The Community Forums


Set "UseDNS no" in sshd_config when cPHulkd is enabled

Discussion in 'Bind / DNS / Nameserver Issues' started by sehh, Jan 9, 2009.

  1. sehh

    sehh Well-Known Member

    The changelog says that EDGE was updated with "Set "UseDNS no" in sshd_config when cPHulkd is enabled". What is this change about? UseDNS checks that the remote IP address resolves properly.
  2. Darren

    Darren Well-Known Member
    Staff Member

    If UseDNS is enabled, it sends the resolved domain name rather than the IP to PAM, which is what cPHulkd reads from when determining whether a login attempt is part of a brute force attempt or not. The problem with this is with whitelisting IPs; if PAM would pass the IP along with any resolved domain name, then we could resolve the domain to its A records (if more than one) and verify at least one matches the IP it's connecting from. Alas, all we get is a domain that an attacker could set up to fake and get whitelisted. Consider the following scenario:

    Attacker has control over rdns on and NS for baddom.tld .
    Admin has whitelisted in WHM for cPHulkd.
    Attacker sets up to return a PTR with baddom.tld , then sets up an A record for baddom.tld to .
    Attacker brute forces root login on Admin's server and gets away with it, because when the Attacker connects from, the Admin's server resolves to baddom.tld and sends baddom.tld to cPHulkd. cPHulkd then resolves baddom.tld to an IP to check against the whitelist and finds, which matches and is allowed to carry on.

    We'll probably modify it somewhat in the near future to be configurable in case an Admin really wants it on, more than using whitelists with cPHulkd.
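
Checking that the setting discussed in this thread is actually in effect, as an added example that is not part of the thread or of cPanel's code: sshd uses the first value it obtains for a keyword, so a `UseDNS no` appended below an existing `UseDNS yes` changes nothing. The sample configs are constructed, and `effective_usedns` is a hypothetical helper name.

```python
import re

# Constructed sample: a script appended "UseDNS no" at the end of the file,
# but an earlier "UseDNS yes" is still present above it.
SAMPLE_APPENDED = """\
Port 22
#UseDNS no
usedns yes
PermitRootLogin prohibit-password
UseDNS no
"""

# Constructed sample: a single global setting, followed by a Match block.
SAMPLE_FIXED = """\
Port 22
UseDNS=no
Match Address 192.0.2.0/24
    PasswordAuthentication no
"""

def effective_usedns(config_text):
    """Return (value, line_no, notes) for the global UseDNS setting.

    value is 'yes', 'no', or None when the file never sets it; in that case
    the built-in default applies, which depends on the OpenSSH version.
    """
    notes, found = [], None
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        keyword = parts[0].lower()                      # keywords are case-insensitive
        words = parts[1].split() if len(parts) > 1 else []
        arg = words[0].strip('"').lower() if words else ""
        if keyword == "match":
            break                                       # the rest is conditional, not global
        if keyword == "include" and found is None:
            notes.append(f"line {line_no}: Include precedes any UseDNS; check included files")
        elif keyword == "usedns":
            if found is None:
                found = (arg, line_no)                  # first obtained value is the one used
            elif arg != found[0]:
                notes.append(f"line {line_no}: 'UseDNS {arg}' ignored, line {found[1]} wins")
    value, at = found if found else (None, None)
    return value, at, notes
```

On a live host, `sshd -T` prints the effective configuration, including the `usedns` line.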
