Bug 227357 - SYSLOGD_OPTIONS excludes "-x" by default.
Summary: SYSLOGD_OPTIONS excludes "-x" by default.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: sysklogd
Version: 6
Hardware: i386
OS: Linux
Priority: medium
Severity: low
Target Milestone: ---
Assignee: Peter Vrabec
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-02-05 16:23 UTC by John Holmstadt
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2007-02-21 17:09:47 UTC
Type: ---
Embargoed:



Description John Holmstadt 2007-02-05 16:23:43 UTC

Description of problem:
I noticed recently that I had been getting a lot of connection attempts to my vsftpd service, which had been logged to /var/log/secure. However, the rhost field was useless in identifying the offending IP...

Feb  4 22:19:07 myhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=info rhost=oa

The hostname "oa" obviously will not resolve to an IP as it isn't a FQDN. I found several other similar attempts to gain access to my server using similarly obscured reverse hostname lookups. I have changed my /etc/sysconfig/syslog file to include "-x" in the SYSLOGD_OPTIONS field; however, it seems to me that either "-x" should be the default option here, or syslog should automatically recognize that a hostname such as "oa" isn't a valid FQDN and shouldn't be used in the log. If not, people cannot properly respond to similar attacks unless they, after the fact, change their syslog options.

Version-Release number of selected component (if applicable):
sysklogd-1.4.1-41.fc6

How reproducible:
Always


Steps to Reproduce:
1. Give an IP an improperly formatted PTR record.
2. Attempt a connection from that IP
3. Attempt to determine that IP using only information from /var/log/secure

Actual Results:
The hostname is logged, but the logged hostname is useless in determining the IP of the offender.

Expected Results:
Either the IP should be logged by default, or syslog should recognize that the PTR lookup doesn't match with the A record lookup, and log the IP instead.

Additional info:

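Detection logic for the situation described in the report, added here as an example (it is not code from the bug report, from sysklogd or from vsftpd): it parses pam_unix "authentication failure" lines like the one above and flags every rhost value that is neither an IP literal nor a multi-label hostname, so attempts whose reverse name came back as something like "oa" can still be found and counted. The sample log lines and the classification rule are constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample /var/log/secure lines, modelled on the entry quoted in the report.
SAMPLE_SECURE_LOG = """\
Feb  4 22:19:07 myhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=info rhost=oa
Feb  4 22:19:09 myhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=oa
Feb  4 22:20:01 myhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test rhost=203.0.113.7
Feb  4 22:21:15 myhost sshd[2112]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host.example.net  user=root
Feb  4 22:22:30 myhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=bob rhost=
"""

# Matches the pam_unix failure line: timestamp, host, service[pid], then the rhost= field.
PAM_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<svc>[\w.-]+)(?:\[\d+\])?: "
    r"pam_unix\((?P<pam_svc>[^:]+):auth\): authentication failure;.*?\brhost=(?P<rhost>\S*)"
)

# One DNS label: 1-63 chars of letters, digits and hyphens, not starting or ending with "-".
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def classify_rhost(rhost):
    """Return 'empty', 'ip', 'fqdn' or 'bare' for the rhost string PAM logged."""
    if not rhost:
        return "empty"
    try:
        ipaddress.ip_address(rhost)          # IPv4 or IPv6 literal
        return "ip"
    except ValueError:
        pass
    labels = rhost.rstrip(".").split(".")
    if len(labels) >= 2 and all(LABEL_RE.match(lbl) for lbl in labels):
        return "fqdn"                        # multi-label name (may still be attacker-controlled PTR)
    return "bare"                            # single label such as "oa": cannot be traced to an address

def parse_failures(text):
    """Extract (timestamp, PAM service, rhost, classification) for every matching line."""
    events = []
    for line in text.splitlines():
        m = PAM_FAIL_RE.search(line)
        if m:
            rhost = m.group("rhost")
            events.append({"ts": m.group("ts"), "service": m.group("pam_svc"),
                           "rhost": rhost, "kind": classify_rhost(rhost)})
    return events

def untraceable_sources(text):
    """Count failures whose rhost is bare or empty, keyed by (service, rhost)."""
    counts = Counter()
    for e in parse_failures(text):
        if e["kind"] in ("bare", "empty"):
            counts[(e["service"], e["rhost"])] += 1
    return counts

if __name__ == "__main__":
    for (svc, rhost), n in untraceable_sources(SAMPLE_SECURE_LOG).items():
        print(f"{svc}: {n} failure(s) from untraceable rhost={rhost!r}")
```

The rhost string is whatever the service handed to PAM; syslogd only records it, so a filter like this is applied after the fact to the log rather than changing what gets written.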
Comment 1 John Holmstadt 2007-02-21 17:09:47 UTC
Never mind. My understanding of the switch was incorrect.

