Matthew S. Hallacy(poptixat_private)@2001.09.07 15:38:27 +0000:
> Howdy,
>
> Recently while browsing through security logs I noticed that quite a few of the hosts
> connecting to the machine did not resolve, I've checked into it, and apparently ProFTPd does
> not check forward to reverse DNS mappings, and only resolves the IP address connecting. This
> could easily lead to an attacker hiding his real hostname from logfiles, or an attacker
> slipping through ACL's by modifying their hostname. For the time being I recommend that the
> option 'UseReverseDNS' be disabled in the configuration file until this is fixed.
>
> Unfortunately I was not able to contact anyone to discuss this, as www.proftpd.org has been
> down for the past 4-5 days that I've tried it, the version tested was 1.2.2rc2.

if you happen to run an inetd-capable ftp daemon, use tcpserver as a
frontend [http://cr.yp.to/ucspi-tcp.html] which allows you to do very
paranoid checking and also good logging (with multilog of the
daemontools package).

you might check the -p option to tcpserver, as well as the magic rules
for tcprules files (acl files) for it. together with the -p option to
tcpserver and the lines

    =:allow
    :deny

in your tcprules file, you drop not reverse resolvable addresses. do not
do this for anon ftp servers.

rule explanations at [http://cr.yp.to/ucspi-tcp/tcprules.html]

cheers,
/k

--
> Yes, it is inconvenient. Security and convenience are usually mutually
> exclusive concepts. --Erik Trulsson on freebsd-stable, Jun 2001
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catchat_private
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists. 10x
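
The forward-to-reverse check discussed in this thread, as an added example that is not part of either message and is not ProFTPd or ucspi-tcp code. The function names and the sample zone data (documentation address ranges, made-up host names) are constructed for illustration; a hostname is returned only when one of the PTR names resolves back to the connecting address.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR lookup via the system resolver; returns [] when no name exists."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [name, *aliases]

def system_forward(name):
    """A/AAAA lookup via the system resolver; returns [] on failure."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]

def paranoid_hostname(ip, ptr=system_ptr, forward=system_forward):
    """Return a hostname for ip only if one of its PTR names resolves back to ip.

    None means: log and match ACLs on the IP address, never on the PTR name.
    """
    peer = ipaddress.ip_address(ip)
    for name in ptr(ip):
        name = name.rstrip(".").lower()
        for addr in forward(name):
            try:
                if ipaddress.ip_address(addr.split("%")[0]) == peer:
                    return name
            except ValueError:
                continue  # resolver returned something that is not an address
    return None

# Constructed sample zone data (documentation address ranges, made-up names).
PTR = {"192.0.2.10": ["ftp-client.example.net."],
       "198.51.100.66": ["trusted.example.org."],   # PTR controlled by the peer
       "203.0.113.5": []}                           # no PTR record at all
A = {"ftp-client.example.net": ["192.0.2.10"],
     "trusted.example.org": ["192.0.2.77"]}         # real owner of that name

def demo(ip):
    return paranoid_hostname(ip, lambda i: PTR.get(i, []), lambda n: A.get(n, []))

if __name__ == "__main__":
    for ip in PTR:
        print(ip, "->", demo(ip) or "no verified name, use the IP")
```
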
This archive was generated by hypermail 2b30 : Tue Sep 11 2001 - 15:04:15 PDT