wahlis <wahlis@gmail.com> wrote:
> Like everybody I have a million of those braindead brute force ssh
> attacks towards my machine, so normally I don't care about this type of
> error. But the log entry below caught my attention.
>
> Nov 21 18:53:31 server sshd[9798]: warning: /etc/hosts.allow, line 14:
> host name/name mismatch: unknown.Level3.net != www.Level3.com
> Nov 21 18:53:32 server sshd[9798]: Address 63.211.110.162 maps to
> unknown.level3.net, but this does not map back to the address -
> POSSIBLE BREAKIN ATTEMPT!
> Nov 21 18:53:32 server sshd[9798]: Failed password for root from
> 63.211.110.162 port 36670 ssh2
> Nov 21 18:53:32 server sshd[9799]: Failed password for root from
> 63.211.110.162 port 36670 ssh2
>
> On line 14 in hosts.allow there is the entry ALL: [my.private.server]
>
> Does the log entry say that it tried to reverse lookup to find a match
> against line 14 but broke down, or is this some new hack to bypass
> tcpwrappers?
You are seeing a reverse lookup failure. Dig suggests misconfigured
DNS records:

  162.110.211.63.in-addr.arpa.  1H  IN  PTR    unknown.Level3.net.
  unknown.Level3.net.           1H  IN  CNAME  www.Level3.com.
  www.Level3.com.               1H  IN  A      4.68.95.10

I have no idea what 63.211.110.162 is now, but it refuses connections
on port 80, so probably is not a web server. :)
--
John Wingate              Mathematics is the art which teaches
johnww@worldpath.net      one how not to make calculations.
                                            --Oscar Chisini
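The two sshd warnings above come from the forward-confirmed reverse DNS check that tcp_wrappers (libwrap) performs before matching a client against a hostname pattern in hosts.allow: it looks up the PTR for the client address, then resolves that name forward and requires (a) the canonical name to equal the PTR name and (b) the original address to appear among the forward addresses. The script below is an added illustration, not code from this thread or from tcp_wrappers; it runs the same two checks over a constructed record set that mirrors the dig output in the reply (the 192.0.2.10 / my.private.server pair is a hypothetical, correctly configured host added for contrast), so it works offline without touching live DNS.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check in the style of tcp_wrappers/sshd.

Added example. The record tables below are constructed from the dig output
quoted in the thread plus one hypothetical consistent host; they are not
live DNS answers.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed zone data (not live DNS). Names are keyed lowercase because
# DNS names are case-insensitive.
PTR = {
    "63.211.110.162": "unknown.Level3.net",   # from the thread's dig output
    "192.0.2.10": "my.private.server",        # hypothetical, consistent host
}
CNAME = {
    "unknown.level3.net": "www.Level3.com",   # PTR target is only a CNAME
}
A = {
    "www.level3.com": ["4.68.95.10"],         # forward address != client IP
    "my.private.server": ["192.0.2.10"],
}


def resolve_forward(name: str, max_chain: int = 8):
    """Follow CNAMEs the way a stub resolver does.

    Returns (canonical_name, addresses). This is what gethostbyname() hands
    back: h_name is the end of the CNAME chain, not the name you asked for.
    """
    current = name
    hops = 0
    while current.lower() in CNAME:
        current = CNAME[current.lower()]
        hops += 1
        if hops > max_chain:
            raise ValueError("CNAME chain too long")
    return current, list(A.get(current.lower(), []))


@dataclass
class Verdict:
    ptr_name: Optional[str]
    canonical: Optional[str]
    warnings: List[str] = field(default_factory=list)

    def paranoid(self) -> bool:
        """True when libwrap would replace the hostname with 'paranoid'."""
        return bool(self.warnings)


def check_client(ip: str) -> Verdict:
    """Reproduce the two checks behind the sshd log lines in the thread."""
    ptr = PTR.get(ip)
    if ptr is None:
        # No PTR at all: tcp_wrappers calls this host "unknown".
        return Verdict(None, None, [f"no PTR record for {ip}"])

    canonical, addrs = resolve_forward(ptr)

    # Check (a): the canonical forward name must match the PTR name.
    if canonical.lower() != ptr.lower():
        warnings = [f"host name/name mismatch: {ptr} != {canonical}"]
    else:
        warnings = []

    # Check (b): the forward lookup must contain the original address.
    if ip not in addrs:
        warnings.append(
            f"Address {ip} maps to {ptr}, but this does not map back "
            f"to the address - POSSIBLE BREAKIN ATTEMPT!"
        )
    return Verdict(ptr, canonical, warnings)


def hostname_for_access_control(ip: str) -> str:
    """Name that hostname patterns in hosts.allow are matched against.

    A paranoid client never matches a real hostname pattern, so an entry
    such as 'ALL: my.private.server' cannot be satisfied by spoofed PTRs.
    """
    verdict = check_client(ip)
    if verdict.ptr_name is None:
        return "unknown"
    if verdict.paranoid():
        return "paranoid"
    return verdict.canonical


if __name__ == "__main__":
    for client in ("63.211.110.162", "192.0.2.10", "198.51.100.1"):
        v = check_client(client)
        print(client, "->", hostname_for_access_control(client))
        for w in v.warnings:
            print("  warning:", w)
```

Run it and the Level3 address produces exactly the two warnings from the original log, because the PTR points at a CNAME whose canonical name differs and whose A record is a different address. The practical reading for the original question is the benign one: nothing bypassed tcp_wrappers, the client was simply treated as "paranoid" and could only have matched an ALL or address-based pattern, after which sshd's normal password authentication rejected it.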