
warning: /etc/hosts.allow, line 109: can’t verify hostname: getaddrinfo

A few of my servers are protected with TCP Wrappers to control access for security reasons. I have limited SSH access through this mechanism to certain known IPs or network ranges. Recently, however, one user connecting over a 3G mobile network was unable to access my servers because the carrier is using an IPv6 network. I was getting the following errors in the SSH log file:

Sep 19 02:09:57 qa01 sshd[6682]: refused connect from ::ffff:1.39.61.212 (::ffff:1.39.61.212)
Sep 19 02:12:23 qa01 sshd[6691]: warning: /etc/hosts.allow, line 110: can't verify hostname: getaddrinfo(1-39-61-212.live.vodafone.in, AF_INET) failed

To take a closer look at the issue, I first make sure that the SSH daemon already supports IPv6 connectivity and disable the reverse DNS lookup, so that neither of these is what triggers the error in the TCP Wrappers logs.

1. How do I enable IPv6 support in the SSH daemon?

Ensure that ListenAddress covers both the IPv4 and the IPv6 protocol. IPv6 is disabled by default on certain older Linux releases, so make sure both ListenAddress lines are present and not left commented out.

[root@qa01 ~]# cat /etc/ssh/sshd_config | grep -E "ListenAddress"
ListenAddress 0.0.0.0
ListenAddress ::
[root@qa01 ~]#

2. Disable reverse DNS lookup on SSH access.

Set the UseDNS parameter to no. It is enabled by default.

[root@qa01 ~]# cat /etc/ssh/sshd_config | grep -E "UseDNS"
UseDNS no
[root@qa01 ~]#

Next, restart the ssh service and check that it is listening on all NIC adapters.

[root@qa01 ~]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
[root@qa01 ~]#
[root@qa01 ~]# netstat -nlp | grep ":22"
tcp        0      0 :::22                       :::*                        LISTEN      2328/sshd
[root@qa01 ~]#

Perfect! One part is done.

Now I'm concentrating on the advanced settings of the TCP Wrappers mechanism, since /etc/hosts.allow is mentioned in the error logs (/var/log/secure). Why is it showing such errors?

Problem
TCP Wrappers looks up the reverse DNS of the IP the user is connecting from and tries to resolve the DNS record associated with it. If TCP Wrappers cannot verify that DNS record, it rejects the access/service requested from that IP and logs errors like the ones above.

Solution

We need to add a rule with TCP Wrappers' wildcard to our service list that ignores reverse DNS matching against the client IP address, so that these users can connect.

So I added this line to the /etc/hosts.allow file.

sshd: PARANOID : allow

Wildcards [taken from the Red Hat site]
Wildcards allow TCP wrappers to more easily match groups of daemons or hosts. They are used most frequently in the client list field of access rules.

The following wildcards may be used:

ALL — Matches everything. It can be used for both the daemon list and the client list.

LOCAL — Matches any host that does not contain a period (.), such as localhost.

KNOWN — Matches any host where the hostname and host address are known or where the user is known.

UNKNOWN — Matches any host where the hostname or host address are unknown or where the user is unknown.

PARANOID — Matches any host where the hostname does not match the host address.

The KNOWN, UNKNOWN, and PARANOID wildcards should be used with care as a disruption in name resolution may prevent legitimate users from gaining access to a service.

Once I had added it, I get the following messages in the log file (/var/log/secure):

Sep 19 03:44:29 -qa01 sshd[12806]: warning: /etc/hosts.allow, line 109: can't verify hostname: getaddrinfo(1-39-60-100.live.vodafone.in, AF_INET) failed
Sep 19 03:44:33 -qa01 sshd[12806]: reverse mapping checking getaddrinfo for 1-39-60-100.live.vodafone.in failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 19 03:44:34 -qa01 sshd[12806]: Accepted password for root from 1.39.60.100 port 12232 ssh2
Sep 19 03:44:34 -qa01 sshd[12806]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 19 03:44:35 qa01 sshd[12806]: subsystem request for sftp

Note: I'm not sure whether this provides 100% security, since any IPv4 user whose reverse DNS does not match (or is spoofed) is able to connect to this server, because the server configuration accepts non-matching DNS.
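To make the wildcard semantics and the caveat above concrete, here is an added example (not code from the post, Red Hat or TCP Wrappers itself) that emulates libwrap's hostname classification and hosts.allow/hosts.deny rule matching in Python against a constructed DNS table, including the ::ffff: mapped form seen in the first log line. The addresses and names other than the one from the log are constructed, and the EXCEPT operator and netgroups are left out.

```python
import ipaddress

# Constructed resolver data standing in for real DNS (not from the post):
# PTR answers keyed by address, A answers keyed by name.
PTR = {"1.39.60.100": "1-39-60-100.live.vodafone.in",  # PTR but no A record
       "203.0.113.7": "jump.example.net",              # A points elsewhere
       "198.51.100.9": "good.example.org"}             # forward/reverse agree
A = {"jump.example.net": ["203.0.113.8"], "good.example.org": ["198.51.100.9"]}

def normalize(client):
    """Map '::ffff:1.39.61.212' (logged when sshd listens on '::') to plain IPv4."""
    ip = ipaddress.ip_address(client)
    return str(ip.ipv4_mapped) if ip.version == 6 and ip.ipv4_mapped else str(ip)

def classify(addr):
    """libwrap's check: no PTR -> 'unknown'; PTR name not resolving back -> 'paranoid'."""
    name = PTR.get(addr)
    if name is None:
        return "unknown"
    return name if addr in A.get(name, []) else "paranoid"

def token_matches(tok, name, addr):
    # Client-list wildcards as documented in hosts_access(5), plus CIDR and exact match.
    if tok == "ALL":
        return True
    if tok == "KNOWN":
        return name not in ("unknown", "paranoid")
    if tok == "UNKNOWN":
        return name == "unknown"
    if tok == "PARANOID":
        return name == "paranoid"
    if "/" in tok:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(tok, strict=False)
    return tok in (name, addr)

def hosts_access(daemon, client, allow, deny):
    """First match wins: hosts.allow, then hosts.deny, else allow; a trailing allow/deny option overrides."""
    addr = normalize(client)
    name = classify(addr)
    for rules, default in ((allow, True), (deny, False)):
        for rule in rules:
            fields = [f.strip() for f in rule.split(":")]
            daemons, clients = fields[0].split(), fields[1].split()
            if daemon in daemons or "ALL" in daemons:
                if any(token_matches(t, name, addr) for t in clients):
                    return fields[2] == "allow" if len(fields) > 2 else default
    return True
# A known range plus the PARANOID line from the post; everything else denied.
ALLOW = ["sshd: 198.51.100.0/24", "sshd: PARANOID : allow"]
DENY = ["ALL: ALL"]
```

Running hosts_access for 203.0.113.7 shows the caveat: a client whose PTR points at a name that resolves elsewhere is also classified PARANOID and is let in by the same rule.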
