I recently built a new machine with FreeBSD 6.0. I began noticing problems with remote SSH: I could ssh to the machine from some locations, but not others. I took a look at /var/log/auth.log and saw:
Jan 10 10:44:18 lenny sshd[34901]: warning: /etc/hosts.allow, line 35: can't verify hostname: getaddrinfo(ppp-xxx-xxx-xxx-xxx.ded.pacbell.net, AF_INET) failed
Jan 10 10:44:38 lenny sshd[34901]: refused connect from xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)

I did some digging on Google and realized I should look at the line mentioned in the log error.
Line 35 (and a couple of lines prior) from /etc/hosts.allow:
# Protect against simple DNS spoofing attacks by checking that the
# forward and reverse records for the remote host match. If a mismatch
# occurs, access is denied, and any positive ident response within
# 20 seconds is logged. No protection is afforded against DNS poisoning,
# IP spoofing or more complicated attacks. Hosts with no reverse DNS
# pass this rule.
ALL : PARANOID : RFC931 20 : deny

(You can read RFC931 if you so desire.)
I quickly did a reverse and forward DNS lookup on the gateway IP/name I was coming from. Sure enough, there was a reverse entry, but not a forward entry. Since they didn't match, it was failing this line in /etc/hosts.allow.
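To make the rule's logic concrete, here is an added Python checker (my own example, not code from the post or from tcp_wrappers) that reproduces the PARANOID test: reverse-resolve the client address, forward-resolve the resulting name, and deny unless the address comes back in the answer, while an address with no reverse record passes. It can run against the system resolver or against the constructed sample records embedded below, which are assumed, not real, hosts.

```python
import socket
from typing import Dict, List, Optional, Tuple

def system_reverse(ip: str) -> Optional[str]:
    """PTR lookup via the system resolver; None if the address has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def system_forward(name: str) -> List[str]:
    """A-record lookup (AF_INET only, as in the log message); [] if it fails."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def paranoid_check(ip, reverse=system_reverse, forward=system_forward) -> Tuple[bool, str]:
    """(allowed, reason) with PARANOID semantics: no PTR -> pass; PTR name
    that has no A record or does not map back to ip -> deny."""
    name = reverse(ip)
    if name is None:
        return True, "no reverse DNS, PARANOID does not match"
    addrs = list(forward(name))
    if not addrs:
        return False, "can't verify hostname: getaddrinfo(%s, AF_INET) failed" % name
    if ip not in addrs:
        return False, "host name/address mismatch: %s -> %s -> %s" % (ip, name, addrs)
    return True, "%s and %s agree" % (name, ip)

# Constructed sample records (not real hosts). 192.0.2.10 mirrors the post:
# a PTR exists but the name has no A record. .20 is consistent, .30 has a
# name that resolves to a different address, .40 has no PTR at all.
SAMPLE_PTR = {"192.0.2.10": "ppp-gateway.example.net",
              "192.0.2.20": "good.example.net",
              "192.0.2.30": "spoof.example.net"}
SAMPLE_A = {"good.example.net": ["192.0.2.20"],
            "spoof.example.net": ["198.51.100.5"]}

def check_samples() -> Dict[str, Tuple[bool, str]]:
    """Run the check over the sample records instead of live DNS."""
    return {ip: paranoid_check(ip, SAMPLE_PTR.get, lambda n: SAMPLE_A.get(n, []))
            for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40")}

if __name__ == "__main__":
    for ip, (ok, why) in check_samples().items():
        print(ip, "allow" if ok else "deny", "-", why)
```

Call paranoid_check("your.client.ip") with the defaults to test a real address against the resolver the server actually uses, which is what matters when the mismatch is on the gateway's side.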
I commented out the line, and everything started working properly. Another solution would be to fix the DNS issue with the gateway I am currently behind... but that won't always be an option. I feel that my SSH is fairly well protected, since I am running DenyHosts.
I now get the following errors, which are still a little more paranoid than may be necessary:
Jan 10 11:17:55 lenny sshd[35544]: warning: /etc/hosts.allow, line 39: can't verify hostname: getaddrinfo(ppp-xxx-xxx-xxx-xxx.ded.pacbell.net, AF_INET) failed
Jan 10 11:17:55 lenny sshd[35545]: reverse mapping checking getaddrinfo for ppp-xxx-xxx-xxx-xxx.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Jan 10 11:17:55 lenny sshd[35544]: reverse mapping checking getaddrinfo for ppp-xxx-xxx-xxx-xxx.ded.pacbell.net failed - POSSIBLE BREAKIN ATTEMPT!
Jan 10 11:17:57 lenny sshd[35544]: Accepted keyboard-interactive/pam for xxxxxxxxx from xxx.xxx.xxx.xxx port 38708 ssh2

Overall it's another great example of how FreeBSD tries to be secure out of the box and keep people from getting themselves hacked.