RCODE (REFUSED)

Marcus N. Morgan marcus at ufl.edu
Wed Mar 1 13:50:03 UTC 2006


Most probably you are being explored to see if you have any open userids
that are accessible via ssh.  The refused message is from the attempt by 
the sshd or wrapper program to resolve the PTR record associated with the
incoming connection.

I suggest that you limit ssh access to those really needing it.  You can
do this easily with tcpwrappers, ipfilters, or via acl in the adjacent 
router.

-Marcus

On Wed, 1 Mar 2006, Harry Putnam wrote:
> 
> Running bind-9.3.2
> I'm seeing quite a few lines like this in logs:
> (wrapped for mail)
>
>  Feb 28 22:15:14 reader named[28465]: unexpected RCODE (REFUSED)
>   resolving '60.206.94.211.in-addr.arpa/PTR/IN': 211.94.193.129#53
>
> I might not have paid too much attention to that if it weren't for
> this little item right next to it:
>
>  Feb 28 22:15:18 reader sshd[3335]: Invalid user admin from
>    211.94.206.60
>
> This was a logsentry report, not the actual log so those lines
> appeared next to each other.
>
> Is the first a prelude in some way to an ssh hack of some kind?
>
>

Marcus N. Morgan
OIT/CNS/Network Services
marcus at ufl.edu
352 392 2061 suncomm 622 2061
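
The correlation discussed in this thread, as an added example that is not part of the original messages: it pairs each sshd "Invalid user" event with a failed reverse lookup for the same source address shortly before it. The log layout is assumed to match the two lines quoted above; the third sample line, the 30-second window and the year are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the two log lines quoted in the thread (unwrapped),
# plus one constructed, unrelated lookup failure for contrast.
SAMPLE_LOG = """\
Feb 28 22:15:14 reader named[28465]: unexpected RCODE (REFUSED) resolving '60.206.94.211.in-addr.arpa/PTR/IN': 211.94.193.129#53
Feb 28 22:15:18 reader sshd[3335]: Invalid user admin from 211.94.206.60
Feb 28 23:40:02 reader named[28465]: unexpected RCODE (REFUSED) resolving '7.2.0.192.in-addr.arpa/PTR/IN': 192.0.2.53#53
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
NAMED_RE = re.compile(TS + r" \S+ named\[\d+\]: unexpected RCODE \((?P<rcode>\w+)\) "
                      r"resolving '(?P<rev>[\d.]+)\.in-addr\.arpa/PTR/IN'")
SSHD_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)")

def ptr_to_ip(rev):
    """Reversed octets from the PTR name, e.g. '60.206.94.211' -> '211.94.206.60'."""
    return ".".join(reversed(rev.split(".")))

def parse_ts(ts, year=2006):
    # syslog timestamps carry no year; the year here is an assumption
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def correlate(log_text, window=timedelta(seconds=30)):
    """Return (ip, user, rcode, seconds_after_lookup) for each sshd invalid-user
    event whose source address had a failed PTR lookup within `window` before it."""
    lookups, hits = [], []
    for line in log_text.splitlines():
        m = NAMED_RE.match(line)
        if m:
            lookups.append((parse_ts(m["ts"]), ptr_to_ip(m["rev"]), m["rcode"]))
            continue
        m = SSHD_RE.match(line)
        if m:
            t = parse_ts(m["ts"])
            for lt, ip, rcode in lookups:
                if ip == m["ip"] and timedelta(0) <= t - lt <= window:
                    hits.append((ip, m["user"], rcode, int((t - lt).total_seconds())))
    return hits

if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOG):
        print(hit)
```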