Hi Sam,

On Mon, Apr 08, 2013 at 12:22:27PM +0200, Samuel Bächler wrote:
> Apr 2 00:59:34 hermann sshd[20368]: reverse mapping checking getaddrinfo for isjhr-nxt.eduhr.ro [193.231.42.110] failed - POSSIBLE BREAK-IN ATTEMPT!
> Apr 2 00:59:34 hermann sshd[20368]: Invalid user oracle from 193.231.42.110
>
> Is my understanding of these log entries correct? The first line says
> that someone ssh-ed me from a domain isjhr-nxt.eduhr.ro but this domain
> does not map to 193.231.42.110.

Not quite. The reverse of 193.231.42.110 is isjhr-nxt.eduhr.ro:

$ dig +noall +answer -x 193.231.42.110
110.42.231.193.in-addr.arpa. 10731 IN PTR ISJhr-nxt.eduhr.ro.

But there is no matching A or AAAA record for ISJhr-nxt.eduhr.ro:

$ dig +noall +answer -t a ISJhr-nxt.eduhr.ro
$ dig +noall +answer -t aaaa ISJhr-nxt.eduhr.ro
$

Bear in mind that the two parts of the DNS here are often under the
control of two different sets of people. For example, as a BitFolk
customer you can set your reverse DNS to whatever you like, say
fbi.gov. But since you (probably) have no access to fbi.gov DNS zone
you cannot add matching A/AAAA records that point to your VPS.

sshd is warning you not to believe the supplied "ISJhr-nxt.eduhr.ro"
because lacking the matching A/AAAA records it is possible that they
just made it up in the hope that you have some sort of DNS-based
access control.

SSH access control doesn't work like that so you don't need to worry
about that.

> The second line says that this person (program) tried something
> like "ssh oracle@my.vps".

Yes, and it is an invalid user presumably because that user does not
exist on your VPS.

> Moreover, I do not have to worry about such entries.

Yes, unless they guess a user name that does exist and that user
name belongs to someone who may set a weak password.

Cheers,
Andy

--
http://bitfolk.com/ -- No-nonsense VPS hosting

I'd be interested to hear any (even two word) reviews of their sofas…
Provides seating. — Andy Davidson
--
Samuel Bächler
Obere Bläsistrasse 1
8049 Zürich
Web: boeser.ch
Tel: +41(0)43 817 46 28
Mob: +41(0)79 478 49 42
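
The check behind the first log line (PTR lookup, then A/AAAA lookup of the returned name, then comparison with the client address), as an added example that is not part of the original thread and not OpenSSH's code. The function names and the lookup tables are assumptions made for illustration: the first PTR entry is the one dig shows above, the other entries are constructed from documentation address ranges.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR lookup through the system resolver; None if no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name):
    """A/AAAA lookup through the system resolver; empty set on failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def check_reverse_mapping(ip, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Return (status, ptr_name) for a client address.

    no-ptr:     the address has no reverse record at all
    unverified: the PTR name has no A/AAAA record pointing back at the address
    confirmed:  the PTR name resolves back to the address
    """
    client = ipaddress.ip_address(ip)
    name = ptr_lookup(ip)
    if not name:
        return "no-ptr", None
    name = name.rstrip(".")
    forward = set()
    for text in forward_lookup(name.lower()):   # DNS names are case-insensitive
        try:
            forward.add(ipaddress.ip_address(text.split("%")[0]))  # drop IPv6 scope id
        except ValueError:
            continue
    return ("confirmed" if client in forward else "unverified"), name

# Constructed resolver data. The first PTR is the one dig shows in the thread;
# the other entries use documentation address ranges and are made up.
PTR = {"193.231.42.110": "ISJhr-nxt.eduhr.ro.",
       "198.51.100.7": "fbi.gov.",            # reverse zone owner picked this name
       "192.0.2.10": "host.example.net."}
FWD = {"fbi.gov": {"203.0.113.1"},            # constructed, not fbi.gov's real record
       "host.example.net": {"192.0.2.10"}}

def demo(ip):
    """Run the check against the constructed tables instead of live DNS."""
    return check_reverse_mapping(ip, PTR.get, lambda n: FWD.get(n, set()))

if __name__ == "__main__":
    for ip in PTR:
        print(ip, *demo(ip))
```

Called without the two lookup arguments, check_reverse_mapping() uses the system resolver instead of the tables.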