conf/103215: "security run output" info flooded with pointless warnings

Stefan `Sec` Zehl sec at 42.org
Wed Sep 13 03:10:56 PDT 2006


>Number:         103215
>Category:       conf
>Synopsis:       "security run output" info flooded with pointless warnings
>Confidential:   no
>Severity:       critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 13 10:10:22 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Stefan `Sec` Zehl
>Release:        FreeBSD 5.5-STABLE i386
>Organization:
>Environment:
System: FreeBSD ice 5.5-STABLE FreeBSD 5.5-STABLE #31: Thu Jun 1 19:05:49 CEST 2006 root at ice:/export/obj/export/src/sys/ICE i386


>Description:

The "daily security output" on every internet-connected machine I own is filled with pointless ssh warnings like these:

Sep 12 07:00:46 ice sshd[33728]: reverse mapping checking getaddrinfo for \
221-13 4-109-162.sify.net failed - POSSIBLE BREAKIN ATTEMPT!

These warnings are not only wrong (these are simply misconfigured scanner
hosts) but, more importantly, these warnings are not in any way aggregated or
rate-limited. This means that every "daily security run output" is filled with
these messages to the point that any other (possibly far more important) output
is masked. You are not able to see _important_ events at a glance any more.

Mass warnings on unimportant events like this only serve to propagate
warning fatigue to the point that people stop reading these reports.

>How-To-Repeat:

Run FreeBSD on an internet-connected machine. Have ssh open.
>Fix:


I personally would simply disable the pointless warning in sshd with the patch at the bottom. But if necessary, I can provide a patch for the daily security script to simply ignore that warning.

A last possibility would be to aggregate these lines into a single one.

--- /usr/src/crypto/openssh/canohost.c.org	Tue Apr 20 11:46:39 2004
+++ /usr/src/crypto/openssh/canohost.c	Wed Sep 13 11:46:09 2006
@@ -102,8 +102,6 @@
 	hints.ai_family = from.ss_family;
 	hints.ai_socktype = SOCK_STREAM;
 	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-		logit("reverse mapping checking getaddrinfo for %.700s "
-		    "failed - POSSIBLE BREAKIN ATTEMPT!", name);
 		return xstrdup(ntop);
 	}
 	/* Look for the address from the list of addresses. */
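Review bot: deleting the logit() call outright in the getaddrinfo-failure branch removes the only record that reverse mapping failed for a connecting host, whereas the report itself asks for aggregation or rate-limiting rather than silence. A smaller change keeps the event available for troubleshooting but out of the daily security report by lowering its level, e.g. `verbose("reverse mapping checking getaddrinfo for %.700s failed", name);` in place of the two removed lines, which also drops the misleading "POSSIBLE BREAKIN ATTEMPT!" wording; the following `return xstrdup(ntop);` already provides the correct fallback, so only the logging needs to change.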


>Release-Note:
>Audit-Trail:
>Unformatted:
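The third option from the Fix section, aggregating the repeated reverse-mapping lines into a single summary line, as an added shell example (not the PR's patch and not FreeBSD's own daily security script); the log lines fed to it are constructed, and the function name and the wording of the summary line are assumptions:

```shell
#!/bin/sh
# Added example: collapse repeated sshd "reverse mapping checking
# getaddrinfo ... failed" warnings into one summary line while passing
# every other log line through unchanged. Function name and summary
# wording are assumptions, not FreeBSD's security script.
aggregate_reverse_map() {
    awk '
    # Match the warning format quoted in the PR (sshd of that era)
    /sshd\[[0-9]+\]: reverse mapping checking getaddrinfo for / {
        # The offending host name is the field right after the word "for"
        host = ""
        for (i = 1; i <= NF; i++)
            if ($i == "for") { host = $(i + 1); break }
        if (host != "" && !(host in seen)) { seen[host] = 1; distinct++ }
        total++
        next
    }
    { print }   # any other line is left untouched
    END {
        if (total > 0)
            printf "sshd: %d reverse mapping warnings collapsed (%d distinct hosts)\n", total, distinct
    }'
}

# Constructed sample log; host names, addresses and PIDs are placeholders
SAMPLE_LOG=$(cat <<'EOF'
Sep 12 07:00:46 ice sshd[33728]: reverse mapping checking getaddrinfo for scanner-1.example.net failed - POSSIBLE BREAKIN ATTEMPT!
Sep 12 07:01:02 ice sshd[33731]: reverse mapping checking getaddrinfo for scanner-1.example.net failed - POSSIBLE BREAKIN ATTEMPT!
Sep 12 07:03:15 ice sshd[33740]: Accepted publickey for sec from 192.0.2.10 port 51234 ssh2
Sep 12 07:05:41 ice sshd[33755]: reverse mapping checking getaddrinfo for scanner-2.example.net failed - POSSIBLE BREAKIN ATTEMPT!
Sep 12 07:09:03 ice sshd[33760]: Failed password for root from 192.0.2.20 port 4022 ssh2
EOF
)

# Run stand-alone: prints the two real events followed by one summary line
printf '%s\n' "$SAMPLE_LOG" | aggregate_reverse_map
```

Piping the sshd portion of the day's log through the function in the security script keeps the login and failed-password lines visible while the scanner noise shrinks to one line.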

