
IP blocking by OSSEC SSH Rules.

“POSSIBLE BREAK-IN ATTEMPT” error messages via SSH

Root Cause

  • The client address has no consistent forward and reverse DNS. With UseDNS yes (the default before OpenSSH 6.8), sshd looks up the PTR record for the connecting IP, then resolves the resulting name forward and expects the client IP among the answers. When that forward lookup fails it logs "reverse mapping checking getaddrinfo for <name> [<ip>] failed - POSSIBLE BREAK-IN ATTEMPT!"; when the name resolves to a different address it logs "Address <ip> maps to <name>, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!". Either way the login proceeds: the line is a warning, not a refusal.
  • Missing or stale PTR/A pairs are common for ISP and NAT'd clients and for internal hosts (here sXXX.rX.local) that were added to DNS without a reverse zone, so most of these "attacks" are legitimate users.
  • The block itself comes from OSSEC, not from sshd. The stock sshd_rules.xml matches the line with rule 5702 ("Reverse lookup error (bad ISP or attack)", level 5) and escalates repeated matches from the same source IP to rule 5703 ("Possible breakin attempt (high number of reverse lookup errors)", level 10). Level 10 is above the default active-response threshold of level 6, so firewall-drop and host-deny are run against the source IP.
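The check described above, as an added example that is not code from the original article or from OpenSSH: an offline model of the forward/reverse consistency test sshd performs when UseDNS is yes. The PTR and A tables are constructed for the example (real sshd asks the system resolver); the two warning strings are the ones OpenSSH logs.

```python
# Added example (not from the original article): an offline model of the forward/reverse
# consistency check sshd performs on a client address when UseDNS is yes.
# The DNS tables below are constructed for the example; real sshd calls the system resolver.
from typing import Dict, List, Optional

# Constructed PTR (reverse) and A (forward) records for three client addresses.
PTR_RECORDS: Dict[str, str] = {
    "10.20.30.1": "s101.r1.local",   # PTR exists but no A record: the article's case
    "10.20.30.2": "s102.r1.local",   # PTR and A agree: no warning
    "10.20.30.3": "s103.r1.local",   # A record points elsewhere: mismatch warning
}
A_RECORDS: Dict[str, List[str]] = {
    "s102.r1.local": ["10.20.30.2"],
    "s103.r1.local": ["10.20.30.33"],
}


def reverse_mapping_check(ip: str,
                          ptr: Dict[str, str] = PTR_RECORDS,
                          fwd: Dict[str, List[str]] = A_RECORDS) -> Optional[str]:
    """Return the warning sshd would log for this client, or None if nothing is logged.

    Mirrors OpenSSH's get_remote_hostname(): look up the PTR for the client IP; if one
    exists, resolve that name forward and require the client IP among the results.
    """
    name = ptr.get(ip)
    if name is None:
        # No PTR at all: sshd silently uses the bare IP as the "hostname", no warning.
        return None
    addrs = fwd.get(name)
    if not addrs:
        # Forward lookup (getaddrinfo) of the PTR name failed: the message in the article.
        return (f"reverse mapping checking getaddrinfo for {name} [{ip}] failed "
                "- POSSIBLE BREAK-IN ATTEMPT!")
    if ip not in addrs:
        # Name resolves, but not back to the client address.
        return (f"Address {ip} maps to {name}, but this does not map back to the address "
                "- POSSIBLE BREAK-IN ATTEMPT!")
    return None


if __name__ == "__main__":
    for client in ("10.20.30.1", "10.20.30.2", "10.20.30.3", "192.0.2.9"):
        print(client, "->", reverse_mapping_check(client) or "ok (no warning)")
```

To reproduce the lookup sshd does on a real host, run `dig -x <client-ip>` and then `dig +short <returned-name>`; if the second answer does not contain the client IP, sshd will log one of the two warnings above.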

Issue

Steps to reproduce the error:

[root@ ~]# ssh sXXX

reverse mapping checking getaddrinfo for sXXX.rX.local [10.XX.XX.1] failed - POSSIBLE BREAK-IN ATTEMPT!

root@sXXX's password:

The warning is not printed by the ssh client; sshd on sXXX writes it to the server's auth log (/var/log/secure on RHEL/CentOS, /var/log/auth.log on Debian/Ubuntu), which is the file the OSSEC agent reads. The password prompt still follows and the login succeeds: the warning alone never rejects a connection. It is the OSSEC active response that blocks the address once the line has repeated.
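How those repeated lines turn into a firewall block, as an added example that is not code from the original article or from OSSEC: a simplified model of the stock sshd rules run over a constructed auth-log excerpt. The log lines are made up for the example; the rule IDs, levels, frequency and timeframe follow the stock sshd_rules.xml as I know it (compare with your installed copy), and the correlation logic is simplified, not OSSEC's engine.

```python
# Added example (not from the original article or from OSSEC): a simplified model of how
# the stock OSSEC sshd rules turn repeated reverse-mapping warnings into an IP block.
# Log lines are constructed for the example; rule numbers, levels, frequency and
# timeframe follow the stock sshd_rules.xml (check your own copy).
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List

# Constructed /var/log/secure excerpt: one internal host with no A record logs in four
# times in five minutes; an ISP client trips the warning once.
SAMPLE_LOG = """\
Mar 13 10:15:01 web1 sshd[2101]: reverse mapping checking getaddrinfo for s101.r1.local [10.20.30.1] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 13 10:15:02 web1 sshd[2101]: Accepted password for root from 10.20.30.1 port 50122 ssh2
Mar 13 10:16:10 web1 sshd[2108]: reverse mapping checking getaddrinfo for s101.r1.local [10.20.30.1] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 13 10:17:22 web1 sshd[2115]: reverse mapping checking getaddrinfo for s101.r1.local [10.20.30.1] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 13 10:18:05 web1 sshd[2120]: reverse mapping checking getaddrinfo for cpe-7.isp.example [203.0.113.7] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 13 10:19:40 web1 sshd[2127]: reverse mapping checking getaddrinfo for s101.r1.local [10.20.30.1] failed - POSSIBLE BREAK-IN ATTEMPT!
"""

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
SRCIP_RE = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\] failed")

# Stock rule parameters: 5702 matches one warning (level 5); 5703 fires when 5702 has
# matched `frequency` times from the same srcip within `timeframe` seconds (level 10).
RULE_5702_LEVEL = 5
RULE_5703_LEVEL = 10
RULE_5703_FREQUENCY = 4
RULE_5703_TIMEFRAME = 360
# Default <level> in the firewall-drop / host-deny <active-response> stanzas of ossec.conf.
ACTIVE_RESPONSE_LEVEL = 6


def analyze(log_text: str) -> List[Dict]:
    """Return the alerts the two rules would raise for the given auth-log text."""
    alerts: List[Dict] = []
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        # Rule 5702: <match>^reverse mapping</match> plus <regex>failed - POSSIBLE BREAK</regex>
        if not (msg.startswith("reverse mapping") and "failed - POSSIBLE BREAK" in msg):
            continue
        ip_match = SRCIP_RE.search(msg)
        if not ip_match:
            continue
        srcip = ip_match.group("ip")
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        alerts.append({"rule": 5702, "level": RULE_5702_LEVEL, "srcip": srcip})
        # Rule 5703: simplified frequency/timeframe correlation keyed on srcip.
        window = recent[srcip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > RULE_5703_TIMEFRAME:
            window.popleft()
        if len(window) >= RULE_5703_FREQUENCY:
            alerts.append({"rule": 5703, "level": RULE_5703_LEVEL, "srcip": srcip})
            window.clear()
    return alerts


def blocked_ips(alerts: List[Dict]) -> List[str]:
    """Sources that active response would hand to firewall-drop (level >= threshold)."""
    return sorted({a["srcip"] for a in alerts if a["level"] >= ACTIVE_RESPONSE_LEVEL})


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("blocked:", blocked_ips(found))
```

The single ISP client (203.0.113.7) only reaches level 5 and is never blocked; the internal host that logs in repeatedly without a reverse zone is the one that gets dropped, which is exactly the pattern behind this ticket.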

Environment

  • Linux, all releases, running OSSEC with the stock sshd rules and an OpenSSH server with UseDNS enabled (the default before OpenSSH 6.8)


Resolution

  • Comment out the <include>sshd_rules.xml</include> line in the <rules> section of /var/ossec/etc/ossec.conf and restart OSSEC (/var/ossec/bin/ossec-control restart). Be aware that this disables every sshd detection OSSEC ships (failed passwords, brute-force correlation), not only the reverse-lookup rules; if you take this route, prefer overriding just rules 5702 and 5703 in local_rules.xml. An address that has already been dropped stays blocked until the active-response timeout expires, so also remove the existing iptables DROP rule or /etc/hosts.deny entry, and add trusted addresses to <white_list> under <global> in ossec.conf so active response never blocks them again.
  • Preferred alternative: set "UseDNS no" in /etc/ssh/sshd_config on the server, validate the file with sshd -t, and restart sshd. sshd then skips the reverse lookup entirely, so the warning is never logged and there is nothing for OSSEC to match. OpenSSH 6.8 and later already default to UseDNS no. The only functional cost is that hostname patterns in authorized_keys from= options and in Match Host blocks no longer match by name, only by IP.
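A more targeted alternative to commenting out the whole sshd rule set, as an added example that is not from the original article: override only the two reverse-lookup rules in /var/ossec/etc/rules/local_rules.xml, so the rest of sshd_rules.xml (failed-password and brute-force detection) keeps working. The rule IDs, match strings and frequency/timeframe values are copied from the stock sshd_rules.xml as I know it; compare with your installed copy before applying.

```xml
<!-- Added example (not from the original article): local_rules.xml overrides that
     silence the reverse-lookup rules without disabling the other sshd rules. -->
<group name="local,syslog,">

  <!-- Demote the single warning to level 0 (no alert). overwrite="yes" replaces the
       stock rule, so its match conditions must be repeated here. -->
  <rule id="5702" level="0" overwrite="yes">
    <if_sid>5700</if_sid>
    <match>^reverse mapping</match>
    <regex>failed - POSSIBLE BREAK</regex>
    <description>Reverse lookup error (ignored: clients lack consistent PTR/A records).</description>
  </rule>

  <!-- Also demote the escalation rule, so repeated warnings can never reach the
       active-response threshold (level 6) and trigger firewall-drop / host-deny. -->
  <rule id="5703" level="0" overwrite="yes" frequency="4" timeframe="360">
    <if_matched_sid>5702</if_matched_sid>
    <description>Repeated reverse lookup errors (escalation disabled).</description>
  </rule>

</group>
```

After editing, restart with /var/ossec/bin/ossec-control restart and confirm the override took effect by feeding one of the logged lines to /var/ossec/bin/ossec-logtest: it should report rule 5702 at level 0. Addresses that were blocked before the change still need their iptables or hosts.deny entries removed, or the active-response timeout to expire.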


Copyright © 2015 Orion eSolutions. All Rights Reserved.