Useless log message "POSSIBLE BREAK-IN ATTEMPT"
Kaz Kylheku
kaz at kylheku.com
Sun Dec 29 02:24:57 EST 2013
On 27.12.2013 14:52, Dan Mahoney, System Admin wrote:
> On Thu, 26 Dec 2013, Dan Kaminsky wrote:
>
>> The deal is that IP addresses are useless, host names are useful , but host name spoofing is actually a real thing that real attackers do. So, either you don't log, you log hacker controlled data, or you UseDNS. OpenSSH, optimizing for security, chooses the last of these options.
>
> I think the point here is that there's no option for openSSH to then *drop
> the connection* or refuse it. OpenSSH *checks*, but does not
> *enforce* anything. Sendmail will refuse to relay if my forward and
> reverse DNS don't match. If I have an Allow From *.example.edu in
> my apache config, apache requires them both to match or it won't
> let me in. OpenSSH will clutter my logs and do nothing else
Refusing such connections makes perfect sense in unauthenticated SMTP.
Doing so will get rid of a large fraction of spam, with virtually no
false positives.
It makes no sense in SSH. You'd never want to refuse a connection which
has the correct password or key just because it came from an IP address
that doesn't have reversible DNS.
This WHOLE THING IS MISFEATURE that shouldn't exist in the code, let
alone be turned on by default.
There is no reason for ssh to "use DNS" except in the client to resolve
server addresses.
Using DNS wastes TIME when you're logging in, creating a useless pause
(which can be long if there is some DNS issue).
LOOK AT THE GOOGLE SEARCH FOR "SLOW SSH LOGIN" [1]. Countless people
have been bitten by long pauses when trying to log in to a server, and
the culprit is the DNS lookup.
I don't want to read manuals in order to discover software misfeatures
and turn them off.
Default configurations should be high-performing, secure, and free of
misfeatures.
Links:
------
[1] https://www.google.ca/search?q=slow+ssh+login
More information about the openssh-unix-dev
mailing list