You could deny all by default and only allow your locations in tcp_wrappers.
Add this to /etc/hosts.deny:
sshd: ALL
And this to /etc/hosts.allow:
sshd: 12.34.56.78 your.ip.here 123. 12.34.
I exaggerated the spaces. You'd still get the failures in your logs, but access to the service won't be granted as it wouldn't match the allow.
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Tilman Schmidt
Sent: Thursday, March 07, 2013 11:45 AM
To: CentOS mailing list
Subject: Re: [CentOS] CentOS 5 sshd does not log IP address of reverse mapping failure

On 06.03.2013 19:20, Gordon Messmer wrote:
> On 03/06/2013 09:45 AM, Tilman Schmidt wrote:
>> Any ideas how to remedy that situation?
> As long as you get the IP address for failed logins, ignore reverse mapping failures.
Trouble is, I don't:
Feb 8 00:03:09 dns01 sshd[6119]: reverse mapping checking getaddrinfo for mbl-99-61-82.dsl.net.pk failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 8 00:03:10 dns01 sshd[6120]: Disconnecting: Too many authentication failures for root
Feb 8 00:03:19 dns01 sshd[6121]: reverse mapping checking getaddrinfo for mbl-99-61-82.dsl.net.pk failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 8 00:03:20 dns01 sshd[6122]: Disconnecting: Too many authentication failures for root
Feb 8 00:03:22 dns01 sshd[6123]: reverse mapping checking getaddrinfo for mbl-99-61-82.dsl.net.pk failed - POSSIBLE BREAK-IN ATTEMPT!
Feb 8 00:03:23 dns01 sshd[6124]: Disconnecting: Too many authentication failures for root
[...]
And at the end of the day, logwatch tells me:
--------------------- SSHD Begin ------------------------
Disconnecting after too many authentication failures for user: root : 149 Time(s)
Not good.
--
Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany
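
Added example, not part of the original thread: a simplified Python model of how tcp_wrappers evaluates the hosts.deny and hosts.allow entries suggested in the reply at the top of this message, showing which client addresses the trailing-dot prefix patterns admit. It implements only a subset of the hosts_access(5) pattern syntax, and the client addresses it checks are constructed.

```python
# Simplified model of tcp_wrappers access control (hosts_access(5)).
# Assumption: only ALL, exact address/hostname, "12.34." address prefixes and
# ".example.com" hostname suffixes are modelled; netmasks, netgroups,
# EXCEPT and shell commands are left out.

def parse_rules(text):
    """Return [(daemons, clients)] from hosts.allow / hosts.deny style text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 2)[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, addr, host=None):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):        # address prefix, e.g. "12.34."
        return addr.startswith(pattern)
    if pattern.startswith("."):      # hostname suffix, e.g. ".example.com"
        return host is not None and host.lower().endswith(pattern.lower())
    return pattern == addr or (host is not None and pattern.lower() == host.lower())

def rule_hit(rules, daemon, addr, host):
    return any((daemon in daemons or "ALL" in daemons)
               and any(client_matches(p, addr, host) for p in clients)
               for daemons, clients in rules)

def access_granted(allow_text, deny_text, daemon, addr, host=None):
    """hosts.allow is consulted first, then hosts.deny; no match at all grants."""
    if rule_hit(parse_rules(allow_text), daemon, addr, host):
        return True
    if rule_hit(parse_rules(deny_text), daemon, addr, host):
        return False
    return True

# The two entries from the reply ("your.ip.here" is the reply's own placeholder).
HOSTS_DENY = "sshd: ALL\n"
HOSTS_ALLOW = "sshd: 12.34.56.78 your.ip.here 123. 12.34.\n"

if __name__ == "__main__":
    # Constructed client addresses, chosen to exercise each pattern.
    for addr in ("12.34.56.78", "12.34.200.1", "123.9.9.9", "12.3.4.5", "203.0.113.50"):
        ok = access_granted(HOSTS_ALLOW, HOSTS_DENY, "sshd", addr)
        print(f"{addr:15} {'granted' if ok else 'denied'}")
```

The trailing dot makes `12.34.` a textual prefix, so `12.3.4.5` is not admitted, and without the `sshd: ALL` deny entry every unmatched client falls through to the default grant.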