“POSSIBLE BREAK-IN ATTEMPT” error messages via SSH
- There is no reverse DNS set up for the hostname that is used.
- The “POSSIBLE BREAK-IN ATTEMPT” part is tied specifically to the “reverse mapping checking getaddrinfo failed” part. It means the host that was connecting did not have forward and reverse DNS configured consistently. This is quite common, especially for ISP connections, which is where the “attack” was probably coming from.
Steps to reproduce the error:
[root@ ~]# ssh sXXX
reverse mapping checking getaddrinfo for sXXX.rX.local [10.XX.XX.1] failed - POSSIBLE BREAK-IN ATTEMPT!
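To see why the message appears, here is a small model of the check sshd performs when UseDNS is enabled: PTR lookup of the client IP, then forward lookup of that name, and a warning when the name does not resolve back to the IP. This is example code added here, not from the original article or from OpenSSH; the resolver callables are injectable so the logic runs on constructed records without network access (the 192.0.2.x addresses and example.test names are constructed).

```python
"""Model of sshd's reverse-mapping check behind "POSSIBLE BREAK-IN ATTEMPT"."""
import socket
from typing import Callable, Iterable, Optional


def system_reverse(ip: str) -> Optional[str]:
    """PTR lookup via the system resolver; None when no PTR record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward(host: str) -> list[str]:
    """A/AAAA lookup via the system resolver; empty list when it fails."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def check_reverse_mapping(ip: str,
                          reverse: Callable[[str], Optional[str]] = system_reverse,
                          forward: Callable[[str], Iterable[str]] = system_forward) -> str:
    """Verdict sshd's check reaches for a client address:
    'ok'          PTR exists and the forward lookup maps back to the IP
    'no-ptr'      no PTR record: sshd just logs the bare IP, no warning
    'no-forward'  PTR exists but the name does not resolve at all
                  (the "reverse mapping checking getaddrinfo ... failed" case)
    'mismatch'    the name resolves, but not to the connecting IP
    The last two are the cases sshd tags "POSSIBLE BREAK-IN ATTEMPT"."""
    host = reverse(ip)
    if host is None:
        return "no-ptr"
    addrs = list(forward(host))
    if not addrs:
        return "no-forward"
    return "ok" if ip in addrs else "mismatch"


# Constructed records standing in for a zone with inconsistent DNS.
PTR = {"192.0.2.10": "ok.example.test",
       "192.0.2.20": "sXXX.rX.local",        # PTR points at a name with no A record
       "192.0.2.30": "shared.example.test"}  # name resolves, but to another IP
A = {"ok.example.test": ["192.0.2.10"],
     "shared.example.test": ["192.0.2.99"]}


def check_constructed(ip: str) -> str:
    """Run the check against the constructed records instead of live DNS."""
    return check_reverse_mapping(ip, PTR.get, lambda h: A.get(h, []))


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(ip, check_constructed(ip))
```

Running check_reverse_mapping(ip) with the default resolvers against a client address that triggered the message shows whether the PTR or the forward record is the part missing on the client's side.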
- Linux and All Releases
- Comment out the SSH rules in the OSSEC config file (vim /var/ossec/etc/ossec.conf): the line that includes sshd_rules.xml. After this change, restart the ossec service. Don’t forget to whitelist the IP in your firewall for this to take effect.
- As an alternative to the above option, put “UseDNS no” in /etc/ssh/sshd_config on the server and restart sshd.