  1. #1
    Member sehh's Avatar
    Join Date
    Feb 2006
    Location
    Europe
    Posts
    461

    Set "UseDNS no" in sshd_config when cPHulkd is enabled

    The changelog says that EDGE was updated with "Set "UseDNS no" in sshd_config when cPHulkd is enabled". What is this change about? UseDNS checks that the remote IP address resolves properly.

  2. #2
    cPanel Staff
    Join Date
    Dec 2001
    Location
    Houston, TX
    Posts
    1,881

    If UseDNS is enabled, it sends the resolved domain name rather than the IP to PAM, which is what cPHulkd reads from when determining whether a login attempt is part of a brute force attempt or not. The problem with this is with whitelisting IPs; if PAM would pass the IP along with any resolved domain name, then we could resolve the domain to its A records (if more than one) and verify at least one matches the IP it's connecting from. Alas, all we get is a domain that an attacker could set up to fake and get whitelisted. Consider the following scenario:

    Attacker has control over rdns on 1.2.3.4 and NS for baddom.tld.
    Admin has whitelisted 4.5.6.7 in WHM for cPHulkd.
    Attacker sets up 1.2.3.4 to return a PTR with baddom.tld, then sets up an A record for baddom.tld to 4.5.6.7.
    Attacker brute forces root login on Admin's server and gets away with it, because when the Attacker connects from 1.2.3.4, the Admin's server resolves 1.2.3.4 to baddom.tld and sends baddom.tld to cPHulkd. cPHulkd then resolves baddom.tld to an IP to check against the whitelist and finds 4.5.6.7, which matches and is allowed to carry on.

    We'll probably modify it somewhat in the near future to be configurable in case an Admin really wants it on, more than using whitelists with cPHulkd.
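
The scenario in the reply above, modeled as an added example (not cPanel's code and not part of the original thread): it compares a whitelist check driven by the PTR name with the forward-confirmed check the reply describes and with the IP-only check that `UseDNS no` results in. The DNS tables, the `admin.example` hostname, the 203.0.113.9 address and all function names are constructed for illustration.

```python
import ipaddress

# Constructed DNS data mirroring the scenario in the reply (not real records).
PTR = {"1.2.3.4": "baddom.tld", "4.5.6.7": "admin.example"}
A = {"baddom.tld": ["4.5.6.7"], "admin.example": ["4.5.6.7"]}
WHITELIST = [ipaddress.ip_network("4.5.6.7/32")]


def whitelisted(ip):
    """True if the address falls inside a whitelisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)


def rhost_seen_by_pam(peer_ip, use_dns):
    """Per the reply: the PTR name when UseDNS is on, otherwise the IP."""
    return PTR.get(peer_ip, peer_ip) if use_dns else peer_ip


def check_name_only(rhost):
    """Flawed check: resolve whatever was passed and trust the result."""
    try:
        ipaddress.ip_address(rhost)
        candidates = [rhost]             # already an IP literal
    except ValueError:
        candidates = A.get(rhost, [])    # attacker-controlled answer
    return any(whitelisted(ip) for ip in candidates)


def check_forward_confirmed(peer_ip, rhost):
    """Needs the peer IP too: the name's A records must include it."""
    if rhost != peer_ip and peer_ip not in A.get(rhost, []):
        return False                     # PTR name does not map back to peer
    return whitelisted(peer_ip)


def evaluate(peer_ip):
    """Whitelist decision for one connecting address under each approach."""
    name = rhost_seen_by_pam(peer_ip, use_dns=True)
    return {
        "usedns_yes_name_only": check_name_only(name),
        "usedns_yes_forward_confirmed": check_forward_confirmed(peer_ip, name),
        "usedns_no": check_name_only(rhost_seen_by_pam(peer_ip, use_dns=False)),
    }


if __name__ == "__main__":
    for ip in ("1.2.3.4", "4.5.6.7", "203.0.113.9"):
        print(ip, evaluate(ip))
```

Only the name-only check treats 1.2.3.4 as whitelisted; the other two decide on the connecting address itself.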
