Date:      Fri, 19 Aug 2011 11:21:02 -0400
From:      Mike Tancsa <>
To:        Mark Moellering <>
Cc:        FreeBSD <>
Subject:   Re: My server is under attack (I think)
Message-ID:  <>
In-Reply-To: <>
References:  <>

On 8/19/2011 11:01 AM, Mark Moellering wrote:
> I keep seeing a flood of messages when I run dmesg -a that look like this:
> mail sshd[1831]: warning: /etc/hosts.allow, line 2: can't verify
> hostname: getaddrinfo(, AF_INET) failed
> Is there anything I should be doing to make sure the server isn't

First, look at line 2 of /etc/hosts.allow.  It's probably an issue of the
scanning IP having a PTR record mismatch, i.e., some IP has a PTR record
of, but no corresponding A record. When the
attacker/scanner hits port 22 of your box, tcpwrappers (as set in
/etc/hosts.allow) tries to confirm the PTR record matches the A record,
but there is a mismatch, and hence the log message.  Take a look at
/var/log/auth.log for more info.

It's generally a good idea to block all network access as a first rule,
and then add specific rules to let people in to just what is needed. So
if you only manage the box via ssh from a range of hosts, block all
access to ssh and allow it just from those trusted locations.


Mike Tancsa, tel +1 519 651 3400
Sentex Communications,
Providing Internet services since 1994
Cambridge, Ontario Canada
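
The double lookup described in the reply above (PTR for the connecting address, then the A record for the returned name), as an added example that is not part of the original message and is not tcpwrappers' own code. The addresses and host names are constructed sample data, and fcrdns, fake_reverse, fake_forward and classify_all are hypothetical names.

```python
import socket

def fcrdns(ip, reverse=None, forward=None):
    """Check that an address's PTR name resolves back to the same address.

    reverse(ip) returns a host name; forward(name) returns a list of IPv4
    addresses. Both raise OSError on failure. Defaults use the system resolver.
    """
    if reverse is None:
        reverse = lambda addr: socket.gethostbyaddr(addr)[0]
    if forward is None:
        forward = lambda name: [ai[4][0] for ai in
                                socket.getaddrinfo(name, None, socket.AF_INET)]
    try:
        name = reverse(ip)
    except OSError:
        return ("no-ptr", None)
    try:
        addrs = forward(name)
    except OSError:
        # The situation in the message: a PTR exists, the forward lookup fails.
        return ("ptr-without-a", name)
    if ip not in addrs:
        return ("mismatch", name)
    return ("verified", name)

# Constructed sample data: documentation address ranges, made-up host names.
PTR = {"192.0.2.10": "admin.example.org",
       "198.51.100.7": "ghost.example.net",
       "203.0.113.5": "spoof.example.com"}
A = {"admin.example.org": ["192.0.2.10"],
     "spoof.example.com": ["192.0.2.99"]}

def fake_reverse(ip):
    if ip not in PTR:
        raise OSError("no PTR record")
    return PTR[ip]

def fake_forward(name):
    if name not in A:
        raise OSError("getaddrinfo failed")
    return A[name]

def classify_all(ips):
    """Run the check offline against the constructed records above."""
    return {ip: fcrdns(ip, fake_reverse, fake_forward) for ip in ips}

if __name__ == "__main__":
    for ip, result in classify_all(["192.0.2.10", "198.51.100.7",
                                    "203.0.113.5", "192.0.2.200"]).items():
        print(ip, *result)
```

Calling fcrdns(ip) with no resolver arguments runs the same check against live DNS, which is useful for confirming why a given source address in /var/log/auth.log triggered the warning.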
