From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:126.96.36.199) Gecko/20061204 Firefox/188.8.131.52
Description of problem:
I noticed recently that I had been getting alot of connection attempts to my vsftpd service, which had been being logged to /var/log/secure. However, the rhost field was useless in identifying the offending IP...
Feb 4 22:19:07 myhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=info rhost=oa
The hostname "oa" obviously will not resolve to an IP as it isn't a FQDN. I found several other similar attempts to gain access to my server using similarly obscured reverse hostname lookups. I have changed my /etc/sysconfig/syslog file to include "-x" in the SYSLOGD_OPTIONS field, however, it seems to me that either "-x" should be the default option here, or syslog should automatically recognize that a hostname such as "oa" isn't a valid FQDN, and shouldn't be used in the log. If not, people cannot properly respond to similar attacks unless they, after the fact, change their syslog options.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Give an IP an improperly formatted PTR record.
2. Attempt a connection from that IP
3. Attempt to determine that IP using only information from /var/log/secure
The hostname is logged, but the logged hostname is useless in determining the IP of the offender.
Either the IP should be logged by default, or syslog should recognize that the PTR lookup doesn't match with the A record lookup, and log the IP instead.
Nevermind. My understanding of the switch was incorrect.