
Wednesday, June 15, 2016

What exactly does "POSSIBLE BREAK-IN ATTEMPT" mean?


This means that the netblock owner did not update the PTR record for a static IP within their range, so the PTR record is outdated, or that an ISP does not set up proper reverse records for its dynamic-IP customers. This is very common, even for large ISPs.

You end up getting the message in your log because someone coming from an IP with improper PTR records (for one of the reasons above) is trying common usernames to SSH into your server (possibly a brute-force attack, or maybe an honest mistake).
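To separate those two cases in practice, group the warning by source IP and look at what else that IP did. The script below is an added example, not part of the original post; the function name `triage`, the `guess_threshold` value, and the sample log are assumptions, and the message formats are the ones older OpenSSH releases write.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format older OpenSSH releases write to auth.log.
# Addresses are from documentation ranges (RFC 5737); host names are made up.
SAMPLE_LOG = """\
Jun 15 03:12:01 web sshd[2101]: reverse mapping checking getaddrinfo for host-7.isp.example [203.0.113.7] failed - POSSIBLE BREAK-IN ATTEMPT!
Jun 15 03:12:01 web sshd[2101]: Invalid user admin from 203.0.113.7
Jun 15 03:12:03 web sshd[2104]: reverse mapping checking getaddrinfo for host-7.isp.example [203.0.113.7] failed - POSSIBLE BREAK-IN ATTEMPT!
Jun 15 03:12:03 web sshd[2104]: Invalid user oracle from 203.0.113.7
Jun 15 03:12:05 web sshd[2107]: reverse mapping checking getaddrinfo for host-7.isp.example [203.0.113.7] failed - POSSIBLE BREAK-IN ATTEMPT!
Jun 15 03:12:05 web sshd[2107]: Invalid user test from 203.0.113.7
Jun 15 09:40:12 web sshd[3310]: Address 198.51.100.23 maps to dyn-23.isp.example, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
Jun 15 09:40:15 web sshd[3310]: Accepted publickey for alice from 198.51.100.23 port 50522 ssh2
"""

# The two wordings sshd uses for the warning, plus the lines that give it context.
WARN_GETADDRINFO = re.compile(r"reverse mapping checking getaddrinfo for \S+ \[([^\]]+)\] failed - POSSIBLE BREAK-IN ATTEMPT!")
WARN_MAPBACK = re.compile(r"Address (\S+) maps to \S+, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!")
INVALID_USER = re.compile(r"Invalid user (\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted \S+ for (\S+) from (\S+)")

def triage(log_text, guess_threshold=3):
    """Group sshd lines by source IP and label each IP that triggered the warning."""
    stats = defaultdict(lambda: {"warnings": 0, "invalid_users": set(), "accepted": set()})
    for line in log_text.splitlines():
        m = WARN_GETADDRINFO.search(line) or WARN_MAPBACK.search(line)
        if m:
            stats[m.group(1)]["warnings"] += 1
        elif (m := INVALID_USER.search(line)):
            stats[m.group(2)]["invalid_users"].add(m.group(1))
        elif (m := ACCEPTED.search(line)):
            stats[m.group(2)]["accepted"].add(m.group(1))
    report = {}
    for ip, s in stats.items():
        if s["warnings"] == 0:
            continue  # reverse mapping checked out; not the message discussed here
        if len(s["invalid_users"]) >= guess_threshold:
            label = "username guessing"
        elif s["accepted"]:
            label = "legitimate user, broken PTR"
        else:
            label = "unclassified"
        report[ip] = (label, s["warnings"], sorted(s["invalid_users"]))
    return report

if __name__ == "__main__":
    for ip, (label, warnings, users) in triage(SAMPLE_LOG).items():
        print(f"{ip}: {label} ({warnings} warnings, tried {users})")
```
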

To disable these alerts, you have two choices:

1) If you have a static IP, add your reverse mapping to your /etc/hosts file (see more info here):

10.10.10.10 server.remotehost.com

2) If you have a dynamic IP and really want to make those alerts go away, comment out the "GSSAPIAuthentication yes" line in your /etc/ssh/sshd_config file.