration option
> >> shouldn't even exist.
> >>
> >> There isn't any action that the software can take based on this info.
> >> (We should never waste resources gathering info that cannot be used to
> >> take action.)
> >>
> >> You cannot reject hosts from making SSH connections just because they
> >> have inconsistent DNS.
> >>
> >> Such checks are sometimes useful in software that has no real security,
> >> like SMTP. Rejecting inconsistent DNS hosts is an amazingly reliable
> >> rule that will get rid of a large fraction of spam, with virtually no
> >> false positives.
> >>
> >>
> >> _______________________________________________
> >> openssh-unix-dev mailing list
> >> openssh-unix-dev at mindrot.org
> >> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
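As an added example (not code from this thread or from OpenSSH), here is the forward-confirmed reverse DNS check that the quoted UseDNS text describes, run against a constructed DNS snapshot through an injectable resolver so it works offline; the alert wording is modelled on sshd's and is an assumption. It also shows why a stale PTR from broken DNS and a client-chosen PTR naming a host it does not own are indistinguishable to the check, which is the point made above about alerting on broken DNS.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed DNS snapshot (not real records; addresses come from the
# documentation range 192.0.2.0/24). Four client cases are represented.
FAKE_PTR: Dict[str, str] = {
    "192.0.2.10": "good.example.net",     # consistent forward and reverse
    "192.0.2.20": "stale.example.net",    # broken DNS: A record has moved
    "192.0.2.40": "bastion.example.net",  # PTR names a host it does not own
    # "192.0.2.30" deliberately has no PTR record at all
}
FAKE_FORWARD: Dict[str, List[str]] = {
    "good.example.net": ["192.0.2.10"],
    "stale.example.net": ["192.0.2.99"],
    "bastion.example.net": ["192.0.2.5"],
}


def fake_reverse(ip: str) -> Optional[str]:
    """PTR lookup against the constructed snapshot."""
    return FAKE_PTR.get(ip)


def fake_forward(name: str) -> List[str]:
    """A-record lookup against the constructed snapshot."""
    return FAKE_FORWARD.get(name, [])


def check_reverse_mapping(
    ip: str,
    reverse: Callable[[str], Optional[str]] = fake_reverse,
    forward: Callable[[str], List[str]] = fake_forward,
) -> Tuple[str, Optional[str]]:
    """Return (verdict, ptr_name): 'verified' when the PTR name resolves back
    to ip, 'mismatch' when it does not, 'no-ptr' when there is no PTR."""
    name = reverse(ip)
    if name is None:
        return "no-ptr", None
    # The forward lookup is what stops a client-chosen PTR being logged as fact.
    if ip in forward(name):
        return "verified", name
    return "mismatch", name


def name_for_log(ip: str) -> str:
    """What a UseDNS-style server can safely write: the PTR name only when
    the forward lookup confirms it, otherwise just the IP."""
    verdict, name = check_reverse_mapping(ip)
    return name if verdict == "verified" else ip


def alert_line(ip: str) -> Optional[str]:
    """Alert text modelled on sshd's wording (an assumption); None if no alert."""
    verdict, name = check_reverse_mapping(ip)
    if verdict != "mismatch":
        return None
    return (f"reverse mapping checking getaddrinfo for {name} [{ip}] "
            "failed - POSSIBLE BREAK-IN ATTEMPT!")
```

Both the stale-record client and the client with a misleading PTR produce the same mismatch verdict, so a log analyser cannot tell misconfiguration from intent from this line alone.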

