Date: Sun, 2 Jun 2002 11:34:09 -0700
From: "Crist J. Clark" <crist.clark@attbi.com>
To: Drew Tomlinson <drew@mykitchentable.net>
Cc: security@FreeBSD.ORG
Subject: Re: Security Messages re: hosts.allow?
Message-ID: <20020602113409.F20911@blossom.cjclark.org>
In-Reply-To: <007e01c20a47$7fabb370$1b01a8c0@TAGALONG>; from drew@mykitchentable.net on Sun, Jun 02, 2002 at 08:09:31AM -0700
References: <007e01c20a47$7fabb370$1b01a8c0@TAGALONG>

On Sun, Jun 02, 2002 at 08:09:31AM -0700, Drew Tomlinson wrote:
> I found the following in my daily security email:
>
> blacklamb.mykitchentable.net kernel log messages:
>
> Jun 1 01:33:15 blacklamb sshd[30021]: warning: /etc/hosts.allow,
> line 23: host name/address mismatch: 210.59.224.42 !=
> server1.camelweb.com.tw
>
> Jun 1 01:33:15 blacklamb sshd[30022]: warning: /etc/hosts.allow,
> line 23: host name/address mismatch: 210.59.224.42 !=
> server1.camelweb.com.tw
>
> I checked my hosts.allow file and line 23 is the default:
>
> ALL : ALL : allow
>
> I have not changed hosts.allow from the default. What do the above
> messages mean and what should I do about them (if anything)?

It means that site has some pretty wacked out DNS entries for those
entities,

  server1.camelweb.com.tw.     23h59m43s IN CNAME  dns.camelweb.com.tw.
  server1.camelweb.com.tw.     23h59m43s IN A      210.59.224.44
  dns.camelweb.com.tw.         22h47m42s IN A      210.59.224.42
  42.224.59.210.in-addr.arpa.  9h1m47s   IN PTR    server1.camelweb.com.tw.

But from the looks of it, these DNS entries themselves do not look
malicious.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020602113409.F20911>
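
The check behind the warning discussed in the message above, as an added example that is not part of the original message or of the tcp_wrappers code: a reverse lookup of the peer address followed by a forward lookup of the returned name, run offline against the records quoted in the reply. The function names are hypothetical, and the lookup tables assume the forward lookup of server1 returned its own A record rather than following the CNAME.

```python
import re

# Log line from the quoted report, rejoined onto one line.
LOG = ("Jun 1 01:33:15 blacklamb sshd[30021]: warning: /etc/hosts.allow, "
       "line 23: host name/address mismatch: 210.59.224.42 != "
       "server1.camelweb.com.tw")

# Records quoted in the reply, as lookup tables. Assumption: the forward
# lookup of server1 returned its own A record, not the CNAME target.
PTR = {"210.59.224.42": "server1.camelweb.com.tw."}
A = {"server1.camelweb.com.tw.": ["210.59.224.44"],
     "dns.camelweb.com.tw.": ["210.59.224.42"]}

WARN = re.compile(r"warning: (?P<file>\S+), line (?P<line>\d+): "
                  r"host name/address mismatch: (?P<addr>\S+) != (?P<name>\S+)")


def parse_warning(line):
    """Extract rule file, rule line, peer address and PTR name, or None."""
    m = WARN.search(line)
    return m.groupdict() if m else None


def fqdn(name):
    """Normalise a host name to lower case with one trailing dot."""
    return name.rstrip(".").lower() + "."


def fcrdns(addr, ptr=PTR, a=A):
    """Reverse-then-forward check on a peer address.

    Returns (verdict, name, forward_addrs); verdict is 'ok', 'no-ptr',
    'no-forward' or 'mismatch'.
    """
    name = ptr.get(addr)
    if name is None:
        return "no-ptr", None, []
    forward = a.get(fqdn(name), [])
    if not forward:
        return "no-forward", fqdn(name), []
    return ("ok" if addr in forward else "mismatch"), fqdn(name), forward


if __name__ == "__main__":
    w = parse_warning(LOG)
    verdict, name, forward = fcrdns(w["addr"])
    print(w["addr"], "->", name, "->", forward, ":", verdict)
```

The `mismatch` verdict for 210.59.224.42 corresponds to the logged warning: the PTR name's forward address is 210.59.224.44, so the address the connection came from is not confirmed by the name it claims.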