Tuesday, July 6, 2010

stop sshd from doing reverse lookups

When you've a DMZ, there's nothing more painful than your hosts trying to do a reverse lookup for a system of which they've no knowledge.  So, halting sshd from doing reverse DNS lookups will speed things along.

In the /etc/ssh/sshd_config file, the default is yes; if this line is not present in the config file, add it:
UseDNS no

By default, this directive tells the sshd process to resolve the connecting client's IP address to a host name and then check whether that host name maps back to the very same IP address.  "no" tells it to skip that check.

Older sshd daemons use:
VerifyReverseMapping no


However, UseDNS no does not prevent the sshd server from performing any DNS lookups at all; that is not the purpose of that directive.  In order to remove DNS lookups completely, you also have to use the -u0 option when starting the sshd server. So...

On RHEL, in /etc/sysconfig/sshd add:
OPTIONS="-u0"

On SLES boxes, in /etc/sysconfig/ssh add:
SSHD_OPTS="-u0"


On Ubuntu boxes, in /etc/default/ssh add:
SSHD_OPTS="-u0"


This option has the sshd daemon leave hostnames out of the utmp structure (what you see when you type "who" at the shell prompt), which means that sshd will not perform DNS lookups for that purpose. However (there's always a however), there are still cases where a lookup has to be performed, such as when a user has "from=" and similar entries in the authorized_keys file, or when authentication methods or configuration directives are used that involve hostnames.  Keeping that in mind...
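As an added example (my own script, not part of the original post), here is a small POSIX shell audit of the two settings described above: the effective UseDNS value in an sshd_config file, and whether the distribution's sshd options variable (OPTIONS on RHEL, SSHD_OPTS on SLES and Ubuntu) carries -u0. It takes file paths as arguments rather than touching /etc, and the sample files it creates at the end are constructed for the demo; the "yes" fallback is the default the post describes.

```shell
#!/bin/sh
# Added example, not code from the original post: audit the UseDNS directive
# and the -u0 sshd option. Paths are passed in so nothing under /etc is read
# unless you ask for it.

# Print the effective UseDNS value from an sshd_config file.
# sshd uses the FIRST occurrence of a keyword and ignores later duplicates,
# and keywords are case-insensitive, so take the first uncommented UseDNS
# line and fall back to the default ("yes" in the OpenSSH of the post).
effective_usedns() {
    _cfg="$1"
    _default="${2:-yes}"
    _val=$(awk '
        { sub(/#.*/, "") }                               # drop comments; $0 re-splits
        NF >= 2 && tolower($1) == "usedns" { print tolower($2); exit }
    ' "$_cfg")
    printf '%s\n' "${_val:-$_default}"
}

# Return 0 if the named variable in a sysconfig-style file (OPTIONS on RHEL,
# SSHD_OPTS on SLES/Ubuntu) contains the -u0 token, else 1.
opts_have_u0() {
    _file="$1"
    _var="$2"
    # the file is sourced by the init script, so the last assignment wins
    _line=$(grep "^[[:space:]]*${_var}=" "$_file" | tail -n 1)
    [ -n "$_line" ] || return 1
    _value=${_line#*=}
    _value=$(printf '%s' "$_value" | tr -d "\"'")      # strip surrounding quotes
    for _tok in $_value; do
        [ "$_tok" = "-u0" ] && return 0
    done
    return 1
}

# Constructed sample files (not real host configs) to exercise the checks.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config" <<'EOF'
# constructed sample: the first UseDNS wins, the later duplicate is ignored
Port 22
UseDNS no
UseDNS yes
EOF
printf 'OPTIONS="-u0"\n' > "$demo_dir/sysconfig_sshd"
printf 'SSHD_OPTS="-e -u10"\n' > "$demo_dir/default_ssh"

echo "effective UseDNS: $(effective_usedns "$demo_dir/sshd_config")"
if opts_have_u0 "$demo_dir/sysconfig_sshd" OPTIONS; then
    echo "RHEL OPTIONS: -u0 present"
fi
if ! opts_have_u0 "$demo_dir/default_ssh" SSHD_OPTS; then
    echo "Ubuntu SSHD_OPTS: -u0 missing (-u10 still allows hostnames)"
fi
rm -rf "$demo_dir"
```

On a live host the authoritative answer is what the daemon itself reports, so compare the script's result with `sshd -T | grep -i usedns`, which prints the effective configuration after parsing. Note also that OpenSSH 6.8 and later default UseDNS to no, so on newer systems the fallback should be passed as "no" (the second argument) to match the real default.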
