I've whitelisted my own domains in /etc/hosts.allow

ALL: localhost, .domain.tld

plus all of my IP addresses.

I also have about 4k lines in /etc/hosts.deny.

Everything works but I do not understand the warning I get from time to time, because not all connections return a mismatch:

Feb  4 09:01:13 my sshd[24068]: warning: /etc/hosts.allow, line 14: host name/name mismatch: UNKNOWN-110-75-188-34.aliyun.com != my.domain.tld

Update:

My IP maps to domain.tld, and domain.tld maps to my IP.

*.aliyun.com is some brute-forcing machine attacking my server.


1 Answer

sshd is just giving you a warning that the denied connection is not listed in either hosts.allow or hosts.deny; this is part of the verbose logging behavior, allowing you to troubleshoot connections which might need to be matched and aren't matching (usually due to incorrectly configured DNS entries, especially RDNS entries).

Keeping an eye on warnings is never a bad idea though, although this is fairly innocuous.

  • My rDNS/DNS mapping is set up correctly; *.aliyun.com does not belong to me, it's an attacker. – Daniel W. Feb 04 '13 at 11:36
  • Looking into it further, it's basically saying that the connection does not respond to a line in either the hosts.allow, or in hosts.deny. You're doing verbose logging, which is useful to identify problems like the one I mentioned before. – NickW Feb 04 '13 at 11:37
  • Furthermore, it's logging to allow you to see why a certain user is being denied (or not allowed) access. Obviously the connections that aren't being logged are already matching a line in one of the two files. – NickW Feb 04 '13 at 11:39
  • My DSL dynamic IP/hostname is not in hosts.allow either, and it does not log any warning. I don't understand why sshd wants the attacker's hostname to match my local hostname; this can't be. – Daniel W. Feb 04 '13 at 12:05
  • There is the misunderstanding, it doesn't "want" anything, it is just trying to let you know that this connection came through, and was denied, but since the IP wasn't listed in either file, it might be something you want to change (you might be troubleshooting someone unable to connect). It's just a side effect of verbose logging. – NickW Feb 04 '13 at 12:09
  • That might be it. Well, many people ignore warnings in common, but I really want to investigate them and understand. If you edit your answer I'm gonna accept it, tyvm. – Daniel W. Feb 04 '13 at 13:09
  • Certainly, it's good seeing people making sure they understand what the programs are logging. – NickW Feb 04 '13 at 13:23
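The log line in the question comes from the hostname verification TCP Wrappers runs whenever an access-control entry has to be compared with a host-name pattern such as .domain.tld (hence the file name and line number in the warning): the client address is reverse-resolved, the returned name is forward-resolved, and the two answers must agree. The Python model below is an added example, not code from the question, the answer or the tcp_wrappers project; its resolver tables are constructed sample data, and it shows that a client failing the check is renamed "paranoid", so it can only match ALL or PARANOID, never .domain.tld.

```python
PTR = {                                   # constructed sample data: address -> PTR name
    "203.0.113.7": "my.domain.tld",
    "110.75.188.34": "UNKNOWN-110-75-188-34.aliyun.com",
    "198.51.100.9": None,                 # no PTR record at all
}
FORWARD = {                               # constructed: name -> (canonical name, addresses)
    "my.domain.tld": ("my.domain.tld", ["203.0.113.7"]),
    # the resolver answers the attacker's PTR name with a different canonical
    # name; that is exactly what produces a "host name/name mismatch" warning
    "UNKNOWN-110-75-188-34.aliyun.com": ("my.domain.tld", ["203.0.113.7"]),
}

def verify_client(addr, ptr=PTR, fwd=FORWARD):
    """Return (host name used for matching, warning text or None), libwrap style."""
    name = ptr.get(addr)
    if name is None:                      # no PTR record: the name stays "unknown"
        return "unknown", None
    entry = fwd.get(name)
    if entry is None:
        return "paranoid", f"can't verify hostname: gethostbyname({name}) failed"
    canonical, addrs = entry
    if canonical != name and name != "localhost":
        return "paranoid", f"host name/name mismatch: {name} != {canonical}"
    if addr not in addrs:
        return "paranoid", f"host name/address mismatch: {addr} != {canonical}"
    return name, None                     # forward and reverse agree: name is trusted

def host_matches(pattern, addr, name):
    """Subset of hosts_access(5) client patterns: wildcards, .suffix, literals."""
    if pattern == "ALL":
        return True
    if pattern == "UNKNOWN":
        return name == "unknown"
    if pattern == "PARANOID":
        return name == "paranoid"
    if pattern.startswith("."):           # ".domain.tld" matches any host below it
        return len(name) > len(pattern) and name.endswith(pattern)
    return pattern in (addr, name)        # literal address or host name

def decide(addr, allow_patterns, deny_patterns):
    """hosts.allow is consulted first, then hosts.deny; no match at all means allow."""
    name, warning = verify_client(addr)
    if any(host_matches(p, addr, name) for p in allow_patterns):
        return "allow", warning
    if any(host_matches(p, addr, name) for p in deny_patterns):
        return "deny", warning
    return "allow", warning
```

Note that a client renamed "paranoid" is refused only if some hosts.deny pattern (for example ALL or PARANOID) matches it; with no matching deny entry the connection is accepted, warning or not.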