LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 04-24-2011, 11:58 AM   #1
cnmoore
Member
 
Registered: Sep 2010
Location: Sunnyvale, CA
Distribution: CentOS 5.5
Posts: 89

Rep: Reputation: 0
What is "gethostby*.getanswer: asked for.."


These showed up in my logwatch today. Never saw them before and haven't a clue what they are. No idea what ip130.208-100-19.vswitch.static.steadfast.net is or what gethostby is.

Under SSHD

Code:
 **Unmatched Entries**
 gethostby*.getanswer: asked for "ip130.208-100-19.vswitch.static.steadfast.net  IN A", got type "39" : 6 time(s)
 Address 85.17.189.146 maps to hosted-by.leaseweb.com , but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT! : 2 time(s)
 gethostby*.getanswer: asked for "ip130.208-100-19.vswitch.static.steadfast.net  IN AAAA", got type "39" : 4 time(s)
What's happening here? And what is type "39"? (I trust that it means "Error! go away!")

And where can I read up on this? Thanks -

Last edited by cnmoore; 04-24-2011 at 12:15 PM.
 
Old 04-25-2011, 06:41 PM   #2
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910
What it boils down to is that the guys at static.steadfast.net/leaseweb.com seem to be
using a not yet wholly codified DNS mechanism, one that's not fully satisfying clarity;
the way I see it DNAMEs are bad; others will debate that in favour of the few benefits
they provide.

Form your own opinion, read:
http://en.wikipedia.org/wiki/List_of_DNS_record_types
and
http://tools.ietf.org/html/rfc2672
http://tools.ietf.org/html/rfc4592#page-16



Cheers,
Tink

Last edited by Tinkster; 04-25-2011 at 06:42 PM.
 
1 members found this post helpful.
Old 04-25-2011, 07:17 PM   #3
cnmoore
Member
 
Registered: Sep 2010
Location: Sunnyvale, CA
Distribution: CentOS 5.5
Posts: 89

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Tinkster View Post
What it boils down to is that the guys at static.steadfast.net/leaseweb.com seem to be
using a not yet wholly codified DNS mechanism, one that's not fully satisfying clarity;
the way I see it DNAMEs are bad; others will debate that in favour of the few benefits
they provide.

Form your own opinion, read:
http://en.wikipedia.org/wiki/List_of_DNS_record_types
and
http://tools.ietf.org/html/rfc2672
http://tools.ietf.org/html/rfc4592#page-16



Cheers,
Tink
Thanks, Tink.
But my newbie question is: what was the site trying to do? Why is this under SSHD? Were they trying to log in via SSH? (which would have been rejected) And what is code "39"? Is there a place that lists the codes?
 
Old 04-25-2011, 10:26 PM   #4
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910
39 is explained in the first link I posted.

Why those people are trying to connect to your server I cannot answer. Is
there anything ELSE in sshd log that pertains to those IPs?

Or are you trying to ssh to them?
 
Old 04-25-2011, 11:00 PM   #5
cnmoore
Member
 
Registered: Sep 2010
Location: Sunnyvale, CA
Distribution: CentOS 5.5
Posts: 89

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Tinkster View Post
39 is explained in the first link I posted.
Aha! I see now. Those are DNS codes.

Quote:
Why those people are trying to connect to your server I cannot answer. Is
there anything ELSE in sshd log that pertains to those IPs?
Yes:
Code:
--------------------- SSHD Begin ------------------------

 Failed logins from:
   85.17.189.146 (hosted-by.leaseweb.com ): 2 times
      root/password: 2 times
   208.100.19.130 (ip130.208-100-19.vswitch.static.steadfast.net ): 2 times
      root/password: 2 times
So SSHD does a DNS lookup on every failed login? And gethostby() is the function it calls to do that?
(Extensive search for gethostby yielded a lot of hits but no enlightenment).
 
Old 04-26-2011, 01:02 AM   #6
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910Reputation: 910
Yup & yup ... unless DNS causes too much traffic, and you tell sshd not to by
disabling that feature by editing sshd_config, and setting UseDNS no.



Cheers,
Tink

Last edited by Tinkster; 04-26-2011 at 03:48 PM. Reason: grammar
 
1 members found this post helpful.
Old 04-26-2011, 02:01 AM   #7
cnmoore
Member
 
Registered: Sep 2010
Location: Sunnyvale, CA
Distribution: CentOS 5.5
Posts: 89

Original Poster
Rep: Reputation: 0
Thanks so much for your help to my understanding. I love this forum.
Cheers,
Coly
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
net working eth0 eth1 wlan0 "no connection" "no LAN" "no wi-fi" Cayitano Linux - Newbie 5 12-09-2007 08:11 PM
Standard commands give "-bash: open: command not found" even in "su -" and "su root" mibo12 Linux - General 4 11-11-2007 11:18 PM
"Xlib: extension "XFree86-DRI" missing on display ":0.0"." zaps Linux - Games 9 05-14-2007 04:07 PM
LXer: Displaying "MyComputer", "Trash", "Network Servers" Icons On A GNOME Desktop LXer Syndicated Linux News 0 04-02-2007 09:31 AM
LXer: Delaware Court is asked to Define "FRAND" LXer Syndicated Linux News 0 08-14-2006 05:21 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 07:07 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration