freebsd security - Jul 2018 - Possible break-in attempt?

On 18 Jul 2018, at 22:25, Grzegorz Junka <list1 at gjunka.com>
wrote:
> 
> Thank you Patrick. I don't receive that many of them. Maybe a dozen or
so since I've set up my server, which was a few years ago. Mostly with the
same IP but sometimes different IP as well. And all those I've received so
far were in the last few months.
> 
> They surprise me because on the firewall the sshd is forwarded from a
non-standard port (i.e. port 22 isn't open).
> 
> I am interested what security precaution FreeBSD is trying to do here. Is
the sshd server receiving an ssh login request from an IP, that can't be
resolved back to a domain in the reverse DNS (PTR) record for that IP?
This is not specifically a FreeBSD precaution, but an upstream OpenSSH
feature.  OpenSSH supports hostname-based matching rules; see the
"Match" keyword in sshd_config(5).

For each incoming IP address, sshd does a reverse lookup, and if that
results in a hostname, it does another lookup of that hostname, to see
if *that* result matches the original incoming IP address.  If it does
not, you get this scary warning in syslog about a "possible break-in
attempt!".

In my opinion, this is fairly misleading, since almost always the actual
cause is badly configured DNS, a very common occurrence.  In addition,
matching forward and reverse DNS records is no guarantee at all that the
incoming IP address is in any way trustworthy.

If you don't use hostname-based matching rules, and don't use
"from"
directives with hostnames in your authorized_keys files, you can disable
the DNS lookups (and the warnings too) by setting "UseDNS no" in your
sshd_config file.

This is usually one of the first settings I change on any server I
configure. :)

-Dimitry

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 223 bytes
Desc: Message signed with OpenPGP
URL:
<http://lists.freebsd.org/pipermail/freebsd-security/attachments/20180718/5933c59e/attachment.sig>

Thank you Patrick, Simon and Dimitry for a quick follow up and the 
explanation.

Is it possible to figure out which parts of the security run output 
emails are produced by which tools (I assume that each part is a 
separate check)? Could be useful to know when checking other messages in 
that email. Is there some kind of email template or script that 
generates these emails?
GrzegorzJ

Dimitry Andric <dim at freebsd.org> wrote:
> For each incoming IP address, sshd does a reverse lookup, and if that
> results in a hostname, it does another lookup of that hostname, to see
> if *that* result matches the original incoming IP address.  If it does
> not, you get this scary warning in syslog about a "possible break-in
> attempt!".
>
> In my opinion, this is fairly misleading, since almost always the actual
> cause is badly configured DNS, a very common occurrence.  In addition,
> matching forward and reverse DNS records is no guarantee at all that the
> incoming IP address is in any way trustworthy.
I'm not sure which version this made it into, but they actually removed this
over 2 years ago. It's not in the openssh that ships with FreeBSD 11.2:

 | commit e690fe85750e93fca1fb7c7c8587d4130a4f7aba
 | Author: dtucker at openbsd.org <dtucker at openbsd.org>
 | Date:   Wed Jun 15 00:40:40 2016 +0000
 |
 |     upstream commit
 |
 |     Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message
 |     about forward and reverse DNS not matching.  We haven't supported
IP-based
 |     auth methods for a very long time so it's now misleading.  part of
bz#2585,
 |     ok markus@
 |
 |     Upstream-ID: 5565ef0ee0599b27f0bd1d3bb1f8a323d8274e29

cheers, Jamie