107

I've got a CentOS 5.x box running on a VPS platform. My VPS host misinterpreted a support inquiry I had about connectivity and effectively flushed some iptables rules. This resulted in ssh listening on the standard port and acknowledging port connectivity tests. Annoying.

The good news is that I require SSH Authorized keys. As far as I can tell, I don't think there was any successful breach. I'm still very concerned about what I'm seeing in /var/log/secure though: 

Apr 10 06:39:27 echo sshd[22297]: reverse mapping checking getaddrinfo for 222-237-78-139.tongkni.co.kr failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 10 13:39:27 echo sshd[22298]: Received disconnect from 222.237.78.139: 11: Bye Bye
Apr 10 06:39:31 echo sshd[22324]: Invalid user edu1 from 222.237.78.139
Apr 10 06:39:31 echo sshd[22324]: reverse mapping checking getaddrinfo for 222-237-78-139.tongkni.co.kr failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 10 13:39:31 echo sshd[22330]: input_userauth_request: invalid user edu1
Apr 10 13:39:31 echo sshd[22330]: Received disconnect from 222.237.78.139: 11: Bye Bye
Apr 10 06:39:35 echo sshd[22336]: Invalid user test1 from 222.237.78.139
Apr 10 06:39:35 echo sshd[22336]: reverse mapping checking getaddrinfo for 222-237-78-139.tongkni.co.kr failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 10 13:39:35 echo sshd[22338]: input_userauth_request: invalid user test1
Apr 10 13:39:35 echo sshd[22338]: Received disconnect from 222.237.78.139: 11: Bye Bye
Apr 10 06:39:39 echo sshd[22377]: Invalid user test from 222.237.78.139
Apr 10 06:39:39 echo sshd[22377]: reverse mapping checking getaddrinfo for 222-237-78-139.tongkni.co.kr failed - POSSIBLE BREAK-IN ATTEMPT!
Apr 10 13:39:39 echo sshd[22378]: input_userauth_request: invalid user test
Apr 10 13:39:39 echo sshd[22378]: Received disconnect from 222.237.78.139: 11: Bye Bye

What exactly does "POSSIBLE BREAK-IN ATTEMPT" mean? That it was successful? Or that it didn't like the IP the request was coming from?

Mike B
  • 12,016

6 Answers6

89

Unfortunately this in now a very common occurrence. It is an automated attack on SSH which is using 'common' usernames to try and break into your system. The message means exactly what it says, it does not mean that you have been hacked, just that someone tried.

Shaheen Ghiassy
  • 101
user9517
  • 116,228
  • Thanks Lain. That makes me feel better. I'm really glad I require authorized keys for ssh. =) – Mike B Apr 17 '11 at 18:31
  • 29
    "reverse mapping checking getaddrinfo for" is more about source IP/hostname crafted. The same crafted traffic is trying bad user names, but bad user names doesn't generate the "POSSIBLE BREAK-IN ATTEMPT" message. – poisonbit Apr 17 '11 at 18:34
  • 11
    @MikeyB: You may want to look at adding fail2ban to you system. THis can be configured to block the IP addresses of these attackers automatically. – user9517 Apr 17 '11 at 18:35
  • @poisonbit: Your right it means that there is a reverse lookup that then doesn't in turn resolve to an A record but in the round it's all part of the same automated attack. – user9517 Apr 17 '11 at 18:38
  • @lain Thanks. Good idea. I've been using fail2ban for apache but didn't think it was necessary for SSH since I was only allowing access from a couple source IPs. This is a wake up call. It's best not to be too reliant on specific security measures. – Mike B Apr 17 '11 at 18:38
  • 9
    Note that 'reverse mapping failed' can simply mean that the user's ISP hasn't configured reverse DNS correctly, which is quite common. See @Gaia 's answer. – Wilfred Hughes Oct 09 '13 at 13:52
  • @WilfredHughes: Whilst that may be true, looking at the log snippet provided, it is clearly an automated attack of the type everyone who looks would see every day. – user9517 Oct 09 '13 at 13:57
  • Another solution is to move the ssh server to a port other than 22. That should remove most of the messages (and break the standard "22/ssh", whether it is important or not depends on your system) – WoJ Jun 13 '14 at 12:23
  • @WoJ, that's not really a solution but it can reduce the problem. – user9517 Jun 13 '14 at 12:28
  • @Iain: true, but having experienced that on many servers when such attacks became fashionable years ago I saw a drastic reduction (almost to zero) of this noise in the logs. – WoJ Jun 13 '14 at 12:31
  • 3
    This is inaccurate, it just means the the reverse DNS does not match the hostname the client sent to identify themselves. It is likely flagged since that might have been a break in attempt for people using .rhosts or .shosts authentication (I've never seen that used). Scans happens, but that is not what this message is about (although any connection can trigger it) (For scans, the failed auth / unknown user messages are better to look for) – Gert van den Berg Nov 16 '18 at 07:38
  • "The message means exactly what it says" is very informative. – x-yuri Sep 20 '19 at 11:28
54

The "POSSIBLE BREAK-IN ATTEMPT" part specifically, is related to the "reverse mapping checking getaddrinfo failed" part. It means the person who was connecting didn't have forward and reverse DNS configured correctly. This is quite common, especially for ISP connections, which is where the "attack" was probably coming from.

Unrelated the the "POSSIBLE BREAK-IN ATTEMPT" message, the person is actually trying to break in using common user names and passwords. Do not use simple passwords for SSH; in fact the best idea to to disable passwords altogether and use SSH keys only.

Chris S
  • 78,185
  • 1
    If it's generated by a (valid) connection via an ISP, you can add an entry to your /etc/hosts file to get rid of this reverse mapping error. Obviously you'd only do this if you knew that the error is benign and want to clean up your logs. – artfulrobot Aug 10 '12 at 09:22
34

"What exactly does "POSSIBLE BREAK-IN ATTEMPT" mean?"

This means that the netblock owner did not update the PTR record for a static IP within their range, and said PTR record is outdated, OR an ISP does not setup proper reverse records for its dynamic IP customers. This is very common, even for large ISPs.

You end up getting the msg in your log because someone coming from an IP with improper PTR records (due to one of the reasons above) is trying to use common usernames to try SSH into your server (possibly bruteforce attack, or maybe an honest mistake).

To disable these alerts, you have two choices:

1) If you have a static IP, add your reverse mapping to your /etc/hosts file (see more info here):

10.10.10.10 server.remotehost.com

2) If you have a dynamic IP and really want to make those alerts go away, comment out the "GSSAPIAuthentication yes" in your /etc/ssh/sshd_config file.

Gaia
  • 1,895
17

You can make your logs easier to read and check by turning off reverse lookp-ups in sshd_config (UseDNS no). This will prevent sshd from logging the "noise" lines containing "POSSIBLE BREAK-IN ATTEMPT" leaving you to concentrate on the slightly more interesting lines containing "Invalid user USER from IPADDRESS".

Community
  • 1
TimT
  • 346
  • 4
    What is the downside to disabling sshd reverse lookups on a server connected to the public Internet? Is there any upside at all to leaving this option enabled? – Eddie Nov 06 '13 at 15:48
  • 2
    @Eddie I don't think the DNS lookups performed by sshd serves any useful purpose. There are two good reasons to disable the DNS lookups. The DNS lookups can slow down login if the lookups time out. And the "POSSIBLE BREAK-IN ATTEMPT" messages in the log are misleading. All that message really means is that the client has misconfigured DNS. – kasperd Jul 01 '15 at 10:12
  • @kasperd UseDNS is needed, if one needs / wants to use hostnames in the from= directive in authorized_keys files. – gxx May 15 '16 at 19:08
  • "UseDNS no" does not make the messages disappear, it only allows connection disregarding the warning. They are still there. – FarO Nov 25 '16 at 22:17
  • 1
    I disagree @OlafM - "UseDNS no" tells sshd to not perform the reverse mapping check and therefore it will not add any lines containing "POSSIBLE BREAK-IN ATTEMPT" to the system logs. As a side-effect it may also speed up connection attempts from hosts than don't have reverse DNS configured correctly. – TimT May 04 '17 at 12:55
  • @TimT have you tried? I did: https://superuser.com/questions/1149850/how-to-disable-the-message-reverse-mapping-checking-getaddrinfo-for-xxx-failed – FarO May 05 '17 at 08:53
  • 1
    Yes @OlafM I did, about 4-5 years ago on Linux. It considerably shortened my logs and stopped logcheck bugging me with worthless email reports. – TimT May 26 '17 at 08:07
  • @TimT maybe my issue (see link) depended on a different branch, including patches for SunSSH compatibility. – FarO May 26 '17 at 09:33
  • 1
    The main use of UseDNS is for the (bad idea to use) .rhosts and .shosts authentication (HostbasedAuthentication). (And the From match option in the SSHD config and authorized_keys) (There is a seperate setting HostbasedUsesNameFromPacketOnly though which might be needed to switch of reverse lookups for Hosts based auth as well, worse idea than using Hostsbasedauthentication...) – Gert van den Berg Nov 16 '18 at 07:44
5

It's not necessary a successful login, but what it says "posible" and "attempt".

Some bad boy or script kiddie, is sending you crafted traffic with a false origin IP.

You can add origin IP limitations to your SSH keys, and try something like fail2ban.

poisonbit
  • 827
  • 5
  • 6
  • 2
    Thanks. I have iptables set to only allow ssh connectivity from select sources. I also have fail2ban installed and running. – Mike B Apr 17 '11 at 18:31
0

In my case after three week of suffering with logout of systems and hang in ssh connections every one minutes, I found my network changed to IPv6 when try to get my IP, so I tried to disable IPv6 and restart network, but that didn't not solve my problem.

Note: in every hang of ssh, I found this log line:

reverse mapping checking getaddrinfo for x.x.x.x.xx.com.xx [xx.xx.xx.xx] failed - POSSIBLE BREAK-IN ATTEMPT!

So I think part of this error is from your connection provider, when your IP changed continuously, ssh will keep freezing and this error will occurs. I changed my internet provider and problem was solved.

Valerio Bozz
  • 364
AnasSafi
  • 156