Useless log message "POSSIBLE BREAK-IN ATTEMPT"
Dan Mahoney, System Admin
danm at prime.gushi.org
Sun Dec 29 08:28:26 EST 2013
On Sat, 28 Dec 2013, Kaz Kylheku wrote:
>
> On 27.12.2013 14:52, Dan Mahoney, System Admin wrote:
>
>> On Thu, 26 Dec 2013, Dan Kaminsky wrote:
>>> The deal is that IP addresses are useless, host
>>> names are useful, but host name spoofing is
>>> actually a real thing that real attackers do. So,
>>> either you don't log, you log hacker controlled
>>> data, or you UseDNS. OpenSSH, optimizing for
>>> security, chooses the last of these options.
>>
>> I think the point here is that there's no option for OpenSSH to then *drop
>> the connection* or refuse it. OpenSSH *checks*, but does not
>> *enforce* anything. Sendmail will refuse to relay if my forward and
>> reverse DNS don't match. If I have an Allow From *.example.edu in
>> my apache config, apache requires them both to match or it won't
>> let me in. OpenSSH will clutter my logs and do nothing else.
>
> Refusing such connections makes perfect sense in unauthenticated SMTP. Doing
> so will get rid of a large fraction of spam, with virtually no false
> positives.
>
> It makes no sense in SSH. You'd never want to refuse a connection which has
> the correct password or key just because it came from an IP address that
> doesn't have reversible DNS.
..
> There is no reason for ssh to "use DNS" except in the client to resolve
> server addresses.
Sure you would, and I cited an example where you might.
However, here's my other question -- if you have such a restriction turned
on (host-restricted config in sshd_config or authorized-keys), but UseDNS
turned *off* will DNS still be used? Or will turning UseDNS off basically
break these features?
-Dan
--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
More information about the openssh-unix-dev
mailing list
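The thread above turns on two pieces of sshd behaviour: the forward-confirmed reverse DNS check that emits "POSSIBLE BREAK-IN ATTEMPT", and what a from="..." option in authorized_keys is matched against once that check has run. The following is an added example, not code from the original message or from OpenSSH itself: a small Python model of both steps, driven by constructed DNS tables (RFC 5737 documentation addresses and example.edu names) rather than real lookups. It shows the answer to the question at the end of the message, which sshd_config(5) also documents: with UseDNS off, sshd never resolves the client address, the "canonical host name" is just the address string, and a host-name pattern such as *.example.edu can never match, so only address patterns remain usable in from= and Match Host. The model keeps OpenSSH's comma-separated pattern list with "!" negation but omits CIDR matching for brevity.

```python
"""Model of sshd's reverse-DNS check and authorized_keys from= matching.

Added illustration only; it is not OpenSSH's code.  The DNS tables below are
constructed sample data, and the pattern matcher is a simplified version of
OpenSSH's match_pattern_list (wildcards and '!' negation, no CIDR).
"""
from fnmatch import fnmatchcase

# Constructed sample zone data: a PTR table and a forward (A) table.
PTR = {
    "192.0.2.10": "login.example.edu",  # honest host: forward record agrees
    "192.0.2.20": "login.example.edu",  # attacker-controlled PTR, no A back
    "192.0.2.30": None,                 # no reverse record at all
    "192.0.2.40": "ghost.example.edu",  # PTR names a host with no A record
}
A = {
    "login.example.edu": ["192.0.2.10"],
}


def remote_hostname(ip, use_dns):
    """Return (host_name_sshd_will_use, log_message_or_None).

    With UseDNS off, no lookup happens and the address string is the name.
    With it on, the reverse name is kept only if a forward lookup of that
    name yields the original address; otherwise sshd logs the message and
    falls back to the address.  Message texts follow sshd's wording.
    """
    if not use_dns:
        return ip, None
    name = PTR.get(ip)
    if name is None:
        return ip, None  # no PTR: quiet fallback to the address
    forward = A.get(name)
    if forward is None:
        return ip, ("reverse mapping checking getaddrinfo for %s [%s] "
                    "failed - POSSIBLE BREAK-IN ATTEMPT!" % (name, ip))
    if ip not in forward:
        return ip, ("Address %s maps to %s, but this does not map back to "
                    "the address - POSSIBLE BREAK-IN ATTEMPT!" % (ip, name))
    return name, None


def match_pattern_list(value, patterns):
    """Comma-separated pattern list in the OpenSSH style.

    Returns 1 if some positive pattern matches, -1 if a negated ('!')
    pattern matches, 0 otherwise.  Matching is case-insensitive and '*'
    matches across dots, as in sshd.
    """
    result = 0
    value = value.lower()
    for pat in patterns.split(","):
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        if pat and fnmatchcase(value, pat.lower()):
            if negate:
                return -1
            result = 1
    return result


def from_option_allows(from_pattern, ip, use_dns):
    """Decide whether a key carrying from="from_pattern" is usable from ip.

    Mirrors the order sshd uses: a negated match on either the address or
    the (canonical) host name rejects; otherwise either positive match
    accepts.  With use_dns False the host name is the address itself.
    """
    host, _msg = remote_hostname(ip, use_dns)
    mip = match_pattern_list(ip, from_pattern)
    if mip == -1:
        return False
    mhost = match_pattern_list(host, from_pattern)
    if mhost == -1:
        return False
    return mip == 1 or mhost == 1


if __name__ == "__main__":
    for ip in sorted(PTR):
        for use_dns in (True, False):
            host, msg = remote_hostname(ip, use_dns)
            ok = from_option_allows("*.example.edu", ip, use_dns)
            print("%s UseDNS=%-5s host=%-18s from=*.example.edu -> %s"
                  % (ip, use_dns, host, "allow" if ok else "deny"))
            if msg:
                print("  sshd would log:", msg)
```

Running it prints one line per constructed client address and UseDNS setting. The honest host at 192.0.2.10 passes *.example.edu only while UseDNS is on; the spoofed PTR at 192.0.2.20 is demoted to its address and denied, with the familiar log line as the only trace; and with UseDNS off every client is denied by a host-name pattern, which is the breakage the message asks about. An address pattern such as 192.0.2.* keeps working in both modes.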