Tilman Schmidt
2013-Mar-06 17:45 UTC
[CentOS] CentOS 5 sshd does not log IP address of reverse mapping failure
I'm running a mix of CentOS 5 and 6 servers reachable by ssh from the Internet. Of course I allow only public key authentication and no root login. In addition I'm running fail2ban to block obnoxious brute force attack sources. On CentOS 6 this is working pretty well, but on CentOS 5 there's one class of attacks fail2ban fails to ban. (No pun intended.) This isn't fail2ban's fault, but openssh's.

When the source IP address of a failed attempt fails the reverse mapping check, CentOS 6 (openssh-server-5.3p1-81.el6_3.x86_64) logs:

Mar 3 04:06:34 posthamster sshd[1718]: reverse mapping checking getaddrinfo for hn.ly.kd.adsl [61.163.113.72] failed - POSSIBLE BREAK-IN ATTEMPT!

from which fail2ban can pick up and block IP address 61.163.113.72 just fine. CentOS 5 (openssh-server-4.3p2-82.el5) OTOH logs:

Mar 3 04:44:48 gimli sshd[12870]: reverse mapping checking getaddrinfo for hn.ly.kd.adsl failed - POSSIBLE BREAK-IN ATTEMPT!

without the IP address. The name is of no use because sshd just confirmed that it doesn't really correspond to the attacker's IP address.

Any ideas how to remedy that situation?

TIA
T.

--
Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany
Gordon Messmer
2013-Mar-06 18:20 UTC
[CentOS] CentOS 5 sshd does not log IP address of reverse mapping failure
On 03/06/2013 09:45 AM, Tilman Schmidt wrote:
> Any ideas how to remedy that situation?

As long as you get the IP address for failed logins, ignore reverse mapping failures.
Tilman Schmidt
2013-Mar-08 16:32 UTC
[CentOS] CentOS 5 sshd does not log IP address of reverse mapping failure
On 08.03.2013 15:50, Reindl Harald wrote:
> On 08.03.2013 15:01, Tilman Schmidt wrote:
>> On 07.03.2013 19:49, Les Mikesell wrote:
[...]
>>> Does it work if you set
>>> UseDNS no
>>> in /etc/ssh/sshd_config?
>>
>> Not really. That seems to remove the "reverse mapping checking failed"
>> messages (assuming there were the usual number of such attempts after
>> I set that option), but IP addresses for failed logins to existing
>> users are never logged. The log contains just:
>>
>> sshd[27912]: Disconnecting: Too many authentication failures for root
>
> not true,

How do you know? I saw no logon from you on the machine I tested this on. :-)

> i have "UseDNS no" on ANY machine since a long time
> and /var/log/secure contains ip-addresses as also logwatch

For failed login attempts to existing usernames? Can you share a log entry? That would give me hope that it's just a configuration issue.

Thanks,
Tilman

--
Tilman Schmidt
Abteilungsleiter Technik
----------------------------------------------------------------
Phoenix Software GmbH                  Tel. +49 228 97199 0
Geschäftsführer: W. Grießl             Fax +49 228 97199 99
Adolf-Hombitzer-Str. 12                www.phoenixsoftware.de
53227 Bonn, Germany                    Amtsgericht Bonn HRB 2934
----------------------------------------------------------------
Tilman Schmidt
2013-Mar-08 17:16 UTC
[CentOS] CentOS 5 sshd does not log IP address of reverse mapping failure
On 08.03.2013 17:40, Reindl Harald wrote:
> but you can not tell me that such attempts would not be logged
> maybe you have fucked your syslog-configuration or whatever

Tsk, tsk. Language!

> Mar 8 17:35:13 openvas sshd[10017]: Invalid user donotexist from 10.0.0.241
> Mar 8 17:35:13 openvas sshd[10018]: input_userauth_request: invalid user donotexist
>
> Mar 8 17:37:38 openvas sshd[10172]: User vnstat from 10.0.0.241 not allowed because not listed in AllowUsers
> Mar 8 17:37:38 openvas sshd[10173]: input_userauth_request: invalid user vnstat

If you had actually read the thread before replying you might have noticed that it is not about these messages at all. These are messages about invalid users. I already wrote that I get these too, complete with IP addresses, even before putting in "UseDNS no". My question is about these:

Feb 10 13:32:41 dns01 sshd[16161]: Disconnecting: Too many authentication failures for root
Feb 10 13:32:45 dns01 sshd[16163]: Disconnecting: Too many authentication failures for root
Feb 10 13:32:48 dns01 sshd[16165]: Disconnecting: Too many authentication failures for root
Feb 10 13:32:53 dns01 sshd[16167]: Disconnecting: Too many authentication failures for root
Feb 10 13:32:55 dns01 sshd[16169]: Disconnecting: Too many authentication failures for root
Feb 10 13:32:59 dns01 sshd[16171]: Disconnecting: Too many authentication failures for root
Feb 10 13:33:02 dns01 sshd[16173]: Disconnecting: Too many authentication failures for root
Feb 10 13:33:05 dns01 sshd[16175]: Disconnecting: Too many authentication failures for root
Feb 10 13:33:08 dns01 sshd[16177]: Disconnecting: Too many authentication failures for root
Feb 10 13:33:11 dns01 sshd[16179]: Disconnecting: Too many authentication failures for root

Do you have log entries with IP addresses for these?

Oh, before you ask, the sshd which logged these runs of course with
PermitRootLogin no
PasswordAuthentication no

> cat /etc/redhat-release
> CentOS release 6.3 (Final)

Notice the subject line? How it says "CentOS 5"? That was deliberate.

--
Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany
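An added example (not code from the thread or from fail2ban) that runs a fail2ban-style filter over the message families quoted above: the CentOS 6 and CentOS 5 reverse-mapping lines from the first post and the "Invalid user" and "Disconnecting: Too many authentication failures" lines from the last one. The sample log is constructed from those quoted lines; the patterns are assumptions written for this example and show which messages yield a bannable address and which leave the source unattributable.

```python
import re
from typing import Optional

# Constructed sample log, modelled on the lines quoted in this thread.
SAMPLE_LOG = """\
Mar  3 04:06:34 posthamster sshd[1718]: reverse mapping checking getaddrinfo for hn.ly.kd.adsl [61.163.113.72] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  3 04:44:48 gimli sshd[12870]: reverse mapping checking getaddrinfo for hn.ly.kd.adsl failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  8 17:35:13 openvas sshd[10017]: Invalid user donotexist from 10.0.0.241
Feb 10 13:32:41 dns01 sshd[16161]: Disconnecting: Too many authentication failures for root
"""

# One pattern per sshd message family discussed in the thread (assumed, not
# fail2ban's own). The optional "[ip]" group in reverse_map is exactly the part
# that the CentOS 5 openssh 4.3p2 message omits.
PATTERNS = {
    "reverse_map": re.compile(
        r"reverse mapping checking getaddrinfo for (?P<name>\S+)"
        r"(?: \[(?P<ip>[0-9.]+)\])? failed"),
    "invalid_user": re.compile(
        r"Invalid user (?P<name>\S+) from (?P<ip>[0-9.]+)"),
    "too_many_failures": re.compile(
        r"Disconnecting: Too many authentication failures for (?P<name>\S+)"),
}

def classify(line: str) -> Optional[dict]:
    """Return {'kind', 'name', 'ip'} for a recognised sshd line, else None.
    'ip' is None when the message carries no address a ban could act on."""
    for kind, pat in PATTERNS.items():
        m = pat.search(line)
        if m:
            return {"kind": kind, "name": m.group("name"),
                    "ip": m.groupdict().get("ip")}
    return None

def bannable_ips(log: str) -> list:
    """Addresses a filter could hand to the ban action, in log order."""
    return [e["ip"] for e in map(classify, log.splitlines()) if e and e["ip"]]

def unattributable(log: str) -> list:
    """Recognised failure lines that name no source address (the CentOS 5 gap)."""
    out = []
    for ln in log.splitlines():
        e = classify(ln)
        if e and e["ip"] is None:
            out.append(ln)
    return out

if __name__ == "__main__":
    print("bannable:", bannable_ips(SAMPLE_LOG))
    for ln in unattributable(SAMPLE_LOG):
        print("no address to ban:", ln)
```

The two unattributable lines are the ones the thread is about: the CentOS 5 reverse-mapping message and the "Too many authentication failures" disconnect, neither of which gives fail2ban anything to block.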