Dec 30 2009

What is “SSH: POSSIBLE BREAK-IN ATTEMPT!”? You may receive this warning when you SSH to a remote host. It is not as threatening as it sounds. When you SSH to a host, a series of checks is made to make sure you are connecting to the host you expect to connect to. SSH does a reverse mapping (a reverse DNS lookup) on the IP you are connecting to, then checks whether the hostname it gets back resolves to that same IP; if it does not, you will see the warning message “reverse mapping checking getaddrinfo for … POSSIBLE BREAK-IN ATTEMPT!”

For example, when you try to SSH to a host, you will enter something like:

ssh [email protected]

and see something like:

Connecting to 1.1.1.1
reverse mapping checking getaddrinfo for abc.example.com failed - POSSIBLE BREAK-IN ATTEMPT!
[email protected] password:

You can see above that we are connecting to the IP 1.1.1.1, whose reverse DNS gives the hostname abc.example.com, which does not resolve back to that IP, resulting in the warning message. The same applies the other way round: if you SSH to the hostname “abc.example.com”, whose IP is 1.1.1.1, SSH checks the reverse DNS of that IP, and if it does not point back to “abc.example.com”, you will receive the warning message.
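To make the check concrete, here is an added Python example (not from the original post) that mirrors the reverse-mapping logic in both directions over a constructed, in-memory DNS table; every name other than abc.example.com, the RFC 5737 test addresses, and the wording of the second warning are assumptions.

```python
import ipaddress

# Constructed DNS data for the demonstration (not real records):
# PTR maps an IP to its reverse-DNS name, A maps a name to its addresses.
PTR = {
    "1.1.1.1": "abc.example.com",      # name from the post: PTR exists, forward lookup fails
    "192.0.2.10": "good.example.net",  # PTR and A records agree
    "192.0.2.20": "other.example.org", # PTR name resolves to a different address
}
A = {
    "good.example.net": ["192.0.2.10"],
    "other.example.org": ["198.51.100.5"],
    "alias.example.org": ["192.0.2.20"],
}

def check_reverse_mapping(ip, ptr=PTR, a=A):
    """Forward-confirmed reverse DNS check as the post describes it.

    Returns (name_to_trust, warning). On any mismatch the numeric address
    is used instead of the name and a warning in OpenSSH-style wording is given.
    """
    ipaddress.ip_address(ip)  # reject malformed input early
    name = ptr.get(ip)
    if name is None:
        # No PTR record at all: fall back to the address, nothing to warn about.
        return ip, None
    forward = a.get(name)
    if forward is None:
        # The case shown in the post: the reverse name does not resolve.
        return ip, (f"reverse mapping checking getaddrinfo for {name} failed "
                    "- POSSIBLE BREAK-IN ATTEMPT!")
    if ip not in forward:
        # The reverse name resolves, but not back to the address we connected to.
        return ip, (f"Address {ip} maps to {name}, but this does not map back "
                    "to the address - POSSIBLE BREAK-IN ATTEMPT!")
    return name, None

def check_hostname(hostname, ptr=PTR, a=A):
    """The other direction from the post: resolve the name you typed, then run
    the reverse check on each address it gives. Returns [(ip, warning), ...]."""
    return [(ip, check_reverse_mapping(ip, ptr, a)[1]) for ip in a.get(hostname, [])]

if __name__ == "__main__":
    for ip in ("1.1.1.1", "192.0.2.10", "192.0.2.20", "203.0.113.9"):
        print(ip, "->", check_reverse_mapping(ip))
    print("alias.example.org", "->", check_hostname("alias.example.org"))
```

Only 1.1.1.1 reproduces the exact message from the post; 192.0.2.20 shows the second way the check can fail, and 203.0.113.9 shows that a missing PTR record alone produces no warning.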

If you see “POSSIBLE BREAK-IN ATTEMPT!” messages in your auth.log file, it can mean that someone may be trying to brute-force their way in, and you should take the necessary steps to tighten the security of your server.

Posted by at 10:57 pm