Date: Mon, 23 Jul 2001 01:25:17 +0100
From: Brian Somers <brian@Awfulhak.org>
To: "Jeroen Massar" <jeroen@unfix.org>
Cc: "'Matt Dillon'" <dillon@earth.backplane.com>, "'Hajimu UMEMOTO'" <ume@mahoroba.org>, aschneid@mail.slc.edu, brian@Awfulhak.org, ras@e-gerbil.net, roam@orbitel.bg, freebsd-security@FreeBSD.ORG, freebsd-gnats-submit@FreeBSD.ORG, brian@Awfulhak.org
Subject: Re: bin/22595: telnetd tricked into using arbitrary peer ip
Message-ID: <200107230025.f6N0PHg12049@hak.lan.Awfulhak.org>
In-Reply-To: Message from "Jeroen Massar" <jeroen@unfix.org> of "Mon, 23 Jul 2001 01:58:33 +0200." <000701c1130a$393e27e0$420d640a@HELL>
> Even then.... IMHO one should log both hostname _AND_ IP...
I don't think that's necessary.
> Following situation:
>
> 23 June 2001 - I log into a machine from 10.1.2.3 which maps to
> bla.example.com which points to 10.1.2.3 thus bla.example.com is
> logged...
> 24 June 2001 - The bla.example.com A is changed to 192.168.2.1,
> 192.168.2.1 gets pointed back to bla.example.com...
>
> Now I actually did very evil things with that box on the 23rd.... So the
> admin of the box wants to hunt me down and checks his/her/its logs:
> Ooe..... that evil user came from 'bla.example.com' let's find out
> his/her/its IP....aha 192.168.2.1 <-------- OOOPS... Not even the same
> provider I actually came from to do all those very evil things...
>
> So long for your 'nice' logging facility... (and thanks for all the
> fish... :) I know... It's been there for a long time and over many many
> unices but that doesn't say it's still acceptable...
The owner of what's logged will know the answer -- in this case,
talking to the admins of bla.example.com will result in them saying
``ah, that box had its IP number changed''. I think the way this is
done is as appropriate as it ever was.
> Only storing the IP is useless too of course.. Because then you never
> know what the old hostname (for which you actually accepted) was...
> Especially if you got /etc/hosts.allow with the old reverse in it, but
> not the new one etc...
Your tcp-wrapper rules are subject to the same DNS confusion as the
utmp file is, but I don't think there's anything wrong with that. If
you don't trust the admin of example.com, then block the whole domain
:) But that's another argument^Wdiscussion....
> Greets,
> Jeroen
--
Brian <brian@freebsd-services.com> <brian@Awfulhak.org>
http://www.freebsd-services.com/ <brian@[uk.]FreeBSD.org>
Don't _EVER_ lose your sense of humour ! <brian@[uk.]OpenBSD.org>
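An added example, not code from either poster or from telnetd: it builds a login audit string that always keeps the peer IP and attaches the reverse name only when a forward lookup confirms it, replaying the 23/24 June scenario above against a constructed in-memory resolver (FakeResolver, DAY23, DAY24 and SPOOFED are hypothetical stand-ins for DNS so it runs offline).

```python
# Login audit line with forward-confirmed reverse DNS (FCrDNS).
# FakeResolver is a constructed stand-in for DNS; names and addresses
# are the ones quoted in the thread plus documentation-range IPs.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class FakeResolver:
    """Hypothetical in-memory DNS: PTR (ip -> name) and A (name -> ips)."""
    ptr: Dict[str, str] = field(default_factory=dict)
    a: Dict[str, List[str]] = field(default_factory=dict)

    def reverse(self, ip: str) -> Optional[str]:
        return self.ptr.get(ip)

    def forward(self, host: str) -> List[str]:
        return self.a.get(host, [])


def login_record(ip: str, resolver: FakeResolver) -> str:
    """Always keep the peer IP; attach the reverse name only when a
    forward lookup of that name maps back to the IP, else mark it."""
    host = resolver.reverse(ip)
    if host is None:
        return f"{ip} (no PTR)"
    if ip in resolver.forward(host):
        return f"{ip} ({host})"
    return f"{ip} (unverified PTR {host})"


def hostname_only_lookup(host: str, resolver: FakeResolver) -> List[str]:
    """What an admin gets by re-resolving a name-only log entry later."""
    return resolver.forward(host)


# 23 June: 10.1.2.3 <-> bla.example.com (constructed from the thread)
DAY23 = FakeResolver(ptr={"10.1.2.3": "bla.example.com"},
                     a={"bla.example.com": ["10.1.2.3"]})
# 24 June: both records moved to 192.168.2.1
DAY24 = FakeResolver(ptr={"192.168.2.1": "bla.example.com"},
                     a={"bla.example.com": ["192.168.2.1"]})
# A peer whose PTR claims bla.example.com while the A record disagrees
SPOOFED = FakeResolver(ptr={"203.0.113.9": "bla.example.com"},
                       a={"bla.example.com": ["10.1.2.3"]})

if __name__ == "__main__":
    print(login_record("10.1.2.3", DAY23))
    print(hostname_only_lookup("bla.example.com", DAY24))
    print(login_record("203.0.113.9", SPOOFED))
```

With only the name logged on the 23rd, re-resolving it on the 24th yields 192.168.2.1; the IP-plus-verified-name record keeps 10.1.2.3.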
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200107230025.f6N0PHg12049>
