Two questions about hosts.allow and sshd
Hello! I've actually never subscribed, because anytime I had a question, I could just google and find it already asked by somebody else at some point, and read the answers there. Unfortunately, that's no longer the case, at least with this inquiry. Alright, before I ask the question, here's the background information.

About Me:
- I'm using SuSE 9.3, and I've updated using all of the most recent security patches.
- I'm a newbie to linux as an Admin, but I've been a light user for a couple of years.
- I understand programming better than I do networking (I know enough to pass Network+, but don't have much working knowledge .... yet).

About My Machine:
- There are two IP addresses (which are actually the same computer) that I currently interact with on a regular basis: x.x.x.98 and x.x.x.64 (the x's are in the place of numbers to mask the actual computer). If you run a traceroute to either IP, it'll resolve to domain.ext, but if you do a reverse lookup of domain.ext, it'll always come up with only one of the IPs. As a result, the following appears in my /var/log/messages:

Oct 4 02:51:25 localhost sshd: warning: /etc/hosts.allow, line 67: can't verify hostname: getaddrinfo(domain.ext) didn't return ::ffff:x.x.x.98
Oct 4 02:51:27 localhost sshd[13932]: Address x.x.x.98 maps to domain.ext, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!

- Now, obviously this means that if I set a line in hosts.allow for ALL : .domain.ext : PARANOID, it denies it because my system is paranoid and thinks this is a spoofed domain. I currently have both IP addresses in my allow list, so I can at least login from this server (it's a friend's server, and I have no power to modify his DNS settings).
And On With The Question:

WITHOUT telling sshd to stop warning me when it can't resolve a domain to who it claims to be (because I like that it does that!), how can I essentially tell it "If domain.ext resolves to this ip or this other ip, don't warn and just act like everything's normal"? Both IP addresses are static. I am *NOT* the administrator of the machine, so I can't dig through his DNS settings to figure out why his domain is assigned to two IPs to begin with, and I can't get it to report the "official" IP when making connects to my box.

I know the easy answer is to just "ignore those lines in the logs", but I get a LOT of traffic from that server, so it really does cause a clog issue when I do a cat /var/log/messages | grep Oct 04, or something similar. And no, I don't use a log analyzing program yet -- I'm still trying to learn about security, and I believe that understanding the raw files on a practical level FIRST is important before expecting any script or program to analyze them for me (plus I just prefer the command line most of the time anyway).

Any and all responses greatly appreciated. :-)

(And for bonus points, not nearly as important because it still functions from a security standpoint, but I'm a girl so I'm annoyed that it doesn't LOOK how I want it to! *laughs*) How come the following line in hosts.deny works and displays a message to the attempted incoming user:

in.telnetd: ALL: twist /bin/echo -e "Shoo!"

but this one doesn't:

sshd: ALL: twist /bin/echo "Shoo!"
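The first log line in the question is produced by the TCP wrappers library (libwrap) while it scans /etc/hosts.allow: a client pattern written as a host or domain name forces a double-reverse lookup (PTR of the address, then A record of that name, which must contain the address again), and a name that does not map back never matches. Numeric patterns are compared against the address only and never touch DNS, and rules are scanned in order with the first match winning. The following Python model of that matching is an added example for this thread, not code from the original posts or from tcp_wrappers; the DNS data is constructed to reproduce the situation described (two addresses with a PTR for the same name, an A record listing only one of them), with 203.0.113.98 and 203.0.113.64 as placeholders for the masked x.x.x.98 and x.x.x.64 and host.example.org for domain.ext. The second log line ("Address ... maps to ..., but this does not map back") comes from sshd's own reverse-lookup check, not from libwrap, and is not modelled here.

```python
"""Simplified model of tcp_wrappers (hosts.allow) client matching as used by sshd
through libwrap.  Added example for this thread, not code from the original
posts or from tcp_wrappers itself.  Addresses in the 203.0.113.0/24
documentation range are constructed stand-ins for the masked x.x.x.98 and
x.x.x.64 in the question; host.example.org stands in for domain.ext."""


# Constructed DNS data reproducing the situation in the question: both
# addresses have a PTR record for the same name, but that name's A record
# lists only one of them, so the other cannot pass a double-reverse lookup.
PTR_RECORDS = {
    "203.0.113.98": "host.example.org",
    "203.0.113.64": "host.example.org",
}
A_RECORDS = {
    "host.example.org": ["203.0.113.64"],
}


def verified_hostname(ip):
    """Double-reverse lookup: PTR(ip) -> name, then A(name) must contain ip.

    Returns (name, None) when verified, (None, warning) when the name does not
    map back (the "can't verify hostname" case, warning text modelled on the
    logged message), and (None, None) when there is no PTR record at all
    (tcp_wrappers then treats the client as UNKNOWN without a spoof warning).
    """
    name = PTR_RECORDS.get(ip)
    if name is None:
        return None, None
    if ip not in A_RECORDS.get(name, []):
        return None, "can't verify hostname: getaddrinfo(%s) didn't return %s" % (name, ip)
    return name, None


def looks_like_address(pattern):
    """Numeric patterns ('203.0.113.98', '203.0.113.') are compared against the
    connecting address only; no DNS lookup is ever made for them."""
    return pattern[0].isdigit()


def client_pattern_matches(pattern, ip):
    """Match one client pattern from a hosts.allow line against the address.

    Returns (matched, warning).  A warning only arises when a name pattern
    forces the hostname verification and that verification fails.
    """
    if pattern == "ALL":
        return True, None
    if looks_like_address(pattern):
        if pattern.endswith("."):            # network prefix, e.g. "203.0.113."
            return ip.startswith(pattern), None
        return ip == pattern, None
    name, warning = verified_hostname(ip)
    if name is None:
        return False, warning                # unverifiable name never matches
    if pattern.startswith("."):              # domain suffix, e.g. ".example.org"
        return name.endswith(pattern), None
    return name == pattern, None


def evaluate_hosts_allow(rules, daemon, ip):
    """Scan hosts.allow rules in order; the first matching rule grants access.

    rules is a list of (daemon_pattern, [client patterns]) tuples, one per
    line.  Returns (allowed, warnings): warnings lists every verification
    failure the scan triggered, i.e. the lines sshd would log for this
    connection.  No match means fall-through to hosts.deny (modelled as deny).
    """
    warnings = []
    for daemon_pattern, client_patterns in rules:
        if daemon_pattern not in ("ALL", daemon):
            continue
        for pattern in client_patterns:
            matched, warning = client_pattern_matches(pattern, ip)
            if warning is not None and warning not in warnings:
                warnings.append(warning)
            if matched:
                return True, warnings
    return False, warnings


# A name-only rule: the address whose PTR does not map back is refused and a
# warning is logged, while the other address is accepted silently.
NAME_RULE = [("sshd", [".example.org"])]

# Listing the two static addresses numerically *before* any name pattern means
# matching stops at the address and no DNS verification is attempted for them,
# while other hosts still have to pass the name check on the later line.
ADDRESS_FIRST = [("sshd", ["203.0.113.98", "203.0.113.64"]),
                 ("sshd", [".example.org"])]


if __name__ == "__main__":
    for rules in (NAME_RULE, ADDRESS_FIRST):
        for ip in ("203.0.113.98", "203.0.113.64"):
            print(rules, ip, evaluate_hosts_allow(rules, "sshd", ip))
```

The practical consequence for the configuration in the question: the two address rules have to come before the line that uses .domain.ext (line 67 in the log), not after it, because the warning is emitted as soon as the scan reaches a name pattern for that address. Keeping the name pattern on a later line leaves verification in force for every other client.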
Hello,

On Tuesday, 4 October 2005 15:11, Selena Kyle wrote:
> How come the following line in hosts.deny works and displays a message to the attempted incoming user:
> in.telnetd: ALL: twist /bin/echo -e "Shoo!"
Telnet is a clear-text protocol.
> but this one doesn't
> sshd: ALL: twist /bin/echo "Shoo!"
I guess it doesn't work because all SSH connections are encrypted.

Regards,
Christian Boltz
--
My computers have been a nature reserve for penguins for a year now. ;)) [Michael Raab in suse-linux]