Hello all,

My logs get filled with bogus SSH connection attempts which I'd expect should have been denied without logging, so a couple of observations.

Syslog has lots of entries like:

Aug 29 02:23:31 otso sshd[21000]: reverse mapping checking getaddrinfo for powered.by.e-leven.be [78.110.207.104] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 29 02:23:31 otso sshd[21000]: Invalid user upload from 78.110.207.104

and these also show as multiple 'lastb' entries in btmp:

upload   ssh:notty    78.110.207.104   Wed Aug 29 02:23 - 02:23  (00:00)
upload   ssh:notty    78.110.207.104   Wed Aug 29 02:23 - 02:23  (00:00)
upload   ssh:notty    78.110.207.104   Wed Aug 29 02:23 - 02:23  (00:00)
upload   ssh:notty    78.110.207.104   Wed Aug 29 02:23 - 02:23  (00:00)
upload   ssh:notty    78.110.207.104   Wed Aug 29 02:23 - 02:23  (00:00)
upload   ssh:notty    78.110.207.104   Wed Aug 29 02:23 - 02:23  (00:00)
...

This is a bit unexpected for two reasons: an AllowUsers directive exists and these users aren't listed there, and PasswordAuthentication is disabled for them [1]. Yet they clutter the logs.

Looking at the code, it seems that the getaddrinfo failures don't result in the connection being rejected, even though the man page would seem to indicate so [2], though it is not explicit about it.

It also seems that the possible authentication methods are only checked (do_authloop in SSH1) after it has been verified whether the user exists (causing these log messages). Likewise, in auth.c getpwnam() is executed for the attempted user even if the user is not listed in AllowUsers.

Would it make sense to check the usernames and hosts later, avoiding unnecessary log clutter? Or is all of this intentional and due to trying to avoid being able to use SSH to divulge whether a user is allowed to log in or not?
[1] config is substantially as follows:

==8<==
Protocol 2,1
AllowUsers foo bar
PasswordAuthentication no
Match Host *.fi
    PasswordAuthentication yes
Match Host 2002:*
    PasswordAuthentication yes
==8<==

[2] UseDNS
    Specifies whether sshd(8) should look up the remote host name and check
    that the resolved host name for the remote IP address maps back to the
    very same IP address. The default is "yes".

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
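An added example, not code from the post above or from OpenSSH, illustrating the log-clutter problem the post describes: it parses the two sshd message formats quoted there ("reverse mapping checking getaddrinfo ... failed" and "Invalid user ... from ...") together with sshd's standard "Failed <method> for ..." and "Accepted <method> for ..." lines, then sorts source IPs into those that only probe accounts AllowUsers would reject anyway (clutter) and those hitting accounts that can actually log in (worth watching). The sample log lines are constructed to mirror the post's excerpt (192.0.2.0/24 and 198.51.100.0/24 are documentation address ranges), the ALLOW_USERS list mirrors the post's "AllowUsers foo bar", and the AllowUsers matching is a simplification: USER or USER@HOST patterns with * and ? wildcards, with HOST checked only against the source IP string, whereas sshd also tries the resolved host name.

```python
"""Triage sshd log noise against an AllowUsers list (added example)."""
import re
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample lines modelled on the post's syslog excerpt; the
# 192.0.2.0/24 and 198.51.100.0/24 addresses are documentation ranges.
SAMPLE_SYSLOG = """\
Aug 29 02:23:31 otso sshd[21000]: reverse mapping checking getaddrinfo for powered.by.e-leven.be [78.110.207.104] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 29 02:23:31 otso sshd[21000]: Invalid user upload from 78.110.207.104
Aug 29 02:23:31 otso sshd[21000]: Failed password for invalid user upload from 78.110.207.104 port 40312 ssh2
Aug 29 02:23:33 otso sshd[21002]: Invalid user upload from 78.110.207.104
Aug 29 02:25:10 otso sshd[21020]: Failed password for foo from 198.51.100.7 port 50122 ssh2
Aug 29 02:25:14 otso sshd[21020]: Failed password for foo from 198.51.100.7 port 50122 ssh2
Aug 29 02:26:40 otso sshd[21031]: Accepted publickey for bar from 192.0.2.10 port 51234 ssh2
"""

ALLOW_USERS = ["foo", "bar"]   # mirrors the post's "AllowUsers foo bar"

# Generic syslog prefix: timestamp, host, "sshd[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# The sshd message bodies we recognise; anything else is ignored.
MSG_RES = {
    "revmap_failed": re.compile(
        r"^reverse mapping checking getaddrinfo for (?P<name>\S+) "
        r"\[(?P<ip>[^\]]+)\] failed"),
    "invalid_user": re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)"),
    "auth_failed": re.compile(
        r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
        r"from (?P<ip>\S+)"),
    "auth_ok": re.compile(
        r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)"),
}


def parse_sshd_log(text):
    """Return one event dict per recognised sshd line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        for kind, rx in MSG_RES.items():
            mm = rx.match(m.group("msg"))
            if mm:
                ev = {"kind": kind, "pid": int(m.group("pid")), "user": None,
                      "name": None, "method": None}
                ev.update(mm.groupdict())
                events.append(ev)
                break
    return events


def user_allowed(user, ip, allow_users):
    """Approximate sshd AllowUsers matching: USER or USER@HOST patterns with
    * and ? wildcards.  Simplification (assumption of this example): HOST is
    matched only against the source IP string; sshd also tries the host name."""
    for pat in allow_users:
        upat, _, hpat = pat.partition("@")
        if fnmatchcase(user, upat) and (not hpat or fnmatchcase(ip, hpat)):
            return True
    return False


def triage(events, allow_users):
    """Per source IP: counts by event kind, user names tried, and a verdict.
    'clutter'  - every attempt targets a user AllowUsers would reject anyway
    'watch'    - a failed attempt against a user that is actually allowed
    'accepted' - a successful login was seen from this IP"""
    per_ip = defaultdict(lambda: {"counts": defaultdict(int), "users": set(),
                                  "verdict": "clutter"})
    for ev in events:
        entry = per_ip[ev["ip"]]
        entry["counts"][ev["kind"]] += 1
        if ev["user"]:
            entry["users"].add(ev["user"])
        if ev["kind"] == "auth_ok":
            entry["verdict"] = "accepted"
        elif (ev["kind"] in ("invalid_user", "auth_failed")
              and entry["verdict"] != "accepted"
              and user_allowed(ev["user"], ev["ip"], allow_users)):
            entry["verdict"] = "watch"
    return {ip: {"counts": dict(e["counts"]), "users": sorted(e["users"]),
                 "verdict": e["verdict"]} for ip, e in per_ip.items()}


if __name__ == "__main__":
    for ip, info in triage(parse_sshd_log(SAMPLE_SYSLOG), ALLOW_USERS).items():
        print(f"{ip:16} {info['verdict']:9} users={info['users']} {info['counts']}")
```

On the sample data the scanner at 78.110.207.104 is classified as clutter (its only target, "upload", can never pass AllowUsers), the failed password attempts against "foo" from 198.51.100.7 are flagged to watch, and 192.0.2.10 shows an accepted login. One point worth keeping in mind when reading the post's config: the "Match Host *.fi" block can only match if sshd resolves the client's host name, which is the same lookup that produces the reverse-mapping message.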