[CentOS] CentOS 5 sshd does not log IP address of reverse mapping failure [solved, I guess]

Sat Mar 9 17:57:13 UTC 2013
Tilman Schmidt <t.schmidt at phoenixsoftware.de>

Am 08.03.2013 20:51, schrieb Gordon Messmer:
> # tail -f /var/log/secure
> Mar  8 11:46:54 firewall sshd[27455]: pam_unix(sshd:auth): 
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
> rhost=173-xx-xx-xx-washington.hfc.comcastbusiness.net  user=root
> Mar  8 11:46:56 firewall sshd[27455]: Failed password for root from 
> 173.xx.xx.xx port 51437 ssh2

I think I see what's happening now.

The machines in question all have password authentication disabled, so
they obviously never log "Failed password". If someone tries to log in
to an existing user account with password authentication, she gets the
message "no supported authentication methods available" or something
like that. In that case /var/log/secure does not log a failure message.
The only trace of that attempt is a "Received disconnect", like here
after the message I cited in my original posting:

Mar  3 04:44:48 gimli sshd[12870]: reverse mapping checking getaddrinfo
for hn.ly.kd.adsl failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  3 04:44:49 gimli sshd[12871]: Received disconnect from
61.163.113.72: 11: Bye Bye

If I set "UseDNS no" the first message disappears and only the second
one remains.

So it seems there is no way to identify password brute-forcing attempts
on servers which don't accept password authentication in the first
place.

-- 
Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany

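As an added example (not code from the thread or from OpenSSH), a small Python script that joins the two lines Tilman quotes: the reverse-mapping failure, which names only the unresolvable host, and the "Received disconnect" line a second later, which carries the IP. It then lists disconnects that never reached an Accepted/Failed verdict, which on a key-only server is the only trace such an attempt leaves. The 192.0.2.10 session, the year 2013 and the 5-second join window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the /var/log/secure format quoted in the thread; the 192.0.2.10 session is invented as a normal key login.
SAMPLE_LOG = """\
Mar  3 04:44:48 gimli sshd[12870]: reverse mapping checking getaddrinfo for hn.ly.kd.adsl failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  3 04:44:49 gimli sshd[12871]: Received disconnect from 61.163.113.72: 11: Bye Bye
Mar  3 04:50:02 gimli sshd[12880]: Accepted publickey for admin from 192.0.2.10 port 40022 ssh2
Mar  3 04:50:30 gimli sshd[12881]: Received disconnect from 192.0.2.10: 11: disconnected by user
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
REVMAP_RE = re.compile(r"reverse mapping checking getaddrinfo for (\S+) failed")
DISC_RE = re.compile(r"Received disconnect from ([\d.]+):")
AUTH_RE = re.compile(r"(?:Accepted|Failed) \S+ for (?:invalid user )?\S+ from ([\d.]+)")

def _ts(stamp, year=2013):
    # syslog stamps carry no year; 2013 is assumed from the thread's date
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def correlate(log_text, window=5):
    """One record per disconnect: (stamp, ip, unresolved_hostname, authenticated).
    The pids of the two lines differ, so a reverse-mapping failure is attributed to
    the next disconnect within `window` seconds; auth state is tracked per IP."""
    pending = []       # (time, hostname) reverse-mapping failures not yet matched
    auth_seen = set()  # IPs that produced an Accepted or Failed line
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when, msg = _ts(m.group(1)), m.group(2)
        r, a, d = REVMAP_RE.search(msg), AUTH_RE.search(msg), DISC_RE.search(msg)
        if r:
            pending.append((when, r.group(1)))
        elif a:
            auth_seen.add(a.group(1))
        elif d:
            ip, host = d.group(1), None
            for i, (t, h) in enumerate(pending):
                if 0 <= (when - t).total_seconds() <= window:
                    host = h
                    del pending[i]
                    break
            records.append((m.group(1), ip, host, ip in auth_seen))
    return records

def unauthenticated_probes(log_text, window=5):
    """Disconnects with no Accepted/Failed verdict: the attempts that leave no 'Failed password' line."""
    return [rec for rec in correlate(log_text, window) if not rec[3]]
```

Pipe `/var/log/secure` into `correlate()` and the `hn.ly.kd.adsl` failure comes out paired with 61.163.113.72, while the key-authenticated session is not flagged.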