From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1

Description of problem:
I noticed recently that I had been getting  alot of connection attempts to my vsftpd service, which had been being logged to /var/log/secure. However, the rhost field was useless in identifying the offending IP...

Feb  4 22:19:07 myhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=info rhost=oa

The hostname "oa" obviously will not resolve to an IP as it isn't a FQDN. I found several other similar attempts to gain access to my server using similarly obscured reverse hostname lookups. I have changed my /etc/sysconfig/syslog file to  include "-x" in the SYSLOGD_OPTIONS field, however, it seems to me that either "-x" should be the default option here, or syslog should automatically recognize that a hostname such as "oa" isn't a valid FQDN, and shouldn't be used in the log. If not, people cannot properly respond to similar attacks unless they, after the fact, change their syslog options.

Version-Release number of selected component (if applicable):
sysklogd-1.4.1-41.fc6

How reproducible:
Always


Steps to Reproduce:
1. Give an IP an improperly formatted PTR record.
2. Attempt a connection from that IP
3. Attempt to determine that IP using only information from /var/log/secure

Actual Results:
The hostname is logged, but the logged hostname is useless in determining the IP of the offender.

Expected Results:
Either the IP should be logged by default, or syslog should recognize that the PTR lookup doesn't match with the A record lookup, and log the IP instead.

Additional info: