Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

Firewalls, computer, server and network security, kernel and applications security of FreeBSD/Linux/AIX systems.

debuser
  Post  Post subject: Ssh disable DNS reverse lookups  |  Posted: Thu Apr 01, 2010 11:03 am


Ssh disable DNS reverse lookups

How to disable ssh daemon reverse lookups for client IP addresses.

What are IP reverse lookups


It is the DNS PTR (Pointer) query that maps an IP address to a fully qualified domain name or hostname. IP reverse lookups can be manually resolved with dig or nslookup commands:
Code:
# dig -x 8.8.8.8 +short
google-public-dns-a.google.com.


SSH reverse lookups


According to man sshd_config, the SSH daemon will do a reverse lookup of the incoming connection's source IP and then it will do another lookup of the returned FQDN.
Quote:
UseDNS Specifies whether sshd(8) should look up the remote host name and
check that the resolved host name for the remote IP address maps
back to the very same IP address. The default is ``yes''.


As in the example above, let's say Google IP 8.8.8.8 connects to an ssh server with reverse DNS lookups enabled: the SSH daemon will check the PTR record of the 8.8.8.8 IP address and then will do an A lookup for the returned hostname. Let's see this in tcpdump:
Code:
12:08:52.791163 IP 192.168.1.100.11535 > 10.1.1.1.22: Flags [S], seq 1362762187, win 65535, options [mss 1360,nop,wscale 6,sackOK,TS val 1799736819 ecr 0], length 0
12:08:53.307320 IP 10.1.1.1.54181 > 172.17.82.2.53: 58113+ PTR? 100.1.168.192.in-addr.arpa. (40)
12:08:54.515019 IP 172.17.82.2.53 > 10.1.1.1.54181: 58113 1/2/0 PTR host100.domain.com. (106)
12:08:54.515701 IP 10.1.1.1.46059 > 172.17.82.2.53: 22066+ A? host100.domain.com. (34)
12:08:54.520213 IP 172.17.82.2.53 > 10.1.1.1.46059: 22066 1/2/2 A 192.168.1.100 (118)


If the DNS server fails to respond, sshd (or at least older versions) will hang for a long time and most clients will time out.

Detecting your ssh version:
Code:
~  ssh -V
OpenSSH_4.7p1 FreeBSD-openssh-portable-4.7.p1_1,1, OpenSSL 0.9.8g 19 Oct 2007


SSH disable reverse lookups for IP and hostname


If your version is more recent (above 4), you can disable ssh reverse lookups by uncommenting or adding the following line to the sshd_config file:
Code:
UseDns no


Otherwise, if the remote system is running ssh daemon version 3 (not the protocol, but the software version), uncomment the following line in the same sshd_config file:
Code:
VerifyReverseMapping No


SSH daemon needs to be restarted so the changes can take effect.





Top
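Added example, not part of the original post: a small parser for the tcpdump capture shown above that pairs each DNS query with its answer by transaction ID, times every lookup, and repeats the PTR-then-A consistency check that UseDNS performs. The function name `analyse` and the report field names are this example's own; the input is the five capture lines from the post.

```python
import ipaddress
import re
from datetime import datetime

# The five tcpdump lines from the post above: client SYN, then sshd's PTR and A lookups.
CAPTURE = """\
12:08:52.791163 IP 192.168.1.100.11535 > 10.1.1.1.22: Flags [S], seq 1362762187, win 65535, options [mss 1360,nop,wscale 6,sackOK,TS val 1799736819 ecr 0], length 0
12:08:53.307320 IP 10.1.1.1.54181 > 172.17.82.2.53: 58113+ PTR? 100.1.168.192.in-addr.arpa. (40)
12:08:54.515019 IP 172.17.82.2.53 > 10.1.1.1.54181: 58113 1/2/0 PTR host100.domain.com. (106)
12:08:54.515701 IP 10.1.1.1.46059 > 172.17.82.2.53: 22066+ A? host100.domain.com. (34)
12:08:54.520213 IP 172.17.82.2.53 > 10.1.1.1.46059: 22066 1/2/2 A 192.168.1.100 (118)
"""

SYN = re.compile(r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.\d+ > \S+\.22: Flags \[S\]")
QUERY = re.compile(r"^(\S+) IP \S+ > \S+\.53: (\d+)\+? (PTR|A)\? (\S+) ")
REPLY = re.compile(r"^(\S+) IP \S+\.53 > \S+: (\d+)[*|$-]* \d+/\d+/\d+ (PTR|A) (\S+)")

def _ts(text):
    return datetime.strptime(text, "%H:%M:%S.%f")

def analyse(capture):
    """Pair DNS queries with answers by transaction ID and time each lookup."""
    client, pending, lookups = None, {}, []
    for line in capture.splitlines():
        if m := SYN.match(line):
            client = m.group(2)
        elif m := QUERY.match(line):
            pending[m.group(2)] = (_ts(m.group(1)), m.group(3), m.group(4))
        elif (m := REPLY.match(line)) and m.group(2) in pending:
            sent, qtype, qname = pending.pop(m.group(2))
            lookups.append({"type": qtype, "name": qname, "answer": m.group(4),
                            "seconds": (_ts(m.group(1)) - sent).total_seconds()})
    # The check UseDNS performs: PTR(client) -> hostname, then A(hostname) -> client.
    confirmed = False
    if client:
        arpa = ipaddress.ip_address(client).reverse_pointer + "."
        hosts = {q["answer"] for q in lookups if q["type"] == "PTR" and q["name"] == arpa}
        confirmed = any(q["type"] == "A" and q["name"] in hosts and q["answer"] == client
                        for q in lookups)
    return {"client": client, "lookups": lookups, "unanswered": len(pending),
            "dns_seconds": round(sum(q["seconds"] for q in lookups), 6),
            "forward_confirmed": confirmed}

if __name__ == "__main__":
    report = analyse(CAPTURE)
    for q in report["lookups"]:
        print(f'{q["type"]:>3} {q["name"]:<28} -> {q["answer"]:<20} {q["seconds"]:.6f}s')
    print(report["client"], report["dns_seconds"], report["forward_confirmed"])
```

On this capture the PTR lookup accounts for about 1.2 seconds of the wait; a non-zero `unanswered` count in your own capture points at the resolver that is not replying.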
debuser
Post  Post subject: Re: Ssh disable DNS reverse lookups  |  Posted: Fri Apr 02, 2010 4:28 am

If there are still problems (slow password prompt when you ssh to the server), you can start sshd in debug mode:
Code:
# sshd -ddd

and attempt to ssh again.

Most probably, the delay will occur at the same time as:
Code:
...
Trying to reverse map address xx.xx.xx.xx


This means that there could be problems with the dns servers. Commenting out everything in /etc/resolv.conf will solve the issue.


Top
prabu
Post  Post subject: Re: Ssh disable DNS reverse lookups  |  Posted: Mon Feb 07, 2011 8:42 am

For the DNS reverse lookup,
Just visit this site http://dnstools.ivorde.ro
It has the best information of IP address, IP address to domain, domain name to IP, domain name, hosting, and ping test to know the particular connection is online or not!!!!!


Top
Guest
Post  Post subject: Re: Ssh disable DNS reverse lookups  |  Posted: Tue Mar 03, 2015 7:28 pm
I love how the ads on this site go over the code so you can't read it


Top
admin
Post  Post subject: Re: Ssh disable DNS reverse lookups  |  Posted: Wed Mar 04, 2015 5:33 am
Site Admin

Guest wrote:
I love how the ads on this site go over the code so you can't read it

Fixed. Great feedback though.

_________________
VPSie - SSD VPS servers in AMS-IX, LINX, DE-CIX
https://vpsie.com


Top