sshd possible breakin attempt messages

Kevin Kinsey kdk at
Mon Feb 6 09:05:00 PST 2006

Brad Gilmer wrote:

>Hello all,
>I guess one of the banes of our existence as Sys Admins 
>is that people are always pounding away at our systems 
>trying to break in.  Lately, I have been getting hit 
>with several hundred of the messages below per day in my 
>security report output...
> login failures:
>Feb  5 11:18:17 gilmer sshd[78078]: reverse mapping checking getaddrinfo for failed - POSSIBLE BREAKIN ATTEMPT!
>Feb  5 11:18:18 gilmer sshd[78080]: reverse mapping checking getaddrinfo for failed - POSSIBLE BREAKIN ATTEMPT!
>Feb  5 11:18:20 gilmer sshd[78082]: reverse mapping checking getaddrinfo for failed - POSSIBLE BREAKIN ATTEMPT!
>I am running FreeBSD 5.4 RELEASE, and right now this 
>box is not a production machine, but I am going to be 
>taking it live fairly soon.  Questions:
>1)  Is there anything I should be doing to thwart this particular attack?

IANAE on security, but there are several possibilities.  Here are a couple
ideas from my deadbeat security brain:

     1.  edit /etc/ssh/sshd_config and make sure that only the right users
          and such are allowed to log in, and via the right methods.

     2.  If the situation allows, you can wrap sshd via /etc/hosts.allow to
          only allow logins from certain IP addresses (i.e., wherever you
          intend to admin this box from).

Note that, as I mentioned, IANAE, and there are plenty of other "higher
level" security actions that can be taken to secure a box from attack.
Maybe some less-newbie-than-me guru will step up to the plate on that;
maybe not.

>2)  Given that I am on 5.4, should I upgrade my sshd or do anything else 
>at this point to make sure my machine is as secure as possible?

Checking the advisories at the web site, and tracking RELENG_5_4 with
cvsup/buildworld, etc. to stay up to date, is a good starting point.

>3)  (Meta-question) - Should I upgrade to 6.0 before I go live to be 
>sure I am in the best possible security situation going forward?  
>Should I wait until 6.1 for bug fixes (generally I am opposed to n.0 anything).

Meta-answer, if possible from an idiot like me:  6.0 is actually a very
notable exception to the "don't grab the zero release" rule in my case.
YMMV, of course.  Last week I upgraded my last 5.X boxen to 6.X, and
I don't plan on looking back!  Now, if I could just find time to
backup/reinstall that 4.X boxen that's locked up so far away!!!


You're welcome.

Kevin Kinsey

<< WAIT >>
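The two suggestions in the reply above (restrict who may log in and by which methods in sshd_config; wrap sshd with hosts.allow so only the admin addresses may connect) as an added, runnable example. This is not code from the thread or from FreeBSD; the user names, the 192.0.2.x addresses and the temporary file paths are constructed placeholders, and the audit helpers mirror sshd's rule that the first occurrence of a keyword wins.

```shell
#!/bin/sh
# Added example, not from the original thread. It writes a constructed
# hardened sshd_config fragment and a hosts.allow fragment, then audits
# them. All names, addresses and paths below are hypothetical.

# Print the value of keyword $2 in sshd_config $1. sshd keywords are
# case-insensitive and the FIRST occurrence is the effective one
# (Match blocks are not handled here; keep this to the global section).
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Returns 0 when "only the right users, via the right methods" holds:
# no root logins, no password or keyboard-interactive logins (so keys only),
# protocol 2 only, and an explicit AllowUsers list. Prints each failure.
check_hardening() {
    cfg=$1; rc=0
    for want in "PermitRootLogin no" "PasswordAuthentication no" \
                "ChallengeResponseAuthentication no" "Protocol 2"; do
        key=${want%% *}; val=${want#* }
        got=$(sshd_setting "$cfg" "$key")
        [ "$got" = "$val" ] || { echo "MISSING: $key should be '$val' (got '${got:-unset}')"; rc=1; }
    done
    [ -n "$(sshd_setting "$cfg" AllowUsers)" ] || { echo "MISSING: AllowUsers list"; rc=1; }
    return $rc
}

# Returns 0 when hosts.allow ($1) has at least one "sshd : <addr> : allow"
# line and a final "sshd : ALL : deny" catch-all (tcp_wrappers stops at
# the first matching line, so the order allow-then-deny matters).
check_hosts_allow() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        { sub(/^[[:space:]]+/, ""); sub(/[[:space:]]+$/, "")
          gsub(/[[:space:]]*:[[:space:]]*/, ":"); split($0, f, ":") }
        f[1] == "sshd" && f[3] == "allow" { allow++ }
        f[1] == "sshd" && f[2] == "ALL" && f[3] == "deny" { deny = 1 }
        END { exit ((allow > 0 && deny) ? 0 : 1) }
    ' "$1"
}

# Write the constructed fragments into directory $1 (default: $TMPDIR or /tmp).
write_samples() {
    dir=${1:-${TMPDIR:-/tmp}}
    cat > "$dir/sshd_config.sample" <<'EOF'
# Constructed hardened fragment; user names are hypothetical
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers bgilmer adminuser
EOF
    cat > "$dir/hosts.allow.sample" <<'EOF'
# Constructed: only the admin workstation and its network may reach sshd
sshd : 192.0.2.10 : allow
sshd : 192.0.2.0/255.255.255.0 : allow
sshd : ALL : deny
EOF
}

# Stand-alone demo: write the samples and audit them.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_hardening "$demo_dir/sshd_config.sample" && echo "sshd_config: OK"
check_hosts_allow "$demo_dir/hosts.allow.sample" && echo "hosts.allow: OK"
```

The ChallengeResponseAuthentication line is the easy one to forget: with UsePAM enabled, "PasswordAuthentication no" alone still lets a client authenticate with a password through keyboard-interactive, so both must be off before the box is really key-only. Apply changes with a second ssh session kept open and test a fresh login before closing it, and remember that the hosts.allow wrapper only takes effect if sshd was built with tcp_wrappers support, as the base-system sshd of that era was.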

