Re: [CentOS] CentOS 5 sshd does not log IP address of reverse mapping failure [solved, I guess]

2013-03-10 Thread Tilman Schmidt
On 10.03.2013 03:01, Les Mikesell wrote:
> On Sat, Mar 9, 2013 at 11:57 AM, Tilman Schmidt wrote:
>>
>> Mar 3 04:44:48 gimli sshd[12870]: reverse mapping checking getaddrinfo
>> for hn.ly.kd.adsl failed - POSSIBLE BREAK-IN ATTEMPT!
>> Mar 3 04:44:49 gimli sshd[12871]: Received disconnect fro

Re: [CentOS] CentOS 5 sshd does not log IP address of reverse mapping failure [solved, I guess]

2013-03-09 Thread Gordon Messmer
On 03/09/2013 09:57 AM, Tilman Schmidt wrote:
> So it seems there is no way to identify password bruteforcing attempts
> on servers which don't accept password authentication in the first
> place.

Yes... you can't detect what you don't receive. If you want to block hosts that are scanning for vu

Re: [CentOS] CentOS 5 sshd does not log IP address of reverse mapping failure [solved, I guess]

2013-03-09 Thread Les Mikesell
On Sat, Mar 9, 2013 at 11:57 AM, Tilman Schmidt wrote:
>
> Mar 3 04:44:48 gimli sshd[12870]: reverse mapping checking getaddrinfo
> for hn.ly.kd.adsl failed - POSSIBLE BREAK-IN ATTEMPT!
> Mar 3 04:44:49 gimli sshd[12871]: Received disconnect from
> 61.163.113.72: 11: Bye Bye
>
> If I set "UseDNS

Re: [CentOS] CentOS 5 sshd does not log IP address of reverse mapping failure [solved, I guess]

2013-03-09 Thread Tilman Schmidt
On 08.03.2013 20:51, Gordon Messmer wrote:
> # tail -f /var/log/secure
> Mar 8 11:46:54 firewall sshd[27455]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=173-xx-xx-xx-washington.hfc.comcastbusiness.net user=root
> Mar 8 11:46:56 firewall sshd[2

Re: [CentOS] CentOS 5 sshd does not log IP address of reverse mapping failure

2013-03-08 Thread Gordon Messmer
On 03/07/2013 08:45 AM, Tilman Schmidt wrote:
>> >As long as you get the IP address for failed logins, ignore reverse
>> >mapping failures.
> Trouble is, I don't:

Are you watching the messages or secure log?

# cat /etc/redhat-release
CentOS release 5.8 (Final)
# tail -f /var/log/secure
Mar 8 11:

Re: [CentOS] CentOS 5 sshd does not log IP address of reverse mapping failure

2013-03-08 Thread Tilman Schmidt
On 08.03.2013 17:40, Reindl Harald wrote:
> but you can not tell me that such attempts would not be logged
> maybe you have fucked your syslog-configuration or whatever

Tsk, tsk. Language!

> Mar 8 17:35:13 openvas sshd[10017]: Invalid user donotexist from 10.0.0.241
> Mar 8 17:35:13 openvas s

Re: [CentOS] CentOS 5 sshd does not log IP address of reverse mapping failure

2013-03-08 Thread Tilman Schmidt
On 08.03.2013 15:50, Reindl Harald wrote:
> On 08.03.2013 15:01, Tilman Schmidt wrote:
>> On 07.03.2013 19:49, Les Mikesell wrote:
[...]
>>> Does it work if you set
>>> UseDNS no
>>> in /etc/ssh/sshd_config?
>>
>> Not really. That seems to remove the "reverse mapping checking failed"
>> messa

Re: [CentOS] CentOS 5 sshd does not log IP address of reverse mapping failure

2013-03-08 Thread Les Mikesell
On Fri, Mar 8, 2013 at 7:43 AM, Tilman Schmidt wrote:
> On 07.03.2013 19:07, Michael Krug wrote:
>> You could deny all by default and only allow your locations in tcp_wrappers.
>
> Can't do that. People must be able to ssh in from dynamic IPs.

Sure, but as you've noticed, logging the reverse-DN

Re: [CentOS] CentOS 5 sshd does not log IP address of reverse mapping failure

2013-03-08 Thread Tilman Schmidt
On 07.03.2013 19:49, Les Mikesell wrote:
> On Thu, Mar 7, 2013 at 10:45 AM, Tilman Schmidt wrote:
>>>> Any ideas how to remedy that situation?
>>>
>>> As long as you get the IP address for failed logins, ignore reverse
>>> mapping failures.
>>
>> Trouble is, I don't:
>
> Does it work if you s

Re: [CentOS] CentOS 5 sshd does not log IP address of reverse mapping failure

2013-03-08 Thread Tilman Schmidt
On 07.03.2013 19:07, Michael Krug wrote:
> You could deny all by default and only allow your locations in tcp_wrappers.

Can't do that. People must be able to ssh in from dynamic IPs.

--
Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany

Re: [CentOS] CentOS 5 sshd does not log IP address of reverse mapping failure

2013-03-07 Thread Les Mikesell
On Thu, Mar 7, 2013 at 10:45 AM, Tilman Schmidt wrote:
>>> Any ideas how to remedy that situation?
>>
>> As long as you get the IP address for failed logins, ignore reverse
>> mapping failures.
>
> Trouble is, I don't:

Does it work if you set
UseDNS no
in /etc/ssh/sshd_config? I don't think it i

Re: [CentOS] CentOS 5 sshd does not log IP address of reverse mapping failure

2013-03-07 Thread Michael Krug
> Subject: Re: [CentOS] CentOS 5 sshd does not log IP address of reverse
> mapping failure
>
> On 06.03.2013 19:20, Gordon Messmer wrote:
> > On 03/06/2013 09:45 AM, Tilman Schmidt wrote:
> >> Any ideas how to remedy that situation?
> >
> > As long as you get

Re: [CentOS] CentOS 5 sshd does not log IP address of reverse mapping failure

2013-03-07 Thread Tilman Schmidt
On 06.03.2013 19:20, Gordon Messmer wrote:
> On 03/06/2013 09:45 AM, Tilman Schmidt wrote:
>> Any ideas how to remedy that situation?
>
> As long as you get the IP address for failed logins, ignore reverse
> mapping failures.

Trouble is, I don't:

Feb 8 00:03:09 dns01 sshd[6119]: reverse mapp

Re: [CentOS] CentOS 5 sshd does not log IP address of reverse mapping failure

2013-03-06 Thread Gordon Messmer
On 03/06/2013 09:45 AM, Tilman Schmidt wrote:
> Any ideas how to remedy that situation?

As long as you get the IP address for failed logins, ignore reverse mapping failures.

[CentOS] CentOS 5 sshd does not log IP address of reverse mapping failure

2013-03-06 Thread Tilman Schmidt
I'm running a mix of CentOS 5 and 6 servers reachable by ssh from the Internet. Of course I allow only public key authentication and no root login. In addition I'm running fail2ban to block obnoxious brute force attack sources. On CentOS 6 this is working pretty well, but on CentOS 5 there's one c