Hi,

Thank you for your quick reply.

(2010/07/08 22:51), Yaroslav Halchenko wrote:
> well -- if it indeed comes from 192.168.0.32, then you better alarm your
> local network administrator since it is a private net address.  Not sure
> why/how your DNS resolves it to reserved example.com either.

Well, I used example.com and 192.168.0.32 just to show that the entry is
an example. My local DNS is not affected :)

> Altogether, not sure if adding a rule catching 'reverse mapping
> checking' failures, since, as I pointed out above, then any
> misconfiguration (attack on) of DNS server might lead to the wave of
> fail2ban actions against possibly valid users (this line btw does not
> give any information that user has tried to authenticate with incorrect
> credentials).  So for now tagging it as wontfix.
> 
> If you feel strongly that such feature would be valid, keep the dialog.

I understand that a DNS problem (or attack) might lead to Denial of
Service (DoS) for valid users on ssh.

However, as long as DNS is working properly, I found (from my server's
/var/log/auth.log) that this "POSSIBLE BREAK-IN ATTEMPT" comes only from
mass port scanning of weak ssh servers by attackers.

If I want to block, is adding the following line to
/etc/fail2ban/filter.d/sshd.conf correct?

^%(__prefix_line)sreverse mapping checking getaddrinfo for .* \[<HOST>\] failed - POSSIBLE BREAK-IN ATTEMPT!\s*$

Best regards,
-- 
Ryo IGARASHI, Ph.D.
rigar...@gmail.com
OpenPGP fingerprint: BAD9 71E3 28F3 8952 5640  6A53 EC79 A280 6A19 2319
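
An added example, not part of the original message and not fail2ban's own code: an offline check of the failregex proposed above against constructed auth.log lines. The expansions used for %(__prefix_line)s and <HOST>, and the timestamp stripping, are simplified assumptions standing in for fail2ban's own substitutions.

```python
import re

# Simplified stand-ins (assumptions) for what fail2ban substitutes when it
# loads a filter; the real definitions live in fail2ban itself.
PREFIX_LINE = r"\s*(?:\S+ )?sshd(?:\[\d+\])?:?\s*"
HOST = r"(?P<host>[\w\-.:]+)"

# The failregex from the message, written on a single line.
FAILREGEX = (r"^%(__prefix_line)sreverse mapping checking getaddrinfo for .* "
             r"\[<HOST>\] failed - POSSIBLE BREAK-IN ATTEMPT!\s*$")

# Syslog timestamp, removed before matching (assumed model of the filter).
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

# Constructed sample lines; addresses are from the documentation range.
SAMPLE_LOG = [
    "Jul  8 22:40:01 host sshd[1234]: reverse mapping checking getaddrinfo "
    "for host.example.com [192.0.2.10] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Jul  8 22:40:03 host sshd[1234]: Failed password for root "
    "from 192.0.2.10 port 4022 ssh2",
    "Jul  8 22:41:10 host sshd[1240]: Address 192.0.2.11 maps to "
    "host.example.com, but this does not map back to the address "
    "- POSSIBLE BREAK-IN ATTEMPT!",
]


def compile_failregex(failregex):
    """Expand the two placeholders and compile the result."""
    expanded = failregex.replace("%(__prefix_line)s", PREFIX_LINE)
    return re.compile(expanded.replace("<HOST>", HOST))


def matched_hosts(lines, failregex=FAILREGEX):
    """Return the host captured from every line the failregex matches."""
    rx = compile_failregex(failregex)
    hosts = []
    for line in lines:
        rest = TIMESTAMP.sub("", line.rstrip("\n"), count=1)
        m = rx.search(rest)
        if m:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    # Only the first sample line is the message this rule targets.
    print(matched_hosts(SAMPLE_LOG))
```

On a host with fail2ban installed, `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf` runs the real filter against the real log.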