sshd warning, "POSSIBLE BREAK-IN ATTEMPT!" for failed reverse DNS

What security threat is there?
How could anyone fake a one-way DNS in some threatening way?

Any party with control of a DNS reverse zone can set their PTR records to whatever they want. It's conceivable that someone could set their PTR record to legithost.example.com, and then try to brute force their way into your environment.

If you have fat-fingered users who tend to mistype their passwords, and are lacking in anti-brute-force measures, a bunch of log entries for failed passwords from legithost.example.com could be dismissed as "Oh that's just Bob - he can't type to save his life!" and give an attacker the opportunity to keep guessing passwords until they get in.

(The theoretical security benefit from this message is that the attacker can't create/change the A record for legithost.example.com in your DNS zone, so he can't silence the warning - absent a DNS poisoning attack of some kind...)


Do I have any recourse for fixing this?

Option 1: Fix your DNS so the forward (A) and reverse (PTR) records match.
Option 2: Add UseDNS no to your system's sshd_config file to shut the warning up.
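To make the warning concrete, here is an added example (not part of the answer above or of OpenSSH's own code) of the forward-confirmed reverse DNS check that sshd performs: resolve the client IP to a PTR name, resolve that name back to addresses, and only trust the name if the original IP is among them. It runs against constructed zone data; every hostname and address in it is made up for illustration, and the resolver functions are injectable so the logic can be exercised offline.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check, the test behind sshd's warning."""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample zones standing in for real resolvers (not real DNS data).
# 198.51.100.7 is an outside host whose owner has pointed its PTR at a
# trusted-looking name, the scenario the answer above describes.
FORWARD_A: Dict[str, List[str]] = {
    "legithost.example.com": ["203.0.113.10"],
    "attacker.example.net": ["198.51.100.7"],
}
REVERSE_PTR: Dict[str, str] = {
    "203.0.113.10": "legithost.example.com",   # genuine host, records agree
    "198.51.100.7": "legithost.example.com",   # forged PTR, A record disagrees
}

def lookup_ptr(ip: str) -> Optional[str]:
    """Reverse lookup: IP -> hostname (None when there is no PTR record)."""
    return REVERSE_PTR.get(ip)

def lookup_a(name: str) -> List[str]:
    """Forward lookup: hostname -> list of addresses (empty when unknown)."""
    return FORWARD_A.get(name, [])

def fcrdns(ip: str,
           ptr: Callable[[str], Optional[str]] = lookup_ptr,
           fwd: Callable[[str], List[str]] = lookup_a) -> Tuple[str, str]:
    """Return (verdict, name_to_log).

    verdict is "match" when the PTR name resolves back to ip, "mismatch" when
    the PTR name exists but does not resolve back to ip (the case in which
    sshd logs POSSIBLE BREAK-IN ATTEMPT), or "no-ptr" when there is no
    reverse record at all.  name_to_log is what a log line may safely carry:
    a forward-confirmed name, otherwise the bare IP.
    """
    name = ptr(ip)
    if name is None:
        return "no-ptr", ip
    if ip in fwd(name):
        return "match", name
    return "mismatch", ip

if __name__ == "__main__":
    for addr in ("203.0.113.10", "198.51.100.7", "192.0.2.44"):
        verdict, name = fcrdns(addr)
        print(f"{addr}: {verdict} (log as {name})")
```

The practical takeaway for log review and lockout rules is the last return value: key on the source IP, which the remote party cannot forge, and never on the PTR name alone.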