On Fri, Sep 07, 2001 at 03:38:27PM -0600, Matthew S . Hallacy wrote: > Howdy, > > Recently while browsing through security logs I noticed that quite a few of the hosts > connecting to the machine did not resolve, I've checked into it, and apparently ProFTPd does > not check forward to reverse DNS mappings, and only resolves the IP address connecting. This > could easily lead to an attacker hiding his real hostname from logfiles, or an attacker > slipping through ACL's by modifying their hostname. For the time being I recommend that the > option 'UseReverseDNS' be disabled in the configuration file until this is fixed. Any network server should log the IP of all incoming connections. Also resolving the reverse name for that IP can be informative, but is never as relevant as the IP. Even if you do check forward and reverse mappings, DNS is easier to spoof then a real TCP session. Also, an attacker might arrange for a reverse and forward mapping with a very low TTL, and after the attack make sure those point somewhere else. The mantra is simple: log IPs. Always. Greetz, Peter -- Monopoly http://www.dataloss.nl/monopoly.html
This archive was generated by hypermail 2b30 : Sat Sep 08 2001 - 12:43:09 PDT