Remove reverse mapping attack signature

Create issue
Issue #15 resolved
Roman Inflianskas created an issue

I want to disable checking for this signature:

reverse mapping checking getaddrinfo for failed - POSSIBLE BREAK-IN ATTEMPT!

because I use my laptop in many locations where reverse DNS is configured badly.

As I understood the only thing I can do for now is to patch sources and compile it myself. It's not convenient.

Comments (6)

  1. Kevin Zheng

    Right now, disabling an attack signature means patching and recompiling SSHGuard. The root issue seems to be that a reverse mapping check isn't really indicative of an attack; it's actually very common for this to fail, especially if the client is behind a corporate/school/home network without FQDN for every IP. Should this signature be removed entirely?

  2. Hendrik Visage

    I would've liked to have this an optional choice, or even to be able to disable this for some subnets, as I've been bitten by this several times (in older version(s) in Debian/Ubuntu) that forced me to whitelist entire ADSL ranges, where I just wanted to disable this for a certain range.

  3. Kevin Zheng

    This signature has been removed in newer versions of SSHGuard. Unfortunately, you'll have to upgrade to take advantage of this change.

  4. Log in to comment