Hi Sam,
On Mon, Apr 08, 2013 at 12:22:27PM +0200, Samuel Bächler wrote:
> Apr 2 00:59:34 hermann sshd[20368]: reverse mapping checking getaddrinfo for isjhr-nxt.eduhr.ro [193.231.42.110] failed - POSSIBLE BREAK-IN ATTEMPT!
> Apr 2 00:59:34 hermann sshd[20368]: Invalid user oracle from 193.231.42.110
>
> Is my understanding of these log entries correct? The first line says that
> someone ssh-ed me from a domain isjhr-nxt.eduhr.ro but this domain does not
> map to 193.231.42.110.

Not quite. The reverse of 193.231.42.110 is isjhr-nxt.eduhr.ro:
$ dig +noall +answer -x 193.231.42.110
110.42.231.193.in-addr.arpa. 10731 IN PTR ISJhr-nxt.eduhr.ro.
But there is no matching A or AAAA record for ISJhr-nxt.eduhr.ro:
$ dig +noall +answer -t a ISJhr-nxt.eduhr.ro
$ dig +noall +answer -t aaaa ISJhr-nxt.eduhr.ro
$
Bear in mind that the two parts of the DNS here are often under the
control of two different sets of people. For example, as a BitFolk
customer you can set your reverse DNS to whatever you like, say
fbi.gov. But since you (probably) have no access to the fbi.gov DNS
zone you cannot add matching A/AAAA records that point to your VPS.
sshd is warning you not to believe the supplied "ISJhr-nxt.eduhr.ro"
because lacking the matching A/AAAA records it is possible that they
just made it up in the hope that you have some sort of DNS-based
access control.
SSH access control doesn't work like that so you don't need to worry
about that.

> The second line says that this person (program) tried something
> like "ssh oracle(a)my.vps".

Yes, and it is an invalid user presumably because that user does not
exist on your VPS.

> Moreover, I do not have to worry about such entries.

Yes, unless they guess a user name that does exist and that user
name belongs to someone who may set a weak password.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
I'd be interested to hear any (even two word)
reviews of their sofas…
Provides seating. — Andy Davidson
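
Added example, not part of the original message and not OpenSSH's own code: a forward-confirmed reverse DNS check in Python that follows the same two lookups as the dig commands above (PTR for the address, then A/AAAA for the returned name). The function names, the verdict strings and the sample records are assumptions made for illustration; the sample data is constructed from documentation address ranges.

```python
import ipaddress
import socket

def system_reverse(ip):
    """PTR lookup through the system resolver; hostname or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def system_forward(name):
    """A/AAAA lookup through the system resolver; set of address strings."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def check_fcrdns(ip, reverse=system_reverse, forward=system_forward):
    """Return (verdict, ptr_name); verdict is no-ptr, unconfirmed or confirmed."""
    client = ipaddress.ip_address(ip)
    name = reverse(ip)
    if not name:
        return ("no-ptr", None)
    name = name.rstrip(".").lower()  # DNS names compare case-insensitively
    for addr in forward(name):
        try:
            # Strip any IPv6 scope id before comparing parsed addresses
            if ipaddress.ip_address(addr.split("%")[0]) == client:
                return ("confirmed", name)
        except ValueError:
            continue
    # PTR exists but no A/AAAA record points back: the name is unverified
    return ("unconfirmed", name)

# Constructed stand-ins for DNS data (RFC 5737 / RFC 3849 documentation ranges)
SAMPLE_PTR = {
    "192.0.2.10": "Host-A.example.net.",   # PTR only, no forward record
    "192.0.2.20": "good.example.net.",     # PTR and matching A record
    "192.0.2.30": "claimed.example.org.",  # PTR names someone else's host
}
SAMPLE_FWD = {
    "good.example.net": {"192.0.2.20", "2001:db8::20"},
    "claimed.example.org": {"198.51.100.7"},
}

def sample_reverse(ip):
    return SAMPLE_PTR.get(ip)

def sample_forward(name):
    return SAMPLE_FWD.get(name, set())
```

Calling `check_fcrdns(ip)` with the default arguments uses the system resolver; passing `sample_reverse` and `sample_forward` runs the same logic against the constructed records without any network access.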