Useless log message "POSSIBLE BREAK-IN ATTEMPT"
Dan Mahoney, System Admin
danm at prime.gushi.org
Sat Dec 28 09:52:14 EST 2013
On Thu, 26 Dec 2013, Dan Kaminsky wrote:
> The deal is that IP addresses are useless, host names are useful, but host
> name spoofing is actually a real thing that real attackers do.
>
> So, either you don't log, you log hacker controlled data, or you UseDNS.
> OpenSSH, optimizing for security, chooses the last of these options.
I think the point here is that there's no option for OpenSSH to then *drop
the connection* or refuse it. OpenSSH *checks*, but does not
*enforce* anything. Sendmail will refuse to relay if my forward and
reverse DNS don't match. If I have an Allow From *.example.edu in
my Apache config, Apache requires them both to match or it won't
let me in. OpenSSH will clutter my logs and do nothing else.
Someone can hammer my root account for hours, trying various passwords,
but SSH won't throw a warning until ssh reaches MaxAuthTries/2. But they
better watch out if they have mismatched DNS!
The only case where this feature might be useful is in cases where you
have something like:
    Match host *.example.edu
        GSSAPIAuthentication Yes
or even:
    Match host !*.example.edu
        GSSAPIAuthentication No
        PasswordAuthentication No
        ChallengeResponseAuthentication No
(Effectively denying all but key-based login from outside networks you
presumably control)
At which point, as an admin at Example University, you probably want to
see if you're getting a lot of spoofing. (Note that my OpenSSH man pages
don't say if using a Match Host explicitly checks forward and reverse, or
only checks rDNS.) I also don't see a way to easily say "Deny all
connections not from this host block".
There's no PAM module that checks that DNS should match and refuses if it
doesn't. (Maybe this should be a thing -- I think there's no provision to
pass connecting IP address to PAM, but it could be added).
Given, you can go ahead and install something like Fail2Ban and configure
that to trawl your logs for this message, but this message comes up on
either a successful login, or a failed one.
-Dan
--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
---------------------------
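The two points argued above, that sshd only performs a forward-confirmed reverse DNS check and that the "POSSIBLE BREAK-IN ATTEMPT" line fires on successful and failed logins alike, can be made concrete with a small script. The following is an added example written for this page, not code from the post or from OpenSSH. The first half implements the same check sshd does under UseDNS (PTR lookup, then forward lookup of the returned name, then "does the original address appear in the answers") against an injectable resolver, with a constructed DNS table standing in for real lookups. The second half is the log correlation a Fail2Ban-style tool would need: it parses constructed sshd syslog lines, ties each mismatch message to the authentication result logged by the same sshd PID, and only reports addresses where the mismatch was followed by a failed login. The log lines, addresses and host names are all constructed for the example.

```python
import re
import socket

# ---- 1. Forward-confirmed reverse DNS, the check sshd performs under UseDNS ----

def fcrdns_check(ip, reverse_lookup, forward_lookup):
    """Return (ok, ptr_name, reason).

    reverse_lookup(ip) -> hostname or None (no PTR record)
    forward_lookup(name) -> list of addresses, empty if the name does not resolve
    The reason strings mirror the wording sshd uses in its log messages.
    """
    name = reverse_lookup(ip)
    if name is None:
        return (False, None, "no reverse mapping")
    addrs = forward_lookup(name)
    if not addrs:
        return (False, name, "reverse mapping checking getaddrinfo failed")
    if ip not in addrs:
        return (False, name, "does not map back to the address")
    return (True, name, "ok")

# Resolver backed by the system libc, for real use (network access required).
def system_reverse(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def system_forward(name):
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

# Constructed DNS table (not real hosts) so the example runs offline.
FAKE_PTR = {
    "192.0.2.10": "evil.example.net",      # PTR points at a name that resolves elsewhere
    "203.0.113.7": "laptop.example.edu",   # PTR points at a name with no A record
    "198.51.100.5": "box.example.org",     # consistent forward and reverse
}
FAKE_A = {
    "evil.example.net": ["203.0.113.99"],
    "box.example.org": ["198.51.100.5"],
}

def fake_reverse(ip):
    return FAKE_PTR.get(ip)

def fake_forward(name):
    return FAKE_A.get(name, [])

# ---- 2. Correlating the mismatch message with the auth outcome per sshd PID ----

# Constructed sshd syslog lines in OpenSSH's format (not taken from the original post).
SAMPLE_LOG = """\
Dec 28 09:52:14 gw sshd[4101]: Address 192.0.2.10 maps to evil.example.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Dec 28 09:52:17 gw sshd[4101]: Failed password for root from 192.0.2.10 port 51234 ssh2
Dec 28 09:52:19 gw sshd[4101]: Failed password for root from 192.0.2.10 port 51234 ssh2
Dec 28 09:53:01 gw sshd[4102]: reverse mapping checking getaddrinfo for laptop.example.edu [203.0.113.7] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 28 09:53:02 gw sshd[4102]: Accepted publickey for alice from 203.0.113.7 port 51240 ssh2
Dec 28 09:54:40 gw sshd[4103]: Failed password for root from 198.51.100.5 port 40000 ssh2
"""

PID_RE = re.compile(r"sshd\[(\d+)\]: (.*)$")
AUTH_RE = re.compile(r"^(Accepted|Failed) (\S+) for (?:invalid user )?(\S+) from (\S+) port \d+")

def correlate_sessions(log_text):
    """Map sshd PID -> {mismatch, outcome, user, ip}; the last auth result for a PID wins."""
    sessions = {}
    for line in log_text.splitlines():
        m = PID_RE.search(line)
        if not m:
            continue
        pid, msg = m.group(1), m.group(2)
        s = sessions.setdefault(pid, {"mismatch": False, "outcome": None, "user": None, "ip": None})
        if "POSSIBLE BREAK-IN ATTEMPT" in msg:
            s["mismatch"] = True
        a = AUTH_RE.match(msg)
        if a:
            s["outcome"], s["user"], s["ip"] = a.group(1), a.group(3), a.group(4)
    return sessions

def mismatch_and_failed(log_text):
    """Addresses whose DNS mismatch was followed by a failed login in the same session.
    Sessions that ended in 'Accepted' are deliberately left out, as are plain failures
    without a mismatch; matching on the mismatch string alone would catch both."""
    return sorted({s["ip"] for s in correlate_sessions(log_text).values()
                   if s["mismatch"] and s["outcome"] == "Failed" and s["ip"]})

if __name__ == "__main__":
    for ip in FAKE_PTR:
        print(ip, fcrdns_check(ip, fake_reverse, fake_forward))
    print("mismatch followed by failed auth:", mismatch_and_failed(SAMPLE_LOG))
```

Swapping `fake_reverse`/`fake_forward` for `system_reverse`/`system_forward` runs the same check against live DNS. Keying on the sshd PID is what makes the correlation work: the mismatch line and the Accepted/Failed line for one connection come from the same child process, whereas a regex on the mismatch string alone, as the post notes, would also fire for alice's successful key login.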
More information about the openssh-unix-dev mailing list