CentOS 5 Sshd Does Not Log IP Address Of Reverse Mapping Failure


I’m running a mix of CentOS 5 and 6 servers reachable by ssh from the Internet. Of course I allow only public key authentication and no root login. In addition I’m running fail2ban to block obnoxious brute force attack sources.

On CentOS 6 this is working pretty well, but on CentOS 5 there’s one class of attacks fail2ban fails to ban. (No pun intended.) This isn’t fail2ban’s fault, but openssh’s. When the source IP address of a failed attempt fails the reverse mapping check, CentOS 6 (openssh-server-5.3p1-81.el6_3.x86_64) logs:

Mar 3 04:06:34 posthamster sshd[1718]: reverse mapping checking getaddrinfo for hn.ly.kd.adsl [61.163.113.72] failed - POSSIBLE BREAK-IN ATTEMPT!

from which fail2ban can pick up and block IP address 61.163.113.72 just fine. CentOS 5 (openssh-server-4.3p2-82.el5) OTOH logs:

Mar 3 04:44:48 gimli sshd[12870]: reverse mapping checking getaddrinfo for hn.ly.kd.adsl failed - POSSIBLE BREAK-IN ATTEMPT!

without the IP address. The name is of no use because sshd just confirmed that it doesn’t really correspond to the attacker’s IP address.

Any ideas how to remedy that situation?

10 thoughts on - CentOS 5 Sshd Does Not Log IP Address Of Reverse Mapping Failure

  • On 06.03.2013 19:20, Gordon Messmer wrote:

    Trouble is, I don’t:

    Feb 8 00:03:09 dns01 sshd[6119]: reverse mapping checking getaddrinfo for mbl-99-61-82.dsl.net.pk failed - POSSIBLE BREAK-IN ATTEMPT!
    Feb 8 00:03:10 dns01 sshd[6120]: Disconnecting: Too many authentication failures for root
    Feb 8 00:03:19 dns01 sshd[6121]: reverse mapping checking getaddrinfo for mbl-99-61-82.dsl.net.pk failed - POSSIBLE BREAK-IN ATTEMPT!
    Feb 8 00:03:20 dns01 sshd[6122]: Disconnecting: Too many authentication failures for root
    Feb 8 00:03:22 dns01 sshd[6123]: reverse mapping checking getaddrinfo for mbl-99-61-82.dsl.net.pk failed - POSSIBLE BREAK-IN ATTEMPT!
    Feb 8 00:03:23 dns01 sshd[6124]: Disconnecting: Too many authentication failures for root
    […]

    And at the end of the day, logwatch tells me:

    ——————— SSHD Begin ———————-

  • You could deny all by default and only allow your locations in tcp_wrappers.

    Add this to /etc/hosts.deny:

    sshd: ALL

    And this to /etc/hosts.allow

    sshd: 12.34.56.78 your.ip.here 123. 12.34.

    I exaggerated the spaces. You’d still get the failures in your logs, but access to the service won’t be granted as it wouldn’t match the allow.


  • On 07.03.2013 19:07, Michael Krug wrote:

    Can’t do that. People must be able to SSH in from dynamic IPs.

  • On 07.03.2013 19:49, Les Mikesell wrote:

    Not really. That seems to remove the “reverse mapping checking failed” messages (assuming there were the usual number of such attempts after I set that option), but IP addresses for failed logins to existing users are never logged. The log contains just:

    sshd[27912]: Disconnecting: Too many authentication failures for root

    In contrast, log entries for login attempts with non-existing user names do contain the source IP address:

    sshd[30576]: Invalid user condor from 62.201.70.8

    But this is true on both CentOS 5 and 6, so it’s apparently the way OpenSSH decided to do things, and cannot be remedied by the distribution.
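As an added example (not code from the thread, and not fail2ban’s own sshd filter), a small Python parser over constructed lines modelled on the sshd messages quoted in the original post and in the reply above. It shows which failure messages carry a client address that a log-driven ban tool can act on, and which ones (the CentOS 5 reverse-mapping line, the “Too many authentication failures” line) leave such a tool blind. The regular expressions and the sample log are my own; 203.0.113.5 is a documentation-range placeholder.

```python
import re
from collections import Counter

# Constructed sample, modelled on the sshd lines quoted in this thread.
SAMPLE_LOG = """\
Mar 3 04:06:34 posthamster sshd[1718]: reverse mapping checking getaddrinfo for hn.ly.kd.adsl [61.163.113.72] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 3 04:44:48 gimli sshd[12870]: reverse mapping checking getaddrinfo for hn.ly.kd.adsl failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 8 00:03:10 dns01 sshd[6120]: Disconnecting: Too many authentication failures for root
Feb 8 00:03:20 dns01 sshd[6122]: Disconnecting: Too many authentication failures for root
Mar 3 05:10:02 dns01 sshd[30576]: Invalid user condor from 62.201.70.8
Mar 8 11:46:56 firewall sshd[27455]: Failed password for root from 203.0.113.5 port 51437 ssh2
"""

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# Failure messages that carry the client address (my own patterns, not fail2ban's).
WITH_IP = {
    "reverse_mapping": re.compile(r"reverse mapping checking getaddrinfo for \S+ \[" + IPV4 + r"\] failed"),
    "invalid_user": re.compile(r"Invalid user \S+ from " + IPV4),
    "failed_password": re.compile(r"Failed password for \S+ from " + IPV4 + r" port \d+"),
}
# Failure messages that never carry the client address on their own.
WITHOUT_IP = {
    "reverse_mapping_noip": re.compile(r"reverse mapping checking getaddrinfo for \S+ failed"),
    "too_many_failures": re.compile(r"Too many authentication failures for \S+"),
}

def classify(line):
    """Return (kind, ip) for a known failure line; ip is None when sshd omitted it."""
    for kind, pat in WITH_IP.items():
        m = pat.search(line)
        if m:
            return kind, m.group("ip")
    for kind, pat in WITHOUT_IP.items():
        if pat.search(line):
            return kind, None
    return None, None

def bannable_sources(log):
    """Failures per client IP: the only input a log-driven ban tool can act on."""
    hits = Counter()
    for line in log.splitlines():
        kind, ip = classify(line)
        if ip:
            hits[ip] += 1
    return hits

def blind_spots(log):
    """Kinds of failure lines that name no client IP and so cannot be attributed."""
    return [kind for kind, ip in map(classify, log.splitlines()) if kind and ip is None]
```

Running it over the sample yields one bannable hit each for 61.163.113.72, 62.201.70.8 and 203.0.113.5, while the CentOS 5 reverse-mapping line and both “Too many authentication failures” lines land in the blind list.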

  • Sure, but as you’ve noticed, logging the reverse-DNS isn’t particularly useful there. Turn it off and you should get the number in the logs.

  • On 08.03.2013 15:50, Reindl Harald wrote:
    […]

    How do you know? I saw no logon from you on the machine I tested this on. :-)

    For failed login attempts to existing usernames? Can you share a log entry? That would give me hope that it’s just a configuration issue.

    Thanks, Tilman

  • On 08.03.2013 17:40, Reindl Harald wrote:

    Tsk, tsk. Language!

    If you had actually read the thread before replying you might have noticed that it is not about these messages at all. These are messages about invalid users. I already wrote that I get these too, complete with IP addresses, even before putting in “UseDNS no”. My question is about these:

    Feb 10 13:32:41 dns01 sshd[16161]: Disconnecting: Too many authentication failures for root
    Feb 10 13:32:45 dns01 sshd[16163]: Disconnecting: Too many authentication failures for root
    Feb 10 13:32:48 dns01 sshd[16165]: Disconnecting: Too many authentication failures for root
    Feb 10 13:32:53 dns01 sshd[16167]: Disconnecting: Too many authentication failures for root
    Feb 10 13:32:55 dns01 sshd[16169]: Disconnecting: Too many authentication failures for root
    Feb 10 13:32:59 dns01 sshd[16171]: Disconnecting: Too many authentication failures for root
    Feb 10 13:33:02 dns01 sshd[16173]: Disconnecting: Too many authentication failures for root
    Feb 10 13:33:05 dns01 sshd[16175]: Disconnecting: Too many authentication failures for root
    Feb 10 13:33:08 dns01 sshd[16177]: Disconnecting: Too many authentication failures for root
    Feb 10 13:33:11 dns01 sshd[16179]: Disconnecting: Too many authentication failures for root

    Do you have log entries with IP addresses for these?

    Oh, before you ask, the sshd which logged these runs of course with

    PermitRootLogin no
    PasswordAuthentication no

    Notice the subject line? How it says “CentOS 5”? That was deliberate.

  • Are you watching the messages or secure log?

    # cat /etc/redhat-release
    CentOS release 5.8 (Final)
    # tail -f /var/log/secure
    Mar 8 11:46:54 firewall sshd[27455]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=3-xx-xx-xx-washington.hfc.comcastbusiness.net user=root
    Mar 8 11:46:56 firewall sshd[27455]: Failed password for root from 173.xx.xx.xx port 51437 ssh2

    The standard configuration should be logging the IP address of failed logins.

    I don’t think I have access to any hosts where the reverse lookup is broken, so I’m not sure if what you’re seeing is a result of a logging bug related to PTR mismatch, or what.
