Thank you Patrick. I don't receive that many of them. Maybe a dozen or so since I've set up my server, which was a few years ago. Mostly with the same IP but sometimes a different IP as well. And all those I've received so far were in the last few months.

They surprise me because on the firewall the sshd is forwarded from a non-standard port (i.e. port 22 isn't open).

I am interested in what security precaution FreeBSD is trying to do here. Is the sshd server receiving an ssh login request from an IP that can't be resolved back to a domain in the reverse DNS (PTR) record for that IP?

On 18/07/2018 20:13, Patrick Proniewski wrote:
> Hi,
>
> You can ignore them totally (you should), and if you can't, make sure you limit the possibility of a brute force attack on your sshd:
> - configure a firewall to stop them
> - and/or activate blacklistd on sshd
> - and/or change the listening port of sshd
>
> I get thousands of these every day, won't kill you and not worth losing your time.
>
>> On 18 Jul 2018, at 22:07, Grzegorz Junka <list1 at gjunka.com> wrote:
>>
>> Sometimes I am receiving messages like this from my server:
>>
>> nas.myserver.mydomain.com login failures:
>> Jul 17 08:35:02 nas sshd[5994]: reverse mapping checking getaddrinfo for 162.132-254-62.static.virginmediabusiness.co.uk [62.254.132.162] failed - POSSIBLE BREAK-IN ATTEMPT!
>>
>> On different days they are from different IPs and they would be mapped to different reverse DNS names. How to deal with those messages/attempts?
>>
>> GrzegorzJ
>>
>> _______________________________________________
>> freebsd-security at freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
On 18 Jul 2018, at 22:25, Grzegorz Junka <list1 at gjunka.com> wrote:
>
> Thank you Patrick. I don't receive that many of them. Maybe a dozen or so since I've set up my server, which was a few years ago. Mostly with the same IP but sometimes a different IP as well. And all those I've received so far were in the last few months.
>
> They surprise me because on the firewall the sshd is forwarded from a non-standard port (i.e. port 22 isn't open).
>
> I am interested in what security precaution FreeBSD is trying to do here. Is the sshd server receiving an ssh login request from an IP that can't be resolved back to a domain in the reverse DNS (PTR) record for that IP?

This is not specifically a FreeBSD precaution, but an upstream OpenSSH feature. OpenSSH supports hostname-based matching rules; see the "Match" keyword in sshd_config(5). For each incoming IP address, sshd does a reverse lookup, and if that results in a hostname, it does another lookup of that hostname, to see if *that* result matches the original incoming IP address. If it does not, you get this scary warning in syslog about a "possible break-in attempt!".

In my opinion, this is fairly misleading, since almost always the actual cause is badly configured DNS, a very common occurrence. In addition, matching forward and reverse DNS records is no guarantee at all that the incoming IP address is in any way trustworthy.

If you don't use hostname-based matching rules, and don't use "from" directives with hostnames in your authorized_keys files, you can disable the DNS lookups (and the warnings too) by setting "UseDNS no" in your sshd_config file. This is usually one of the first settings I change on any server I configure. :)

-Dimitry
On 18 Jul 2018, at 22:25, Grzegorz Junka <list1 at gjunka.com> wrote:
>
> I am interested in what security precaution FreeBSD is trying to do here. Is the sshd server receiving an ssh login request from an IP that can't be resolved back to a domain in the reverse DNS (PTR) record for that IP?

This is quite usual with some ISPs:

    $ host 62.254.132.162
    162.132.254.62.in-addr.arpa domain name pointer 162.132-254-62.static.virginmediabusiness.co.uk.
    $ host 162.132-254-62.static.virginmediabusiness.co.uk
    Host 162.132-254-62.static.virginmediabusiness.co.uk not found: 3(NXDOMAIN)

It's not a feature of FreeBSD, it's a feature of OpenSSH. From man sshd_config:

    UseDNS  Specifies whether sshd(8) should look up the remote host name, and
            to check that the resolved host name for the remote IP address maps
            back to the very same IP address. If this option is set to "no",
            then only addresses and not host names may be used in
            ~/.ssh/known_hosts from and sshd_config Match Host directives.
            The default is "yes".

Patrick
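To make the two-step check Dimitry describes (PTR lookup, then forward lookup of the resulting name, then compare) concrete, and to show why Patrick's `host` output ends in the warning, here is an added example script that is not part of the thread and not OpenSSH code. It implements the forward-confirmed reverse DNS check with injectable resolver functions so it runs offline against a constructed lookup table that mirrors the `host` output above; the `system_reverse`/`system_forward` helpers show the live equivalents. It also parses the sshd warning line quoted earlier so an admin can count which source addresses are producing it. The addresses 203.0.113.10, 198.51.100.7 and 198.51.100.9 and the `example.net`/`example.org` names are hypothetical, chosen from documentation ranges.

```python
"""Forward-confirmed reverse DNS, the check sshd runs when UseDNS is yes.

Added example, not code from the thread or from OpenSSH. Resolver functions
are injectable so the check runs offline against a constructed table.
"""
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed DNS data. The first entry mirrors the `host` output quoted in
# the thread: the PTR exists, but the forward lookup of that name is NXDOMAIN.
# The other entries are hypothetical and cover the remaining outcomes.
FAKE_PTR: Dict[str, str] = {
    "62.254.132.162": "162.132-254-62.static.virginmediabusiness.co.uk",
    "203.0.113.10": "good.example.net",       # consistent forward/reverse pair
    "198.51.100.7": "mismatch.example.org",   # forward record points elsewhere
}
FAKE_A: Dict[str, List[str]] = {
    "good.example.net": ["203.0.113.10"],
    "mismatch.example.org": ["198.51.100.200"],
    # deliberately no entry for the virginmediabusiness name -> NXDOMAIN
}


def fake_reverse(ip: str) -> str:
    """PTR lookup against the constructed table; fails like gethostbyaddr."""
    if ip not in FAKE_PTR:
        raise socket.herror(1, "Unknown host")
    return FAKE_PTR[ip]


def fake_forward(name: str) -> List[str]:
    """Forward lookup against the constructed table; fails like getaddrinfo."""
    if name not in FAKE_A:
        raise socket.gaierror(-2, "Name or service not known")
    return FAKE_A[name]


def system_reverse(ip: str) -> str:
    """Live PTR lookup (not exercised offline)."""
    return socket.gethostbyaddr(ip)[0]


def system_forward(name: str) -> List[str]:
    """Live forward lookup, collecting every address the name resolves to."""
    return [ai[4][0] for ai in socket.getaddrinfo(name, None)]


def fcrdns_check(
    ip: str,
    reverse: Callable[[str], str] = fake_reverse,
    forward: Callable[[str], List[str]] = fake_forward,
) -> Tuple[str, Optional[str]]:
    """Return (status, hostname) for the steps sshd performs with UseDNS yes.

    "no_ptr"         no PTR record; sshd silently falls back to the bare IP
    "forward_failed" PTR exists but the name does not resolve (the thread's case)
    "mismatch"       the name resolves, but not back to this IP
    "ok"             records agree; this still says nothing about trust
    sshd logs its warning for the forward_failed and mismatch outcomes.
    """
    try:
        name = reverse(ip)
    except socket.herror:
        return ("no_ptr", None)
    try:
        addrs = forward(name)
    except socket.gaierror:
        return ("forward_failed", name)
    return ("ok", name) if ip in addrs else ("mismatch", name)


# Pull the hostname and address back out of the syslog line sshd writes.
WARNING_RE = re.compile(
    r"reverse mapping checking getaddrinfo for (?P<name>\S+) "
    r"\[(?P<ip>[0-9a-fA-F.:]+)\] failed"
)


def parse_reverse_mapping_warning(line: str) -> Optional[Tuple[str, str]]:
    """Extract (hostname, ip) from an sshd reverse-mapping warning, else None."""
    m = WARNING_RE.search(line)
    return (m.group("name"), m.group("ip")) if m else None


def warnings_by_ip(lines: List[str]) -> Dict[str, int]:
    """Count reverse-mapping warnings per source IP; other lines are ignored."""
    counts: Dict[str, int] = {}
    for line in lines:
        parsed = parse_reverse_mapping_warning(line)
        if parsed:
            counts[parsed[1]] = counts.get(parsed[1], 0) + 1
    return counts


# Constructed sample log: the line quoted in the thread plus two made-up ones.
SAMPLE_LOG = [
    "Jul 17 08:35:02 nas sshd[5994]: reverse mapping checking getaddrinfo for "
    "162.132-254-62.static.virginmediabusiness.co.uk [62.254.132.162] failed "
    "- POSSIBLE BREAK-IN ATTEMPT!",
    "Jul 17 08:35:03 nas sshd[5994]: Invalid user admin from 62.254.132.162",
    "Jul 18 01:12:44 nas sshd[6120]: reverse mapping checking getaddrinfo for "
    "ptr-without-a.example.org [198.51.100.9] failed - POSSIBLE BREAK-IN ATTEMPT!",
]

if __name__ == "__main__":
    for addr in ("62.254.132.162", "203.0.113.10", "198.51.100.7", "192.0.2.1"):
        print(addr, fcrdns_check(addr))
    print(warnings_by_ip(SAMPLE_LOG))
```

Running it offline reproduces the thread's case as `forward_failed`; passing `reverse=system_reverse, forward=system_forward` runs the same logic against real DNS. Note that the counts from `warnings_by_ip` only tell you which addresses have broken DNS, which is exactly why the message is a poor signal on its own; the brute-force limits Patrick lists (firewall, blacklistd, non-default port) do not depend on it.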