Remove reverse mapping attack signature

Issue #15 resolved
Roman Inflianskas created an issue

I want to disable checking for this signature:

reverse mapping checking getaddrinfo for failed - POSSIBLE BREAK-IN ATTEMPT!

because I use my laptop in many locations where reverse DNS is configured badly.

As I understand it, the only thing I can do for now is to patch the sources and compile it myself. It's not convenient.

Comments (6)

  1. Kevin Zheng

    Right now, disabling an attack signature means patching and recompiling SSHGuard. The root issue seems to be that a reverse mapping check isn't really indicative of an attack; it's actually very common for this to fail, especially if the client is behind a corporate/school/home network without an FQDN for every IP. Should this signature be removed entirely?

  2. Hendrik Visage

    I would've liked to have this as an optional choice, or even to be able to disable this for some subnets, as I've been bitten by this several times (in older version(s) in Debian/Ubuntu) that forced me to whitelist entire ADSL ranges, where I just wanted to disable this for a certain range.

  3. Kevin Zheng

    This signature has been removed in newer versions of SSHGuard. Unfortunately, you'll have to upgrade to take advantage of this change.
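
An added illustration of the behaviour discussed in this thread (not SSHGuard code and not part of any comment): a small log scorer showing a client with broken reverse DNS being flagged when the reverse mapping line counts as an attack, followed by the two alternatives raised above, a per-subnet exemption and dropping the signature. The function `flagged`, its threshold of 3, the `exempt_nets` parameter and the log lines are assumptions constructed for this example.

```python
import ipaddress
import re
from collections import Counter

IP = r"(?P<ip>[0-9A-Fa-f.:]+)"
# The signature from the issue, with the host and address fields sshd logs.
REVERSE_MAP = re.compile(
    r"reverse mapping checking getaddrinfo for \S+ \[" + IP + r"\] failed"
    r" - POSSIBLE BREAK-IN ATTEMPT!")
# An actual authentication failure.
FAILED_AUTH = re.compile(r"Failed password for (?:invalid user )?\S+ from " + IP)

# Constructed log lines; addresses are from the documentation ranges.
_REV = "sshd[1]: reverse mapping checking getaddrinfo for {} [{}] failed - POSSIBLE BREAK-IN ATTEMPT!"
SAMPLE_LOG = "\n".join(
    [_REV.format("cpe-7.example.net", "198.51.100.7")] * 3
    + ["sshd[1]: Accepted publickey for roman from 198.51.100.7 port 50122 ssh2"]
    + [_REV.format("dsl-20.example.org", "192.0.2.20")] * 3
    + ["sshd[2]: Failed password for invalid user admin from 203.0.113.9 port 41822 ssh2"] * 3
)


def flagged(log, use_reverse_map=True, exempt_nets=(), threshold=3):
    """Return the set of addresses with at least `threshold` signature hits.

    exempt_nets lists networks where the reverse mapping signature is ignored;
    failed logins from those networks still count.
    """
    nets = [ipaddress.ip_network(n) for n in exempt_nets]
    hits = Counter()
    for line in log.splitlines():
        m = FAILED_AUTH.search(line)
        if not m and use_reverse_map:
            m = REVERSE_MAP.search(line)
            if m and any(ipaddress.ip_address(m["ip"]) in n for n in nets):
                m = None  # broken PTR on an exempt network: not an attack
        if m:
            hits[m["ip"]] += 1
    return {ip for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    print("signature on: ", sorted(flagged(SAMPLE_LOG)))
    print("subnet exempt:", sorted(flagged(SAMPLE_LOG, exempt_nets=["198.51.100.0/24"])))
    print("signature off:", sorted(flagged(SAMPLE_LOG, use_reverse_map=False)))
```

With the signature counted, the client that authenticated successfully with a public key is flagged alongside the host that produced the failed logins; only the failed-login host remains once the signature is dropped.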
