freebsd security - Jul 2018 - Possible break-in attempt?

On 21/07/2018 11:03, Chad Jacob Milios wrote:
>> On Jul 20, 2018, at 3:05 PM, Jamie Landeg-Jones <jamie at
catflap.org> wrote:
>>
>> Dimitry Andric <dim at freebsd.org> wrote:
>>
>>> For each incoming IP address, sshd does a reverse lookup, and if
that
>>> results in a hostname, it does another lookup of that hostname, to
see
>>> if *that* result matches the original incoming IP address.  If it
does
>>> not, you get this scary warning in syslog about a "possible
break-in
>>> attempt!".
>>>
>>> In my opinion, this is fairly misleading, since almost always the
actual
>>> cause is badly configured DNS, a very common occurrence.  In
addition,
>>> matching forward and reverse DNS records is no guarantee at all
that the
>>> incoming IP address is in any way trustworthy.
>> I'm not sure which version this made it into, but they actually
removed this
>> over 2 years ago. It's not in the openssh that ships with FreeBSD
11.2:
>>
>> | commit e690fe85750e93fca1fb7c7c8587d4130a4f7aba
>> | Author: dtucker at openbsd.org <dtucker at openbsd.org>
>> | Date:   Wed Jun 15 00:40:40 2016 +0000
>> |
>> |     upstream commit
>> |
>> |     Remove "POSSIBLE BREAK-IN ATTEMPT!" from log message
>> |     about forward and reverse DNS not matching.  We haven't
supported IP-based
>> |     auth methods for a very long time so it's now misleading. 
part of bz#2585,
>> |     ok markus@
>> |
>> |     Upstream-ID: 5565ef0ee0599b27f0bd1d3bb1f8a323d8274e29
>>
>> cheers, Jamie
> adding:
>
> UseDNS no
>
> has the added benefit of avoiding a grueling delay when YOU are the one
behind an IP address with a misconfigured reverse DNS mapping (which is horribly
common on consumer networks). It goes into /etc/ssh/sshd_config and has been
among my initial configuration to every FreeBSD box i?ve stood up for a decade.
>
> openssh-portable (in ports, produced by the paranoid fellows at OpenBSD)
has actually switched to adopt this, UseDNS no, as their default configuration
for, i think its been a couple years now. This is in addition to dropping the
message from their log output if UseDNS yes.
>
> There is no point to this foolishly alarming message. Be mindful of the
OTHER ways you must surely have in place to keep your sshd hard against attack.
>
Good to know. But the documentation says setting to no prevents from 
using DNS in known_hosts. When I look into my known_hosts I see many 
dns-only names, e.g. github.com among others.

GrzegorzJ

> On Jul 21, 2018, at 7:57 AM, Grzegorz Junka <list1 at gjunka.com>
wrote:
> On 21/07/2018 11:03, Chad Jacob Milios wrote:
>>> On Jul 20, 2018, at 3:05 PM, Jamie Landeg-Jones <jamie at
catflap.org> wrote:
>>> 
>>> Dimitry Andric <dim at freebsd.org> wrote:
>>> 
>>>> For each incoming IP address, sshd does a reverse lookup, and
if that
>>>> results in a hostname, it does another lookup of that hostname,
to see
>>>> if *that* result matches the original incoming IP address.  If
it does
>>>> not, you get this scary warning in syslog about a
"possible break-in
>>>> attempt!".
>>>> 
>>>> In my opinion, this is fairly misleading, since almost always
the actual
>>>> cause is badly configured DNS, a very common occurrence.  In
addition,
>>>> matching forward and reverse DNS records is no guarantee at all
that the
>>>> incoming IP address is in any way trustworthy.
>>> I'm not sure which version this made it into, but they actually
removed this
>>> over 2 years ago. It's not in the openssh that ships with
FreeBSD 11.2:
>>> 
>>> | commit e690fe85750e93fca1fb7c7c8587d4130a4f7aba
>>> | Author: dtucker at openbsd.org <dtucker at openbsd.org>
>>> | Date:   Wed Jun 15 00:40:40 2016 +0000
>>> |
>>> |     upstream commit
>>> |
>>> |     Remove "POSSIBLE BREAK-IN ATTEMPT!" from log
message
>>> |     about forward and reverse DNS not matching.  We haven't
supported IP-based
>>> |     auth methods for a very long time so it's now misleading.
part of bz#2585,
>>> |     ok markus@
>>> |
>>> |     Upstream-ID: 5565ef0ee0599b27f0bd1d3bb1f8a323d8274e29
>>> 
>>> cheers, Jamie
>> adding:
>> 
>> UseDNS no
>> 
>> has the added benefit of avoiding a grueling delay when YOU are the one
behind an IP address with a misconfigured reverse DNS mapping (which is horribly
common on consumer networks). It goes into /etc/ssh/sshd_config and has been
among my initial configuration to every FreeBSD box i?ve stood up for a decade.
>> 
>> openssh-portable (in ports, produced by the paranoid fellows at
OpenBSD) has actually switched to adopt this, UseDNS no, as their default
configuration for, i think its been a couple years now. This is in addition to
dropping the message from their log output if UseDNS yes.
>> 
>> There is no point to this foolishly alarming message. Be mindful of the
OTHER ways you must surely have in place to keep your sshd hard against attack.
>> 
> 
> Good to know. But the documentation says setting to no prevents from using
DNS in known_hosts. When I look into my known_hosts I see many dns-only names,
e.g. github.com among others.
> 
> GrzegorzJ
In which man page or web page are you seeing this information?