Subject: Re: Possible break-in attempt?
From: Patrick Proniewski
Date: Wed, 18 Jul 2018 22:58:35 +0200
To: Grzegorz Junka
Cc: freebsd-security@freebsd.org
Message-Id: <4DFA0BF5-1CF0-4100-9743-E011E5097B7E@patpro.net>
References: <594ba84b-0691-8471-4bd4-076d0ae3da98@gjunka.com> <368EABCF-A10A-49E9-9473-7753F6BEAA50@patpro.net>

On 18 Jul 2018, at 22:25, Grzegorz Junka wrote:
>
> I am interested in what security precaution FreeBSD is trying to do here. Is the sshd server receiving an ssh login request from an IP that can't be resolved back to a domain in the reverse DNS (PTR) record for that IP?

This is quite usual with some ISPs:

$ host 62.254.132.162
162.132.254.62.in-addr.arpa domain name pointer 162.132-254-62.static.virginmediabusiness.co.uk.
$ host 162.132-254-62.static.virginmediabusiness.co.uk
Host 162.132-254-62.static.virginmediabusiness.co.uk not found: 3(NXDOMAIN)

It's not a feature of FreeBSD, it's a feature of OpenSSH.

From man sshd_config:

     UseDNS  Specifies whether sshd(8) should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. If this option is set to "no", then only addresses and not host names may be used in ~/.ssh/known_hosts from and sshd_config Match Host directives. The default is "yes".

Patrick
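The forward-confirmed reverse DNS check that UseDNS performs, written out as an added example (not code from the thread or from OpenSSH). The lookup tables are constructed: the Virgin Media entry mirrors the host(1) output above, the example.net/example.org entries and the other addresses are invented to cover the remaining outcomes, and the table-backed resolvers are swapped in for the live socket ones so the script runs offline.

```python
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed PTR data. The first entry reproduces the thread's case: a PTR
# exists, but the name it points to has no forward record (NXDOMAIN).
PTR_TABLE: Dict[str, Optional[str]] = {
    "62.254.132.162": "162.132-254-62.static.virginmediabusiness.co.uk",
    "198.51.100.7": "mail.example.net",    # constructed: consistent host
    "203.0.113.9": None,                   # constructed: no PTR at all
    "203.0.113.10": "spoof.example.org",   # constructed: PTR maps elsewhere
}
# Constructed forward data; the virginmediabusiness name is deliberately absent.
FORWARD_TABLE: Dict[str, List[str]] = {
    "mail.example.net": ["198.51.100.7"],
    "spoof.example.org": ["192.0.2.44"],
}


def table_reverse(ip: str) -> Optional[str]:
    return PTR_TABLE.get(ip)


def table_forward(name: str) -> List[str]:
    return FORWARD_TABLE.get(name, [])


def live_reverse(ip: str) -> Optional[str]:
    """PTR lookup against the system resolver (hypothetical live variant)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def live_forward(name: str) -> List[str]:
    """A/AAAA lookup against the system resolver (hypothetical live variant)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def check_usedns(ip: str,
                 reverse: Callable[[str], Optional[str]] = table_reverse,
                 forward: Callable[[str], List[str]] = table_forward,
                 ) -> Tuple[str, str]:
    """Return (verdict, name). The name is only trusted when the PTR target
    resolves back to the same address; otherwise the bare IP is kept."""
    name = reverse(ip)
    if name is None:
        return "no-ptr", ip            # nothing to verify, use the address
    addrs = forward(name)
    if not addrs:
        return "no-forward", ip        # the thread's case: PTR -> NXDOMAIN
    if ip not in addrs:
        return "mismatch", ip          # PTR points at a name owned by others
    return "ok", name
```

Run it with `live_reverse`/`live_forward` passed in to reproduce the check against a real resolver; the verdict other than "ok" is exactly the situation the log line in the subject refers to, and UseDNS=no skips the whole check.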