Bug 227357

Summary: SYSLOGD_OPTIONS excludes "-x" by default.
Product: [Fedora] Fedora
Reporter: John Holmstadt <rhbz001>
Component: sysklogd
Assignee: Peter Vrabec <pvrabec>
Status: CLOSED NOTABUG
QA Contact: Brian Brock <bbrock>
Severity: low
Priority: medium
Version: 6
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-02-21 17:09:47 UTC

Description John Holmstadt 2007-02-05 16:23:43 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1

Description of problem:
I noticed recently that I had been getting a lot of connection attempts to my vsftpd service, which were being logged to /var/log/secure. However, the rhost field was useless in identifying the offending IP...

Feb  4 22:19:07 myhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=info rhost=oa

The hostname "oa" obviously will not resolve to an IP as it isn't a FQDN. I found several other similar attempts to gain access to my server using similarly obscured reverse hostname lookups. I have changed my /etc/sysconfig/syslog file to include "-x" in the SYSLOGD_OPTIONS field; however, it seems to me that either "-x" should be the default option here, or syslog should automatically recognize that a hostname such as "oa" isn't a valid FQDN, and shouldn't be used in the log. If not, people cannot properly respond to similar attacks unless they, after the fact, change their syslog options.

Version-Release number of selected component (if applicable):
sysklogd-1.4.1-41.fc6

How reproducible:
Always
Steps to Reproduce:
1. Give an IP an improperly formatted PTR record.
2. Attempt a connection from that IP
3. Attempt to determine that IP using only information from /var/log/secure

Actual Results:
The hostname is logged, but the logged hostname is useless in determining the IP of the offender.

Expected Results:
Either the IP should be logged by default, or syslog should recognize that the PTR lookup doesn't match with the A record lookup, and log the IP instead.

Additional info:
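The rhost in a pam_unix line is set by the calling service through PAM, not by syslogd, and sysklogd's -x only disables name lookups for messages received from remote hosts, so the check the report asks for (is the logged name an address or a real FQDN, and does it resolve back to the peer?) has to be done by whoever consumes /var/log/secure. Below is an added example, not part of the report or of sysklogd: a Python parser for the quoted line format that flags rhost values that are neither an IP nor a fully qualified name, plus a forward-confirmed reverse DNS check that takes an injected resolver so it runs offline. The sample log lines are constructed (the first is the one from the report).

```python
import ipaddress
import re
from typing import Callable, Iterable, Optional
# Shape of the pam_unix line quoted in the report: timestamp, host, service, fields.
PAM_AUTH_FAIL = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) (?P<svc>[^\s:]+): "
    r"pam_unix\([^)]*\): authentication failure;(?P<fields>.*)$"
)
FIELD = re.compile(r"(\w+)=(\S*)")
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"  # RFC 1123 label
FQDN = re.compile(rf"^(?:{LABEL}\.)+{LABEL}\.?$")  # at least two labels

def classify_rhost(rhost: str) -> str:
    """'ip', 'fqdn', 'suspect' (a bare label such as "oa") or 'empty'."""
    if not rhost:
        return "empty"
    try:
        ipaddress.ip_address(rhost)
        return "ip"
    except ValueError:
        return "fqdn" if FQDN.match(rhost) else "suspect"

def parse_auth_failure(line: str) -> Optional[dict]:
    """Return {'svc', 'rhost', 'kind'} for a pam_unix failure line, else None."""
    m = PAM_AUTH_FAIL.match(line)
    if not m:
        return None
    rhost = dict(FIELD.findall(m.group("fields"))).get("rhost", "")
    return {"svc": m.group("svc"), "rhost": rhost, "kind": classify_rhost(rhost)}

def forward_confirmed(rhost: str, observed_ip: str,
                      resolve: Callable[[str], Iterable[str]]) -> bool:
    """FCrDNS: the name from the peer's PTR must resolve back to the peer's IP."""
    try:
        return observed_ip in set(resolve(rhost))
    except Exception:  # NXDOMAIN, timeouts and the like count as unconfirmed
        return False

def suspect_entries(lines: Iterable[str]) -> list:
    """Entries whose rhost is neither an address nor a plausible FQDN."""
    return [e for e in map(parse_auth_failure, lines) if e and e["kind"] == "suspect"]

# Constructed sample: the line from the report plus two well-formed ones for contrast.
SAMPLE_LOG = [
    "Feb  4 22:19:07 myhost vsftpd: pam_unix(vsftpd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ftp ruser=info rhost=oa",
    "Feb  4 22:20:11 myhost sshd[2210]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=root",
    "Feb  4 22:21:30 myhost vsftpd: pam_unix(vsftpd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=ftp.example.net",
]
```

Running `suspect_entries(SAMPLE_LOG)` returns only the "oa" entry; a real deployment would pass a resolver backed by `socket.getaddrinfo` to `forward_confirmed` and alert when the logged name does not resolve back to the connecting address.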

Comment 1 John Holmstadt 2007-02-21 17:09:47 UTC
Never mind. My understanding of the switch was incorrect.