Useless log message "POSSIBLE BREAK-IN ATTEMPT"
Philipp Marek
philipp.marek at linbit.com
Sun Dec 29 05:45:29 EST 2013
> > That's not entriely true. from=... restrictions in authorized_keys
> > and "Match host" sections in sshd_config depend on the hostname. In
> > the reverse-mapping check failed case, they don't get to see the
> > original (probably untrustworthy) hostname and are just passed the
> > IP address.
> Right, and that was my point -- if you have a bunch of "match host"
> blocks, what do you put *outside* those blocks to just deny all
> connections? I don't see an option like "AllowUsers None" or
> "DenyUsers All" or "DenyUsers *", at least according to the manpage.
>
> In theory you could disable all authentication methods, which will
> cause login to fail, but there's no easy way to do an apache-style
> "deny from all", which in theory should happen even without doing a
> handshake in this situation.
You can always just restrict to key-based authentication, and then say
AuthorizedKeysFile /dev/null
or use
DenyUsers *
More information about the openssh-unix-dev
mailing list