Hi,

I noted on my 4.7 machines that when an ssh connection is made, the following PTR query happens (10.11.1.11 is the src address in the example):

13:23:21.120290 PUBLIC_IP.4523 > PUBLIC_IP.53: 52788+ PTR? 11.1.11.10.in-addr.arpa. (41)
13:23:21.120517 PUBLIC_IP.4524 > PUBLIC_IP.53: 52788+ PTR? 11.1.11.10.in-addr.arpa. (41)
13:23:21.120683 PUBLIC_IP.4525 > PUBLIC_IP.53: 52788+ PTR? 11.1.11.10.in-addr.arpa. (41)
13:23:21.120784 PUBLIC_IP.4526 > PUBLIC_IP.53: 52788+ PTR? 11.1.11.10.in-addr.arpa. (41)

This is very weird because resolv.conf points to another server. Also, the capture is from lo0.

Not that I see a security problem here (just the annoyance of this filling my log_in_vain logs), but I'm curious about the reason; at least I didn't find any clue looking at the source.

May 26 13:23:21 X /kernel: Connection attempt to UDP PUBLIC_IP:53 from PUBLIC_IP:4523
May 26 13:23:21 X /kernel: Connection attempt to UDP PUBLIC_IP:53 from PUBLIC_IP:4524
May 26 13:23:21 X /kernel: Connection attempt to UDP PUBLIC_IP:53 from PUBLIC_IP:4525
May 26 13:23:21 X /kernel: Connection attempt to UDP PUBLIC_IP:53 from PUBLIC_IP:4526

Thanks for any pointer!

Regards!

Fernando.
On Mon, 2003-05-26 at 18:32, Fernando Schapachnik wrote:

<something about DNS lookups when SSH'ing>

This is becoming a FAQ. Current OpenSSH daemons implement a feature called 'privilege separation', which splits the daemon in two: one part running as root, the other as user 'sshd' (or whatever you define), minimizing security threats.

One disadvantage though: /etc/resolv.conf is read AFTER chroot()ing to the directory '/var/empty' (talking about OpenSSH in base). If resolv.conf can't be found there, sshd will look up IPs via 127.0.0.1, generating those log_in_vain messages you see.

How to solve? Well.. copy /etc/resolv.conf to /var/empty/etc/.

Regards,
Pieter
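A small sh script that turns Pieter's diagnosis and fix into something checkable. This is an added example, not code from the thread or from OpenSSH: it reports whether the privsep chroot (/var/empty on FreeBSD 4.x) carries a current copy of /etc/resolv.conf, installs one if not, and counts the self-to-self port-53 traffic in a log_in_vain kernel log and in a lo0 tcpdump capture. All paths are parameters so it can run against a scratch directory; the log lines in the demo are constructed, with 192.0.2.10 standing in for the poster's PUBLIC_IP and 10.11.1.1 as an assumed real nameserver.

```shell
#!/bin/sh
# Added example (not part of the original thread): check, repair and detect
# the "resolv.conf missing inside the sshd privsep chroot" condition.

# Report the state of the resolv.conf copy inside the chroot: missing, stale or ok.
# $1 = chroot directory (e.g. /var/empty), $2 = system resolv.conf (default /etc/resolv.conf)
resolv_state() {
    copy="$1/etc/resolv.conf"
    sys_resolv=${2:-/etc/resolv.conf}
    if [ ! -f "$copy" ]; then
        echo missing
    elif ! cmp -s "$sys_resolv" "$copy"; then
        echo stale
    else
        echo ok
    fi
}

# Install a fresh copy.  sshd refuses to start unless the privsep directory is
# owned by root and not group/world writable, so keep the new subtree just as tight.
sync_resolv() {
    sys_resolv=${2:-/etc/resolv.conf}
    mkdir -p "$1/etc" || return 1
    chmod 0755 "$1/etc" || return 1
    cp "$sys_resolv" "$1/etc/resolv.conf" || return 1
    chmod 0644 "$1/etc/resolv.conf"
}

# Count log_in_vain lines of the form
#   ... /kernel: Connection attempt to UDP A:53 from A:PORT
# where source and destination address are the same host.  The poster's trace
# shows the primary address on both sides rather than 127.0.0.1, so the test
# compares the two addresses instead of matching the loopback address.
self_dns_attempts() {
    awk '/\/kernel: Connection attempt to UDP / {
            split($10, dst, ":"); split($12, src, ":")
            if (dst[2] == "53" && dst[1] == src[1]) n++
         }
         END { print n + 0 }' "$1"
}

# Count tcpdump lines of the form
#   TIME A.PORT > A.53: ID+ PTR? x.in-addr.arpa. (len)
# with the same host on both sides; a lo0 capture full of these is the symptom.
self_ptr_queries() {
    awk '$3 == ">" && $6 == "PTR?" {
            src = $2; sub(/\.[0-9]+$/, "", src)
            dst = $4; sub(/:$/, "", dst)
            dport = dst; sub(/.*\./, "", dport)
            sub(/\.[0-9]+$/, "", dst)
            if (dport == "53" && src == dst) n++
         }
         END { print n + 0 }' "$1"
}

# Demo against a scratch directory with constructed inputs.
demo() {
    d=$(mktemp -d) || return 1
    printf 'nameserver 10.11.1.1\n' > "$d/resolv.conf"          # assumed nameserver
    echo "before: $(resolv_state "$d/chroot" "$d/resolv.conf")"   # missing
    sync_resolv "$d/chroot" "$d/resolv.conf"
    echo "after:  $(resolv_state "$d/chroot" "$d/resolv.conf")"   # ok
    cat > "$d/messages" <<'EOF'
May 26 13:23:21 X /kernel: Connection attempt to UDP 192.0.2.10:53 from 192.0.2.10:4523
May 26 13:23:21 X /kernel: Connection attempt to UDP 192.0.2.10:53 from 192.0.2.10:4524
May 26 13:24:02 X /kernel: Connection attempt to UDP 192.0.2.10:53 from 198.51.100.7:1027
May 26 13:24:10 X /kernel: Connection attempt to UDP 192.0.2.10:161 from 192.0.2.10:1028
EOF
    cat > "$d/lo0.txt" <<'EOF'
13:23:21.120290 192.0.2.10.4523 > 192.0.2.10.53: 52788+ PTR? 11.1.11.10.in-addr.arpa. (41)
13:23:21.120517 192.0.2.10.4524 > 192.0.2.10.53: 52788+ PTR? 11.1.11.10.in-addr.arpa. (41)
13:25:00.000100 192.0.2.10.4601 > 10.11.1.1.53: 1234+ PTR? 11.1.11.10.in-addr.arpa. (41)
EOF
    echo "self-to-self DNS attempts in kernel log: $(self_dns_attempts "$d/messages")"  # 2
    echo "self-to-self PTR queries in capture:     $(self_ptr_queries "$d/lo0.txt")"    # 2
    rm -rf "$d"
}

demo
```

The copy in the chroot goes stale whenever /etc/resolv.conf changes (a dhclient lease, a manual edit), so `resolv_state` is worth running from a periodic job rather than once; and the workaround is only needed on sshd builds that initialize the resolver after the chroot, so re-check with the capture after any OpenSSH upgrade before keeping the extra file around.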
Hello Fernando,

FAQ. For example see
;-------
http://www.freebsd.org/cgi/search.cgi?words=sshd+resolv.conf+privsep&max=25&sort=score&index=all&source=freebsd-security
;-------
(URL can be wrapped)

Monday, May 26, 2003, 8:32:55 PM, you wrote:

FS> Hi,
FS> I noted on my 4.7 machines that when an ssh connection is made, the
FS> following PTR query happens (10.11.1.11 is the src address in the example):
FS> 13:23:21.120290 PUBLIC_IP.4523 > PUBLIC_IP.53: 52788+ PTR?
FS> 11.1.11.10.in-addr.arpa. (41)
FS> 13:23:21.120517 PUBLIC_IP.4524 > PUBLIC_IP.53: 52788+ PTR?
FS> 11.1.11.10.in-addr.arpa. (41)
FS> 13:23:21.120683 PUBLIC_IP.4525 > PUBLIC_IP.53: 52788+ PTR?
FS> 11.1.11.10.in-addr.arpa. (41)
FS> 13:23:21.120784 PUBLIC_IP.4526 > PUBLIC_IP.53: 52788+ PTR?
FS> 11.1.11.10.in-addr.arpa. (41)
FS> This is very weird because resolv.conf points to another server. Also,
FS> the capture is from lo0.
FS> Not that I see a security problem here (just the annoyance of this
FS> filling my log_in_vain logs), but I'm curious about the reason; at least I didn't
FS> find any clue looking at the source.
FS> May 26 13:23:21 X /kernel: Connection attempt to UDP PUBLIC_IP:53 from PUBLIC_IP:4523
FS> May 26 13:23:21 X /kernel: Connection attempt to UDP PUBLIC_IP:53 from PUBLIC_IP:4524
FS> May 26 13:23:21 X /kernel: Connection attempt to UDP PUBLIC_IP:53 from PUBLIC_IP:4525
FS> May 26 13:23:21 X /kernel: Connection attempt to UDP PUBLIC_IP:53 from PUBLIC_IP:4526
FS> Thanks for any pointer!
FS> Regards!
FS> Fernando.
FS> _______________________________________________
FS> freebsd-security@freebsd.org mailing list
FS> http://lists.freebsd.org/mailman/listinfo/freebsd-security
FS> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru