[App_rpt-users] Server Login Anomaly
Joel
x-rad at frontier.com
Thu Apr 2 19:54:04 UTC 2015
kk6ecm wrote:
> Thanks all,
>
> As Mike says, the DNS server changed... In fact, it went away for the
> repeater site, but not for the local site, where my DNS is my router. It
> looks like I should use "UseDNS no" in sshd_conf, as suggested by Joel. I'm
> not sure why a DNS would be required for SSH.
Bob,
It's done as a security check. Ideally your forward and reverse DNS records always match. In my network I handle ALL my DNS in both directions - so everything always matches unless I forget to update one of my zones. So knowing there is a discrepancy is a nice.
If someone was to hijack your forward records (happens a lot anymore with big ISP's), chances are they will direct you to a new network/IP for which the reverse will no longer match and it will alert you and let you know that you might be under a re-direct attack and do you want to continue. With this turned off - you will lack that check. Also, sshd is trying to commit to the syslog the connection attempt before it even proceeds with authentication. This is another GOOD Unix thing.. If your using off-site syslog - the attempt is logged away before they can even try to get into the machine where they could erase logs to cover their tracks.
I always advise people to use key exchange for auth on SSH connections if possible. Then turn off password auth in the ssh server. Adds a nice extra layer of security.
73's
Joel/N7GLV
More information about the App_rpt-users
mailing list