Bug 227357 - SYSLOGD_OPTIONS excludes "-x" by default.
Product: Fedora
Classification: Fedora
Component: sysklogd
Platform: i386 Linux
Priority: medium
Severity: low
Assigned To: Peter Vrabec
QA Contact: Brian Brock
Reported: 2007-02-05 11:23 EST by John Holmstadt
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2007-02-21 12:09:47 EST
Attachments: None

Description John Holmstadt 2007-02-05 11:23:43 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20061204 Firefox/

Description of problem:
I noticed recently that I had been getting a lot of connection attempts to my vsftpd service, which had been logged to /var/log/secure. However, the rhost field was useless in identifying the offending IP...

Feb  4 22:19:07 myhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=info rhost=oa

The hostname "oa" obviously will not resolve to an IP as it isn't a FQDN. I found several other similar attempts to gain access to my server using similarly obscured reverse hostname lookups. I have changed my /etc/sysconfig/syslog file to include "-x" in the SYSLOGD_OPTIONS field; however, it seems to me that either "-x" should be the default option here, or syslog should automatically recognize that a hostname such as "oa" isn't a valid FQDN and shouldn't be used in the log. If not, people cannot properly respond to similar attacks unless they, after the fact, change their syslog options.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Give an IP an improperly formatted PTR record.
2. Attempt a connection from that IP
3. Attempt to determine that IP using only information from /var/log/secure

Actual Results:
The hostname is logged, but the logged hostname is useless in determining the IP of the offender.

Expected Results:
Either the IP should be logged by default, or syslog should recognize that the PTR lookup doesn't match with the A record lookup, and log the IP instead.

Additional info:
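As an added example (not from the report or from sysklogd), this Python snippet parses pam_unix lines of the form shown above, flags rhost values that are hostnames rather than addresses, and shows the forward-confirmed reverse DNS check the reporter asks for; SAMPLE_LOG and the PTR/A tables are constructed stand-ins for real traffic and for a live resolver.

```python
import ipaddress
import re

# Constructed sample lines in the format the report shows (not real traffic).
SAMPLE_LOG = """\
Feb  4 22:19:07 myhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=info rhost=oa
Feb  4 22:19:09 myhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=198.51.100.7
Feb  4 22:19:11 myhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test rhost=host.example.net
"""

RHOST_RE = re.compile(r"\brhost=(\S*)")

# Hypothetical resolver tables standing in for DNS so the check runs offline.
# A PTR record an attacker controls can say anything ("oa"); only a PTR whose
# name resolves back to the same address is trustworthy.
PTR = {"198.51.100.7": "host.example.net", "203.0.113.9": "oa"}
A = {"host.example.net": "198.51.100.7", "oa": None}


def classify_rhost(value):
    """Return 'ip', 'fqdn', 'bare' or 'empty' for an rhost field value."""
    if not value:
        return "empty"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    # A bare label such as "oa" has no dot and cannot be a FQDN.
    return "fqdn" if "." in value else "bare"


def fcrdns_ok(ip, ptr=PTR, a=A):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to ip."""
    name = ptr.get(ip)
    return name is not None and a.get(name) == ip


def audit(log_text):
    """List (rhost, kind) for lines whose rhost is not a literal address."""
    findings = []
    for line in log_text.splitlines():
        m = RHOST_RE.search(line)
        if not m:
            continue
        kind = classify_rhost(m.group(1))
        if kind != "ip":
            findings.append((m.group(1), kind))
    return findings
```

Running audit() over a real /var/log/secure with syslogd started without "-x" shows how many entries carry a name instead of an address; with "-x" every rhost classifies as "ip" and fcrdns_ok() can be applied at analysis time instead.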
Comment 1 John Holmstadt 2007-02-21 12:09:47 EST
Never mind. My understanding of the switch was incorrect.
