From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1

Description of problem:
I noticed recently that I had been getting a lot of connection attempts to my vsftpd service, which had been logged to /var/log/secure. However, the rhost field was useless in identifying the offending IP...

Feb 4 22:19:07 myhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=info rhost=oa

The hostname "oa" obviously will not resolve to an IP as it isn't a FQDN. I found several other similar attempts to gain access to my server using similarly obscured reverse hostname lookups.

I have changed my /etc/sysconfig/syslog file to include "-x" in the SYSLOGD_OPTIONS field; however, it seems to me that either "-x" should be the default option here, or syslog should automatically recognize that a hostname such as "oa" isn't a valid FQDN and shouldn't be used in the log. If not, people cannot properly respond to similar attacks unless they, after the fact, change their syslog options.

Version-Release number of selected component (if applicable):
sysklogd-1.4.1-41.fc6

How reproducible:
Always

Steps to Reproduce:
1. Give an IP an improperly formatted PTR record.
2. Attempt a connection from that IP.
3. Attempt to determine that IP using only information from /var/log/secure.

Actual Results:
The hostname is logged, but the logged hostname is useless in determining the IP of the offender.

Expected Results:
Either the IP should be logged by default, or syslog should recognize that the PTR lookup doesn't match the A record lookup, and log the IP instead.

Additional info:
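The two checks the report asks for, as an added example that is not part of the bug or of sysklogd: a parser for the pam_unix "authentication failure" line quoted above that flags an rhost which is neither an IP literal nor a FQDN, and a forward-confirmed reverse DNS (FCrDNS) rule that logs the PTR name only when it resolves back to the connecting IP and otherwise logs the IP. The resolver table and addresses are constructed for the example; real use would swap in socket/DNS lookups.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional

# Matches the pam_unix "authentication failure" line from the report and
# exposes its trailing key=value pairs (logname, uid, tty, ruser, rhost, ...).
PAM_FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<svc>[^:]+): "
    r"pam_unix\((?P<pam>[^)]+)\): authentication failure; (?P<kv>.*)$"
)


def parse_pam_failure(line: str) -> Optional[Dict[str, str]]:
    """Return the line's fields as a dict, or None if it is not a pam_unix failure."""
    m = PAM_FAILURE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    for pair in fields.pop("kv").split():
        key, _, value = pair.partition("=")   # "logname=" yields an empty value
        fields[key] = value
    return fields


def is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def rhost_is_actionable(rhost: str) -> bool:
    """Usable for response only if it is an IP literal or at least looks like a
    FQDN (contains a dot). A bare label such as 'oa' cannot be traced back."""
    return is_ip(rhost) or "." in rhost.strip(".")


def choose_rhost(ip: str, ptr: Callable[[str], List[str]],
                 fwd: Callable[[str], List[str]]) -> str:
    """FCrDNS: log the PTR name only when it is dotted and its forward lookup
    contains the connecting IP; otherwise fall back to the IP literal."""
    for name in ptr(ip):
        name = name.rstrip(".")
        if "." in name and ip in fwd(name):
            return name
    return ip


# Constructed resolver table (hypothetical): one host whose PTR is a bare label
# that does not resolve back, one whose PTR and A records are consistent.
FAKE_PTR = {"192.0.2.10": ["oa"], "198.51.100.7": ["mail.example.net."]}
FAKE_A = {"mail.example.net": ["198.51.100.7"]}
fake_ptr = lambda ip: FAKE_PTR.get(ip, [])
fake_fwd = lambda name: FAKE_A.get(name, [])
```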
Never mind. My understanding of the switch was incorrect.