From owner-freebsd-questions@FreeBSD.ORG Fri Aug 19 15:20:54 2011 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6B8361065673 for ; Fri, 19 Aug 2011 15:20:54 +0000 (UTC) (envelope-from mike@sentex.net) Received: from smarthost1.sentex.ca (smarthost1-6.sentex.ca [IPv6:2607:f3e0:0:1::12]) by mx1.freebsd.org (Postfix) with ESMTP id 2FE828FC14 for ; Fri, 19 Aug 2011 15:20:54 +0000 (UTC) Received: from [IPv6:2607:f3e0:0:4:f025:8813:7603:7e4a] (saphire3.sentex.ca [IPv6:2607:f3e0:0:4:f025:8813:7603:7e4a]) by smarthost1.sentex.ca (8.14.4/8.14.4) with ESMTP id p7JFKq9N085468; Fri, 19 Aug 2011 11:20:52 -0400 (EDT) (envelope-from mike@sentex.net) Message-ID: <4E4E7F5E.7010709@sentex.net> Date: Fri, 19 Aug 2011 11:21:02 -0400 From: Mike Tancsa Organization: Sentex Communications User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7 MIME-Version: 1.0 To: Mark Moellering References: <4E4E7AC1.5000904@msen.com> In-Reply-To: <4E4E7AC1.5000904@msen.com> X-Enigmail-Version: 1.1.1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.71 on IPv6:2607:f3e0:0:1::12 Cc: FreeBSD Subject: Re: My server is under attack (I think) X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Aug 2011 15:20:54 -0000 On 8/19/2011 11:01 AM, Mark Moellering wrote: > I keep seeing a flood of messages when I run dmesg -a that look like this: > > mail sshd[1831]: warning: /etc/hosts.allow, line 2: can't verify > hostname: getaddrinfo(ip223.hichina.com, AF_INET) failed > > Is there anything I should be doing to make sure the server isn't First, look at line 2 of /etc/hosts.allow. Its probably an issue of the scanning IP having a PTR record mismatch. ie. some IP has a PTR record of ip223.hichina.com, but no corresponding A record. When the attacker/scanner hits port 22 of your box, tcpwrappers (as set in /etc/hosts.allow) tries to confirm the PTR record matches the A record, but there is a mismatch, and hence the log message. Take a look at /var/log/auth.log for more info. Its generally a good idea to block all network access as a first rule, and then add specific rules to let people in to just what is needed. So if you only manage the box via ssh from a range of hosts, block all access to ssh and allow it just from those trusted locations. ---Mike -- ------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/