# reverse mapping checking getaddrinfo - please explain

## e3k

At 17:13:12 my sister logged in as the scponly user from a WinXP machine with WinSCP and a private key.

At 17:14:35 I got a second connection from some other IP, one minute later, and I don't understand why.

Can somebody interpret these logs for me?

```text
Aug 17 17:13:12 localhost sshd[10584]: Connection from 95.105.133.127 port 64155
Aug 17 17:13:38 localhost sshd[10584]: Found matching DSA key: 1e:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Aug 17 17:13:56 localhost sshd[10584]: Found matching DSA key: 1e:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Aug 17 17:13:56 localhost sshd[10584]: Accepted publickey for scponly from 95.105.133.127 port 64155 ssh2
Aug 17 17:13:56 localhost sshd[10584]: User child is on pid 10586
Aug 17 17:14:32 localhost kernel: iptables denied: IN=eth0 OUT= MAC=00:12:d3:05:03:76:00:17:10:00:af:b5:08:00 SRC=212.143.230.170 DST=188.167.65.37 LEN=438 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=5061 DPT=5060 LEN=418
Aug 17 17:14:35 localhost sshd[10589]: Connection from 122.11.56.250 port 35340
Aug 17 17:14:41 localhost sshd[10589]: reverse mapping checking getaddrinfo for ptr250.56.dnion.com [122.11.56.250] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 17 17:14:43 localhost sshd[10601]: Connection from 122.11.56.250 port 35773
Aug 17 17:14:49 localhost sshd[10601]: reverse mapping checking getaddrinfo for ptr250.56.dnion.com [122.11.56.250] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 17 17:14:51 localhost sshd[10613]: Connection from 122.11.56.250 port 36199
Aug 17 17:15:00 localhost sshd[10613]: reverse mapping checking getaddrinfo for ptr250.56.dnion.com [122.11.56.250] failed - POSSIBLE BREAK-IN ATTEMPT!
```

----------

## francofallica

I get this all the time. Nothing unusual here. That it happens a minute after your sister logged in might be a simple coincidence.

I guess it's just somebody trying to break into your machine with a brute-force-like attack on SSH. I suggest you install sshguard or something similar. You should also consider blocking bad IP addresses; you can get and update lists from http://www.unixhub.com/block.html or various other sites.

Regarding the

> reverse mapping checking getaddrinfo for ptr250.56.dnion.com [122.11.56.250] failed P

message: I think this means that there is no valid reverse mapping from the IP to the domain name, which would suggest that the attacker uses a non-static IP address from his ISP, because with static IP addresses you would usually implement the reverse mapping.

Hope that helped to clear things up.

franco

----------
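
The triage that the advice above (sshguard, blocking bad addresses) automates can be done by hand on lines like the ones in the first post. The script below is an added example, not code from any poster or from sshguard: it groups sshd events by client IP, keeps any address that had an `Accepted` line out of the block list, and renders iptables DROP rules for addresses that opened several sessions without ever authenticating. The log lines are a constructed sample modelled on the thread (the kernel line is rejoined onto one line to show it is skipped), the threshold of three connections and the port 22 in the rule are assumptions, and the rules are printed rather than executed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the lines quoted in the thread; not the poster's full log.
SAMPLE_LOG = """\
Aug 17 17:13:12 localhost sshd[10584]: Connection from 95.105.133.127 port 64155
Aug 17 17:13:56 localhost sshd[10584]: Accepted publickey for scponly from 95.105.133.127 port 64155 ssh2
Aug 17 17:14:32 localhost kernel: iptables denied: IN=eth0 OUT= SRC=212.143.230.170 DST=188.167.65.37 PROTO=UDP SPT=5061 DPT=5060
Aug 17 17:14:35 localhost sshd[10589]: Connection from 122.11.56.250 port 35340
Aug 17 17:14:41 localhost sshd[10589]: reverse mapping checking getaddrinfo for ptr250.56.dnion.com [122.11.56.250] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 17 17:14:43 localhost sshd[10601]: Connection from 122.11.56.250 port 35773
Aug 17 17:14:49 localhost sshd[10601]: reverse mapping checking getaddrinfo for ptr250.56.dnion.com [122.11.56.250] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 17 17:14:51 localhost sshd[10613]: Connection from 122.11.56.250 port 36199
Aug 17 17:15:00 localhost sshd[10613]: reverse mapping checking getaddrinfo for ptr250.56.dnion.com [122.11.56.250] failed - POSSIBLE BREAK-IN ATTEMPT!
"""

# syslog prefix + sshd[pid]; anything else (e.g. the kernel/iptables line) is not an sshd event
SSHD_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONN_RE = re.compile(r"^Connection from (?P<ip>[\d.]+) port \d+")
ACCEPT_RE = re.compile(r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
REVMAP_RE = re.compile(r"^reverse mapping checking getaddrinfo for (?P<host>\S+) \[(?P<ip>[\d.]+)\] failed")


def new_record():
    return {"connections": 0, "revmap_failures": 0, "accepted": [], "pids": set()}


def parse_sshd(log_text):
    """Group sshd events by client IP; lines that are not sshd messages are ignored."""
    per_ip = defaultdict(new_record)
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if m is None:
            continue
        msg, pid = m.group("msg"), m.group("pid")
        conn = CONN_RE.match(msg)
        if conn:
            per_ip[conn.group("ip")]["connections"] += 1
            per_ip[conn.group("ip")]["pids"].add(pid)  # one sshd child per connection
            continue
        acc = ACCEPT_RE.match(msg)
        if acc:
            per_ip[acc.group("ip")]["accepted"].append((acc.group("user"), acc.group("method")))
            continue
        rev = REVMAP_RE.match(msg)
        if rev:
            per_ip[rev.group("ip")]["revmap_failures"] += 1
    return dict(per_ip)


def candidates_to_block(per_ip, min_connections=3):
    """Client IPs with at least min_connections sessions and no Accepted line at all.
    Any IP that authenticated successfully is never returned, so a legitimate user's address stays out."""
    return sorted(ip for ip, rec in per_ip.items()
                  if rec["connections"] >= min_connections and not rec["accepted"])


def iptables_drop_rules(ips, port=22):
    """Render DROP rules for the chosen IPs (strings only; port 22 is an assumption)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in ips]


if __name__ == "__main__":
    summary = parse_sshd(SAMPLE_LOG)
    for ip, rec in sorted(summary.items()):
        print(f"{ip}: {rec['connections']} connections, {rec['revmap_failures']} reverse-mapping "
              f"failures, {len(rec['accepted'])} accepted logins")
    for rule in iptables_drop_rules(candidates_to_block(summary)):
        print(rule)
```

On the thread's lines this yields one block candidate, 122.11.56.250, which opened three sessions in 16 seconds (three distinct sshd child PIDs) and never reached an `Accepted` line; the sister's address is excluded because of its publickey login. A real deployment would rate-limit on a time window and expire the rules, which is exactly what sshguard does.
----------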

## e3k

If it's just a coincidence, then OK.

I am a bit suspicious about my sister's PC.

No problem if somebody gets in, as it's a chrooted scponly account just for file exchange.

----------

## francofallica

Well, I can't tell about your sister's PC, of course. But since it's coming from a different IP it is probably unrelated (but not necessarily). And you use SSH with RSA public/private keys, so this is kind of state of the art and can be regarded as quite secure. So don't worry.

----------

## Hu

You mention that she used an ssh key, so you may already know about the value of keyed authentication instead of passwords.  If not, I suggest you read up on the security advantages of configuring an sshd to allow only key based authentication, so that attackers can never use password authentication.

Dynamic IP addresses can have reverse mappings.  Static IP addresses may not have reverse mappings.  In an ideal environment, every machine should have a reverse mapping and doing a two stage lookup should validate in both directions, but there are many network administrators who either lack the time or the courtesy to establish such mappings.

----------
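
The two-stage lookup Hu describes (and the message francofallica interprets above) is worth seeing as code. The example below is added here and is not from any poster or from OpenSSH; it performs the check the way sshd does with `UseDNS yes`: resolve the client IP to its PTR name, resolve that name forward, and accept only if the client IP is among the answers. It runs against constructed DNS data (RFC 5737 documentation addresses, plus the thread's client IP, whose forward data is made up to reproduce what the log shows rather than what that name really resolves to); `live_ptr`/`live_forward` plug in the real resolver instead. The thread's exact message is the case where a PTR record exists but its name has no forward record at all; a name that resolves to a different address gives sshd's "does not map back" message, and an address with no PTR produces no warning. In every case sshd goes on to authentication: the line is a log note, not a block, and `UseDNS no` in sshd_config removes the lookup entirely.

```python
import socket

# Constructed fake DNS data so the example runs offline.
FAKE_PTR = {
    "203.0.113.10": "static.example.net",    # PTR and forward agree
    "192.0.2.44": "vpn.example.com",         # PTR exists, forward points to a different address
    "122.11.56.250": "ptr250.56.dnion.com",  # PTR exists, name has no forward record (made up to match the log)
    # 198.51.100.7 deliberately has no PTR entry
}
FAKE_FORWARD = {
    "static.example.net": {"203.0.113.10"},
    "vpn.example.com": {"192.0.2.45"},
}


def fake_ptr(ip):
    return FAKE_PTR[ip]          # KeyError is a LookupError


def fake_forward(name):
    return FAKE_FORWARD[name]


def live_ptr(ip):
    """Real resolver: IP -> PTR name; LookupError when there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror) as exc:
        raise LookupError(str(exc)) from exc


def live_forward(name):
    """Real resolver: name -> set of A/AAAA addresses; LookupError on NXDOMAIN."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except socket.gaierror as exc:
        raise LookupError(str(exc)) from exc


def check_client(ip, ptr_lookup=fake_ptr, forward_lookup=fake_forward):
    """Forward-confirmed reverse DNS, the two-stage lookup sshd runs under UseDNS yes.
    Returns (status, ptr_name) with status 'ok', 'no_ptr', 'forward_failed' or 'mismatch'."""
    try:
        name = ptr_lookup(ip)
    except LookupError:
        return "no_ptr", None
    try:
        addrs = forward_lookup(name)
    except LookupError:
        return "forward_failed", name
    return ("ok" if ip in addrs else "mismatch"), name


def sshd_warning(ip, ptr_lookup=fake_ptr, forward_lookup=fake_forward):
    """The warning sshd would log for this outcome (wording as in OpenSSH's canohost.c), or None."""
    status, name = check_client(ip, ptr_lookup, forward_lookup)
    if status == "forward_failed":
        return f"reverse mapping checking getaddrinfo for {name} [{ip}] failed - POSSIBLE BREAK-IN ATTEMPT!"
    if status == "mismatch":
        return f"Address {ip} maps to {name}, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!"
    return None   # 'ok', or no PTR at all: sshd silently uses the bare IP


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7", "192.0.2.44", "122.11.56.250"):
        print(ip, check_client(ip), sshd_warning(ip))
    # Against the real DNS: print(check_client("122.11.56.250", live_ptr, live_forward))
```

Because a PTR record is set by whoever controls the reverse zone for the address block, usually the ISP, its presence or absence says nothing reliable about whether the address is static, and a client can be hostile with a perfectly consistent mapping; the status is useful for log context, not as an access decision.
----------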

## e3k

Regarding only key-based authentication: yes, this is what I use.

----------

