Date:      Fri, 19 Aug 2011 11:21:02 -0400
From:      Mike Tancsa <mike@sentex.net>
To:        Mark Moellering <mark@msen.com>
Cc:        FreeBSD <freebsd-questions@freebsd.org>
Subject:   Re: My server is under attack (I think)
Message-ID:  <4E4E7F5E.7010709@sentex.net>
In-Reply-To: <4E4E7AC1.5000904@msen.com>
References:  <4E4E7AC1.5000904@msen.com>

On 8/19/2011 11:01 AM, Mark Moellering wrote:
> I keep seeing a flood of messages when I run dmesg -a that look like this:
> 
> mail sshd[1831]: warning: /etc/hosts.allow, line 2: can't verify
> hostname: getaddrinfo(ip223.hichina.com, AF_INET) failed
> 
> Is there anything I should be doing to make sure the server isn't

First, look at line 2 of /etc/hosts.allow.  It's probably an issue of the
scanning IP having a PTR record mismatch, i.e. some IP has a PTR record
of ip223.hichina.com, but no corresponding A record. When the
attacker/scanner hits port 22 of your box, tcpwrappers (as set in
/etc/hosts.allow) tries to confirm the PTR record matches the A record,
but there is a mismatch, and hence the log message.  Take a look at
/var/log/auth.log for more info.

It's generally a good idea to block all network access as a first rule,
and then add specific rules to let people in to just what is needed. So
if you only manage the box via ssh from a range of hosts, block all
access to ssh and allow it just from those trusted locations.


	---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/
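The following is an added example, not part of the thread above and not FreeBSD's libwrap. It models the two things Mike describes: the forward-confirmed reverse lookup tcpwrappers performs when a hosts.allow rule needs the client hostname (a PTR record whose name has no A record, or whose A record points elsewhere, makes the name "paranoid" and produces the "can't verify hostname" warning, tagged with the line of the rule that triggered the lookup), and first-match evaluation of hosts.allow, which is why an allow rule for the trusted management hosts has to precede the catch-all deny for sshd. The DNS tables, the two hosts.allow texts (OPEN and LOCKED), the hostnames and the documentation-range addresses are all constructed for the demonstration; the real /etc/hosts.allow on the poster's box is not shown on the page.

```python
"""Model of how tcpwrappers (hosts_access(5)) evaluates /etc/hosts.allow.

Added example, not FreeBSD's libwrap. All DNS data and both hosts.allow
texts below are constructed for the demonstration.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed reverse (PTR) and forward (A) records, not real DNS.
PTR: Dict[str, str] = {
    "192.0.2.10": "admin.example.net",       # forward and reverse agree
    "203.0.113.77": "ip77.scanner.example",  # PTR exists, no A record
    "203.0.113.5": "web.example.org",        # A record points elsewhere
}
A: Dict[str, List[str]] = {
    "admin.example.net": ["192.0.2.10"],
    "web.example.org": ["198.51.100.9"],
}

# Constructed "open" layout: every sshd connection reaches the PARANOID rule
# on line 2, which forces the reverse/forward lookup and the warning.
OPEN = """\
ALL : 127.0.0.1 : allow
ALL : PARANOID : deny
ALL : ALL : allow
"""

# Constructed default-deny layout for sshd. hosts_access(5) stops at the
# first match, so the allow for the management hosts precedes the deny.
LOCKED = """\
sshd : 192.0.2. 198.51.100.0/255.255.255.0 : allow
sshd : ALL : deny
ALL : PARANOID : deny
ALL : ALL : allow
"""


class Client:
    """Peer of one connection; the hostname is resolved lazily, as libwrap does."""

    def __init__(self, ip: str, ptr: Dict[str, str], a: Dict[str, List[str]]):
        self.ip, self.ptr, self.a = ip, ptr, a
        self.name: Optional[str] = None
        self.warning: Optional[str] = None

    def hostname(self, lineno: int) -> str:
        """PTR lookup, then forward confirmation; any failure yields "paranoid"."""
        if self.name is not None:
            return self.name
        name = self.ptr.get(self.ip)
        if name is None:
            self.name = "unknown"                 # no PTR record at all
        elif name not in self.a:                  # the case from the thread
            self.warning = (f"/etc/hosts.allow, line {lineno}: can't verify "
                            f"hostname: getaddrinfo({name}, AF_INET) failed")
            self.name = "paranoid"                # name clobbered, PARANOID matches
        elif self.ip not in self.a[name]:
            self.warning = (f"/etc/hosts.allow, line {lineno}: host "
                            f"name/address mismatch: {self.ip} != {name}")
            self.name = "paranoid"
        else:
            self.name = name.lower()
        return self.name


def parse_rules(text: str) -> List[Tuple[int, List[str], List[str], str]]:
    """(line number, daemon list, client list, verdict) for each rule."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected daemon_list : client_list")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        # Extended syntax: an explicit "deny" option denies, anything else allows.
        verdict = "deny" if any(o.lower() == "deny" for o in fields[2:]) else "allow"
        rules.append((lineno, daemons, clients, verdict))
    return rules


def client_matches(pattern: str, client: Client, lineno: int) -> bool:
    """Subset of hosts_access(5) client patterns; DNS is used only when needed."""
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return client.hostname(lineno) == "paranoid"
    if pattern == "UNKNOWN":
        return client.hostname(lineno) == "unknown"
    if pattern == "KNOWN":
        return client.hostname(lineno) not in ("unknown", "paranoid")
    if "/" in pattern:                            # n.n.n.n/m.m.m.m net/mask pair
        return ipaddress.ip_address(client.ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):                     # numeric prefix, e.g. 192.0.2.
        return client.ip.startswith(pattern)
    if pattern.startswith("."):                   # domain suffix, e.g. .example.net
        return client.hostname(lineno).endswith(pattern.lower())
    try:                                          # literal address ...
        return ipaddress.ip_address(pattern) == ipaddress.ip_address(client.ip)
    except ValueError:                            # ... or literal hostname
        return pattern.lower() == client.hostname(lineno)


def hosts_access(daemon: str, ip: str, text: str, ptr: Dict[str, str] = PTR,
                 a: Dict[str, List[str]] = A) -> Tuple[str, Optional[int], Optional[str]]:
    """First matching rule decides. Returns (verdict, rule line, warning or None)."""
    client = Client(ip, ptr, a)
    for lineno, daemons, clients, verdict in parse_rules(text):
        if "ALL" not in daemons and daemon not in daemons:
            continue
        if any(client_matches(c, client, lineno) for c in clients):
            return verdict, lineno, client.warning
    return "allow", None, client.warning          # nothing matched: access granted


if __name__ == "__main__":
    for label, text in (("open", OPEN), ("locked", LOCKED)):
        for ip in ("192.0.2.10", "203.0.113.77", "203.0.113.5", "203.0.113.200"):
            print(label, "sshd from", ip, "->", hosts_access("sshd", ip, text))
```

With the OPEN layout a scanner whose PTR name has no A record is denied on line 2 and leaves the "can't verify hostname" warning behind; with the LOCKED layout the same scanner is denied by the `sshd : ALL : deny` rule before any hostname pattern is consulted, so the lookup never happens and the log stays quiet, while the management hosts are still admitted by the first rule.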


