UnixServerAdmin

Server Administration & Management

How to Prevent hostname lookups with OpenSSH

When a client connects to an OpenSSH sshd server, the daemon by default performs a reverse DNS lookup on the client's IP address and then checks that the name it gets back resolves to that same address.
If the DNS configuration on the server is broken, or the DNS server it points at is slow or unreachable, that lookup has to time out before the login can proceed, which typically adds a delay of around 30 seconds (the resolver timeout) to every ssh login. Switching the lookup off removes the delay, but it is a trade-off: sshd then no longer verifies the client's hostname against its IP address, so anything that matches on hostnames rather than addresses (from="host.example.com" patterns in authorized_keys, Match Host blocks in sshd_config, host-based authentication) will only ever see the IP address, and log entries will show addresses instead of names. Password and public-key authentication are not affected. The switch itself is a single line in the sshd_config file.

On most Linux distributions the file is /etc/ssh/sshd_config; add the following line, or change the existing one (it may be present but commented out):

UseDNS no

This is the option name in any reasonably current version of sshd. Versions that predate the UseDNS option used VerifyReverseMapping instead, and the equivalent setting there is:

VerifyReverseMapping no

After making the change, run sshd -t first: it parses the configuration and exits non-zero on a syntax error, which is a much better place to find a typo than a restart that leaves the daemon down on a remote box. Then reload or restart the SSH daemon. Existing sessions survive a restart, but keep one open anyway until you have confirmed that a fresh login works. On a SysV-style system:

# /etc/init.d/sshd restart

On systemd-based systems use systemctl restart sshd (the unit is called ssh on Debian and Ubuntu).

UseDNS – Specifies whether sshd should look up the remote host name and check that the resolved host name
for the remote IP address maps back to the very same IP address. The default was “yes” when this was written; since OpenSSH 6.8 the default is “no”, so on a current system the lookup is already off unless the distribution or a previous administrator turned it on. The effective value, defaults included, can be checked with sshd -T | grep -i usedns.
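The whole procedure as a script, added here as an example rather than taken from the original post: it sets a directive in an sshd_config file (replacing an existing line, including a commented-out one, and appending if there is none), reads the value back, and only reloads the daemon once sshd -t has accepted the file. The helper names set_sshd_option, get_sshd_option and apply_sshd_change are this example's own, and the systemd unit names sshd and ssh are assumed.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumes POSIX sh, awk and mktemp; sshd must be in PATH for apply_sshd_change.
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrite every "KEY ..." line (commented out or not) as a single "KEY VALUE"
# line in place, appending the directive if the file had none. Keyword
# matching is case-insensitive, as sshd's own parser is.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0 }
        {
            line = $0
            # strip leading whitespace and an optional comment marker
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)
            split(line, f, /[[:space:]=]+/)
            if (tolower(f[1]) == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next            # drop any further copies of the keyword
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"        # cat, not mv, so the file keeps its owner and mode
    rm -f "$tmp"
}

# get_sshd_option FILE KEY: print the value of the first uncommented KEY line
get_sshd_option() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# apply_sshd_change FILE: validate the edited file, then reload sshd only if it parses.
apply_sshd_change() {
    file=$1
    # sshd -t exits non-zero on a syntax error; never restart on a broken config
    if ! sshd -t -f "$file"; then
        echo "sshd_config failed validation; not reloading" >&2
        return 1
    fi
    if command -v systemctl >/dev/null 2>&1; then
        systemctl reload sshd 2>/dev/null || systemctl reload ssh   # unit name varies by distro
    else
        /etc/init.d/sshd restart
    fi
}

# Typical use on a live system (commented out so the file can be sourced for testing):
# set_sshd_option /etc/ssh/sshd_config UseDNS no
# get_sshd_option /etc/ssh/sshd_config UseDNS
# apply_sshd_change /etc/ssh/sshd_config
```

The edit treats the file as flat, which is fine for UseDNS: it is not a keyword that may appear inside a Match block, so collapsing every occurrence into the first is the behaviour you want. Point set_sshd_option at a copy of the file first if you want to inspect the result before touching the live configuration.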


February 19, 2011 - Posted by | Security, SSH | , ,

1 Comment »

  1. Many thanks for unveiling these details. I believe that it is extremely beneficial and will share it to friends, too. If you keep on writing concerning this subject I definitely will keep on reading your upcoming articles.

    Comment by great water filters | June 16, 2011 | Reply

