> On Jul 20, 2018, at 3:05 PM, Jamie Landeg-Jones <jamie at catflap.org> wrote:
>
> Dimitry Andric <dim at freebsd.org> wrote:
>
>> For each incoming IP address, sshd does a reverse lookup, and if that
>> results in a hostname, it does another lookup of that hostname, to see
>> if *that* result matches the original incoming IP address. If it does
>> not, you get this scary warning in syslog about a "possible break-in
>> attempt!".
>>
>> In my opinion, this is fairly misleading, since almost always the actual
>> cause is badly configured DNS, a very common occurrence. In addition,
>> matching forward and reverse DNS records is no guarantee at all that the
>> incoming IP address is in any way trustworthy.
>
> I'm not sure which version this made it into, but they actually removed this
> over 2 years ago. It's not in the openssh that ships with FreeBSD 11.2:
>
> | commit e690fe85750e93fca1fb7c7c8587d4130a4f7aba
> | Author: dtucker at openbsd.org <dtucker at openbsd.org>
> | Date: Wed Jun 15 00:40:40 2016 +0000
> |
> | upstream commit
> |
> | Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message
> | about forward and reverse DNS not matching. We haven't supported IP-based
> | auth methods for a very long time so it's now misleading. part of bz#2585,
> | ok markus@
> |
> | Upstream-ID: 5565ef0ee0599b27f0bd1d3bb1f8a323d8274e29
>
> cheers, Jamie
adding:
UseDNS no
has the added benefit of avoiding a grueling delay when YOU are the one behind
an IP address with a misconfigured reverse DNS mapping (which is horribly common
on consumer networks). It goes into /etc/ssh/sshd_config and has been among my
initial configuration to every FreeBSD box I've stood up for a decade.
openssh-portable (in ports, produced by the paranoid fellows at OpenBSD) has
actually switched to adopt this, UseDNS no, as their default configuration for,
I think it's been a couple of years now. This is in addition to dropping the message
from their log output if UseDNS yes.
There is no point to this foolishly alarming message. Be mindful of the OTHER
ways you must surely have in place to keep your sshd hard against attack.
-CJ
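A model of the forward-confirmed reverse DNS check the thread describes (reverse lookup, then forward lookup of the result, then compare), added here as an illustration and not OpenSSH's own code. The resolver callbacks and the zone data are constructed so it runs offline; hostnames and addresses are assumptions, and the `use_dns` flag models the effect of `UseDNS no`.

```python
import ipaddress
from typing import Callable, Iterable, Optional

# Resolver callbacks are injected so the check can run offline. In a real
# deployment they would wrap socket.gethostbyaddr / socket.getaddrinfo.
ReverseLookup = Callable[[str], Optional[str]]
ForwardLookup = Callable[[str], Iterable[str]]


def fcrdns(ip: str, reverse: ReverseLookup, forward: ForwardLookup,
           use_dns: bool = True) -> dict:
    """Forward-confirmed reverse DNS, as sshd does when UseDNS is enabled.

    1. reverse-look up the client IP to a hostname (PTR)
    2. forward-look up that hostname (A/AAAA)
    3. confirm the original IP is among the forward results
    With use_dns=False the lookups are skipped entirely, which is what
    avoids the delay the thread mentions when the client's PTR is broken.
    """
    addr = str(ipaddress.ip_address(ip))  # normalises; raises on garbage
    if not use_dns:
        return {"ip": addr, "host": None, "status": "skipped"}
    name = reverse(addr)
    if name is None:
        return {"ip": addr, "host": None, "status": "no-ptr"}
    forward_ips = {str(ipaddress.ip_address(a)) for a in forward(name)}
    if addr in forward_ips:
        return {"ip": addr, "host": name, "status": "match"}
    # This is the case older sshd logged as a "possible break-in attempt";
    # it is almost always a stale or missing forward record, not an attack.
    return {"ip": addr, "host": name, "status": "mismatch"}


# Constructed sample zone data (documentation ranges, not real hosts):
# .10 has consistent records, .11 has a PTR whose name points elsewhere,
# .12 has no PTR at all.
_PTR = {"192.0.2.10": "good.example.net", "192.0.2.11": "stale.example.net"}
_A = {"good.example.net": ["192.0.2.10"], "stale.example.net": ["198.51.100.5"]}


def sample_reverse(ip: str) -> Optional[str]:
    return _PTR.get(ip)


def sample_forward(name: str) -> Iterable[str]:
    return _A.get(name, [])


def check_with_sample_zone(ip: str, use_dns: bool = True) -> str:
    return fcrdns(ip, sample_reverse, sample_forward, use_dns)["status"]


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(client, check_with_sample_zone(client), check_with_sample_zone(client, False))
```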