Can I adjust the ssh daemon to log IP addresses instead of hostnames?
I assume this situation is feasible...
* 10.10.10.10 attempts to ssh to the server
* reverse dns resolves to "somehost.domain.com"
* ssh daemon logs "somehost.domain.com" in messages
* forward dns on "somehost.domain.com" resolves to 10.10.10.20
Thus it causes some of my scripts a problem if the DNS resolutions don't match. It would be nice if it could just log IP addresses only.
Thanks, Scott
On Mon, Jun 22, 2009 at 3:21 PM, Scott Moseman <scmoseman@gmail.com> wrote:
> Can I adjust the ssh daemon to log IP addresses instead of hostnames?
In sshd_config set UseDNS to no:
UseDNS no
Brett
Hi,
On Mon, Jun 22, 2009 at 15:21, Scott Moseman <scmoseman@gmail.com> wrote:
> Can I adjust the ssh daemon to log IP addresses instead of hostnames?
You can disable all DNS lookups by adding this line to /etc/ssh/sshd_config:
UseDNS no
This will probably accomplish what you want.
> I assume this situation is feasible...
> - 10.10.10.10 attempts to ssh to the server
> - reverse dns resolves to "somehost.domain.com"
> - ssh daemon logs "somehost.domain.com" in messages
> - forward dns on "somehost.domain.com" resolves to 10.10.10.20
> Thus it causes some of my scripts a problem if the DNS resolutions don't match. It would be nice if it could just log IP addresses only.
I believe the OpenSSH server will only log and use domain names if the forward DNS matches the reverse DNS, otherwise it will probably log the IP only (as if there was no reverse DNS for the IP) and maybe even log a warning that forward and reverse do not match. I haven't tested that recently, but that is how I would expect sshd to work...
HTH, Filipe
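A script that feeds firewall rules from the ssh logs can refuse to act on hostname entries instead of resolving them, which avoids the forward/reverse mismatch described above. This is an added example, not code from the thread; the pam_unix "rhost=" line format, the sample lines and the function names are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in an assumed pam_unix/sshd syslog shape (not from the thread).
SAMPLE_LOG = """\
Jun 22 15:01:02 server sshd[2101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=somehost.domain.com  user=root
Jun 22 15:01:05 server sshd[2101]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=somehost.domain.com  user=root
Jun 22 15:02:11 server sshd[2107]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.10
Jun 22 15:02:14 server sshd[2107]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.10  user=root
Jun 22 15:02:19 server sshd[2107]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.10  user=root
"""

# Capture the remote host field of an sshd PAM authentication failure.
FAILURE = re.compile(
    r"sshd\[\d+\]: pam_unix\(sshd:auth\): authentication failure;.*\brhost=(\S+)"
)


def classify_sources(log_text):
    """Count failures per source, split into IP literals and hostnames."""
    by_ip, by_name = Counter(), Counter()
    for line in log_text.splitlines():
        match = FAILURE.search(line)
        if not match:
            continue
        source = match.group(1)
        try:
            by_ip[str(ipaddress.ip_address(source))] += 1
        except ValueError:
            # A hostname: resolving it now may return a different address
            # than the one that connected, so it is only reported.
            by_name[source] += 1
    return by_ip, by_name


def block_candidates(log_text, threshold=3):
    """Return (IPs at or above threshold, hostnames seen but not acted on)."""
    by_ip, by_name = classify_sources(log_text)
    blocked = sorted(ip for ip, count in by_ip.items() if count >= threshold)
    return blocked, sorted(by_name)


if __name__ == "__main__":
    blocked, by_hostname = block_candidates(SAMPLE_LOG)
    print("candidates for a firewall rule:", blocked)
    print("logged by hostname, not blocked:", by_hostname)
```

Any name in the second list means the daemon is still logging hostnames, so those failures are not counted against an address until UseDNS is set to no.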
Indeed, that does log only the IP address. I could have sworn that I already played with that config option, but apparently I did not.
Thanks, Scott
On Mon, Jun 22, 2009 at 2:34 PM, Filipe Brandenburger <filbranden@gmail.com> wrote:
> UseDNS no
While I did change the config entry and it is logging IP addresses, apparently that's not my problem. Even when using legit IP addresses my iptables rejects aren't working? I guess that means it's not a forward/reverse DNS problem causing my issue. I have to use /etc/hosts.deny to stop some of the ssh attacks. Very weird.
Thanks, Scott
On Mon, Jun 22, 2009 at 2:42 PM, Scott Moseman <scmoseman@gmail.com> wrote:
> Indeed, that does log only the IP address. I could have sworn that I already played with that config option, but apparently I did not.
> Thanks, Scott
> On Mon, Jun 22, 2009 at 2:34 PM, Filipe Brandenburger <filbranden@gmail.com> wrote:
>> UseDNS no
On Tue, Jun 23, 2009 at 19:02, Scott Moseman <scmoseman@gmail.com> wrote:
> While I did change the config entry and it is logging IP addresses, apparently that's not my problem. Even when using legit IP addresses my iptables rejects aren't working? I guess that means it's not a forward/reverse DNS problem causing my issue. I have to use /etc/hosts.deny to stop some of the ssh attacks. Very weird.
If you want some help to diagnose your iptables config, please give some details on what the config is (output of "iptables -nvL" is a good start) and which specific case makes you think it is not working.
If you want good tips on how to secure SSH, please do also check this wiki page: http://wiki.centos.org/HowTos/Network/SecuringSSH
HTH, Filipe