Date: Fri, 19 Aug 2011 11:21:02 -0400
From: Mike Tancsa <mike@sentex.net>
To: Mark Moellering <mark@msen.com>
Cc: FreeBSD <freebsd-questions@freebsd.org>
Subject: Re: My server is under attack (I think)
Message-ID: <4E4E7F5E.7010709@sentex.net>
In-Reply-To: <4E4E7AC1.5000904@msen.com>
References: <4E4E7AC1.5000904@msen.com>
On 8/19/2011 11:01 AM, Mark Moellering wrote:
> I keep seeing a flood of messages when I run dmesg -a that look like this:
>
> mail sshd[1831]: warning: /etc/hosts.allow, line 2: can't verify
> hostname: getaddrinfo(ip223.hichina.com, AF_INET) failed
>
> Is there anything I should be doing to make sure the server isn't

First, look at line 2 of /etc/hosts.allow. It's probably an issue of the scanning IP having a PTR record mismatch, i.e. some IP has a PTR record of ip223.hichina.com, but no corresponding A record. When the attacker/scanner hits port 22 of your box, tcpwrappers (as set in /etc/hosts.allow) tries to confirm the PTR record matches the A record, but there is a mismatch, and hence the log message.

Take a look at /var/log/auth.log for more info.

It's generally a good idea to block all network access as a first rule, and then add specific rules to let people in to just what is needed. So if you only manage the box via ssh from a range of hosts, block all access to ssh and allow it just from those trusted locations.

        ---Mike

--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
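The following is an added example, not part of the thread and not FreeBSD's libwrap code: a simplified Python model of how tcpd evaluates /etc/hosts.allow, written to show the two points Mike makes above. First, a rule whose client pattern is a hostname (here a constructed ".sentex.net" suffix on line 2) forces a reverse-then-forward DNS check on every connection that reaches it, and when the scanner's PTR name has no A record the check fails and produces exactly the "can't verify hostname: getaddrinfo(..., AF_INET) failed" warning Mark saw. Second, a configuration that matches trusted clients by IP/CIDR only and ends with a catch-all deny never performs a DNS lookup at all. Note that in hosts.allow the first matching rule wins, so the catch-all deny is the last line of the file. All IPs (203.0.113.77, 192.0.2.10), the admin hostname and the DNS data are constructed for the example; the hostname ip223.hichina.com is the one quoted in the thread.

```python
"""Simplified model of tcpwrappers /etc/hosts.allow evaluation (added example;
not libwrap's code).  Supported client patterns: ALL, CIDR, exact IP, a
trailing-dot address prefix, a leading-dot domain suffix, and an exact
hostname.  All DNS data and addresses below are constructed."""
import ipaddress


class FakeResolver:
    """Constructed DNS data standing in for gethostbyaddr()/getaddrinfo()."""
    def __init__(self, ptr, a):
        self.ptr = ptr          # ip -> PTR name
        self.a = a              # hostname -> set of A-record IPs
        self.lookups = 0        # how many DNS queries the rules triggered

    def reverse(self, ip):
        self.lookups += 1
        return self.ptr.get(ip)

    def forward(self, name):
        self.lookups += 1
        return self.a.get(name)


def verify_hostname(ip, resolver):
    """Forward-confirmed reverse DNS, as tcpd does before trusting a name.
    Returns (hostname, warning); hostname is None unless PTR and A agree."""
    name = resolver.reverse(ip)
    if name is None:
        return None, None       # no PTR at all: client is simply "unknown"
    addrs = resolver.forward(name)
    if not addrs:               # PTR exists but the name has no A record
        return None, f"can't verify hostname: getaddrinfo({name}, AF_INET) failed"
    if ip not in addrs:         # name resolves, but not back to this IP
        return None, f"host name/address mismatch: {ip} != {name}"
    return name, None


def parse_rules(text):
    """Parse 'daemon_list : client_list : allow|deny' lines, keeping line numbers."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        daemons, clients, action = (f.strip() for f in line.split(':'))
        rules.append((lineno, daemons.split(), clients.split(), action.lower()))
    return rules


def client_matches(pattern, ip, resolver, warnings, lineno):
    if pattern == 'ALL':
        return True
    if pattern.startswith('.') or any(c.isalpha() for c in pattern):
        # Hostname pattern: this is what triggers the DNS check (and the warning).
        name, warn = verify_hostname(ip, resolver)
        if warn:
            warnings.append(f"/etc/hosts.allow, line {lineno}: {warn}")
        if name is None:
            return False
        return name.endswith(pattern) if pattern.startswith('.') else name == pattern
    # Address pattern: no DNS involved.
    if '/' in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith('.'):
        return ip.startswith(pattern)
    return ip == pattern


def evaluate(rules, daemon, ip, resolver):
    """First matching rule wins; tcpd permits the connection if none matches."""
    warnings = []
    for lineno, daemons, clients, action in rules:
        if 'ALL' not in daemons and daemon not in daemons:
            continue
        if any(client_matches(p, ip, resolver, warnings, lineno) for p in clients):
            return action, warnings
    return 'allow', warnings


# Constructed config in the spirit of the one in the thread: line 2 is a
# hostname pattern, so every unmatched sshd connection forces a DNS check.
HOSTNAME_RULES = """\
sshd : 192.0.2.0/24 : allow
sshd : .sentex.net  : allow
sshd : ALL          : deny
"""

# Hardened config per the reply: trusted sources by address only, deny the rest.
HARDENED_RULES = """\
sshd : 192.0.2.0/24 : allow
ALL  : ALL          : deny
"""

SCANNER_IP, ADMIN_IP = "203.0.113.77", "192.0.2.10"          # constructed
PTR = {SCANNER_IP: "ip223.hichina.com", ADMIN_IP: "admin.example.net"}
A = {"admin.example.net": {ADMIN_IP}}                        # scanner's name has no A record


def check(config, daemon, ip, ptr=PTR, a=A):
    """Return (action, warnings, dns_lookups) for one connection attempt."""
    resolver = FakeResolver(ptr, a)
    action, warnings = evaluate(parse_rules(config), daemon, ip, resolver)
    return action, warnings, resolver.lookups


if __name__ == "__main__":
    for label, cfg in (("hostname rules", HOSTNAME_RULES), ("hardened rules", HARDENED_RULES)):
        for ip in (SCANNER_IP, ADMIN_IP):
            print(label, ip, check(cfg, "sshd", ip))
```

Running it shows the scanner being denied under both configurations; the difference is that the hostname-based file logs the warning and costs two DNS queries per probe, while the address-only file denies silently with none.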