Mailinglist Archive: opensuse-security (232 mails)

Two questions about hosts.allow and sshd
  • From: Selena Kyle <lovemytreo@xxxxxxxxx>
  • Date: Tue, 4 Oct 2005 09:11:46 -0400
  • Message-id: <b78903b70510040611v6a9b6cd3q2b36546fbce0b3ea@xxxxxxxxxxxxxx>
Hello! I've actually never subscribed, because anytime I had a question, I
could just google and find it already asked by somebody else at some point,
and read the answers there. Unfortunately, that's no longer the case, at
least with this inquiry.

Alright, before I ask the question, here's the background information.

About Me:
- I'm using SuSE 9.3, and I've updated using all of the most recent security
patches.
- I'm a newbie to linux as an Admin, but I've been a light user for a couple
of years
- I understand programming better than I do networking (I know enough to
pass Network +, but don't have much working knowledge .... yet)

About My Machine:
- There are two IP addresses (which are actually the same computer) that I
currently interact with on a regular basis. x.x.x.98 and x.x.x.64 (the x's
are in the place of numbers to mask the actual computer). If you run a
traceroute to either IP, it'll resolve to domain.ext, but if you do a
reverse lookup of domain.ext, it'll always come up with only one of the IPs.
As a result, the following appears in my /var/log/messages:

Oct 4 02:51:25 localhost sshd: warning: /etc/hosts.allow, line 67: can't
verify hostname: getaddrinfo(domain.ext) didn't return ::ffff:x.x.x.98
Oct 4 02:51:27 localhost sshd[13932]: Address x.x.x.98 maps to domain.ext,
but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!

- Now, obviously this means that if I set a line in hosts.allow for ALL :
.domain.ext : PARANOID, it denies it because my system is paranoid and
thinks this is a spoofed domain. I currently have both IP addresses in my
allow list, so I can at least login from this server (it's a friend's
server, and I have no power to modify his DNS settings).

And On With The Question:

WITHOUT telling sshd to stop warning me when it can't resolve a domain to
who it claims to be (because I like that it does that!), how can I
essentially tell it "If domain.ext resolves to this ip or this other ip,
don't warn and just act like everything's normal" ?

Both IP addresses are static. I am *NOT* the administrator of the machine,
so I can't dig through his DNS settings to figure out why his domain is
assigned to two IPs to begin with, and I can't get it to report the
"official" IP when making connections to my box. I know the easy answer is to
just "ignore those lines in the logs", but I get a LOT of traffic from that
server, so it really does cause a clog issue when I do a cat
/var/log/messages | grep Oct 04, or something similar.

And no, I don't use a log analyzing program yet -- I'm still trying to learn
about security, and I believe that understanding the raw files on practical
level FIRST is important before expecting any script or program to analyze
them for me (plus I just prefer the command line most of the time anyway).

Any and all responses greatly appreciated. :-)

(And for bonus points, not nearly as important because it still functions
from a security standpoint, but I'm a girl so I'm annoyed that it doesn't
LOOK how I want it to! *laughs*)

How come the following line in hosts.deny works and displays a message to
the attempted incoming user:

in.telnetd: ALL: twist /bin/echo -e "Shoo!"

but this one doesn't

sshd: ALL: twist /bin/echo "Shoo!"
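Added here as an illustration, not part of the original post and not the tcp_wrappers or sshd code: a small Python model of the forward-confirmed reverse DNS check behind the two log lines quoted above. The resolver tables are constructed (documentation addresses 192.0.2.98 and 192.0.2.64 stand in for the masked x.x.x.98 and x.x.x.64), and the hosts.allow matching is a simplified model that shows why a hostname pattern fails for the address whose name does not map back while an explicit address pattern still matches.

```python
import ipaddress

# Constructed resolver tables (not real DNS data) mirroring the post: both
# addresses have a PTR record for domain.ext, but the forward lookup of
# domain.ext returns only one of them (192.0.2.0/24 stands in for x.x.x.0/24).
PTR_TABLE = {"192.0.2.98": "domain.ext", "192.0.2.64": "domain.ext"}
FORWARD_TABLE = {"domain.ext": ["192.0.2.64"]}

def canonical(addr):
    """Reduce an IPv4-mapped IPv6 form such as ::ffff:192.0.2.98 (the
    form in the getaddrinfo warning) to plain 192.0.2.98 for comparison."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)

def is_address(s):
    """True for a complete IPv4/IPv6 literal (prefix patterns are not modelled)."""
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False

def paranoid_check(addr, ptr=PTR_TABLE, forward=FORWARD_TABLE):
    """Forward-confirmed reverse DNS: address -> name -> addresses, and the client
    must be in that last set. Returns (verdict, name): "ok", "paranoid" or "unknown"."""
    client = canonical(addr)
    name = ptr.get(client)
    if name is None:
        return ("unknown", None)          # no PTR record at all
    if client in {canonical(a) for a in forward.get(name, [])}:
        return ("ok", name)
    return ("paranoid", name)             # name does not map back to the address

def is_allowed(addr, patterns, ptr=PTR_TABLE, forward=FORWARD_TABLE):
    """Simplified hosts.allow client-list match: an address pattern is compared
    against the address alone (so it matches even when the name check fails);
    a hostname pattern (exact name, or a leading-dot suffix that must match a
    longer name) only matches a client whose name passed paranoid_check."""
    client = canonical(addr)
    verdict, name = paranoid_check(client, ptr, forward)
    for pat in patterns:
        if is_address(pat):
            if canonical(pat) == client:
                return True
        elif verdict == "ok" and (name == pat or (
                pat.startswith(".") and len(name) > len(pat) and name.endswith(pat))):
            return True
    return False
```

Swapping the two tables for real resolver calls (socket.gethostbyaddr and socket.getaddrinfo) turns this into a quick check you can run against your own logs to see which peer addresses will trip the PARANOID rule.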