Useless log message "POSSIBLE BREAK-IN ATTEMPT"

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



 

On 26.12.2013 09:27, Alex Bligh wrote: 

> On 25 Dec 2013, at 08:04, Ben Lindstrom wrote:
> 
>> UseDNS Specifies whether sshd(8) should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. The default is ``yes''.
> 
> I've often wondered why the default for this is 'yes'.

I don't want to read reference manuals. I want software not to do stupid
things by default. This misfeature and its configuration option
shouldn't even exist. 

There isn't any action that the software can take based on this info.
(We should never waste resources gathering info that cannot be used to
take action.) 

You cannot reject hosts from making SSH connections just because they
have inconsistent DNS. 

Such checks are sometimes useful in software that has no real security,
like SMTP. Rejecting inconsistent DNS hosts is an amazingly reliable
rule that will get rid of a large fraction of spam, with virtually no
false positives. 

 


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux