Date: Mon, 23 Jul 2001 01:25:17 +0100
From: Brian Somers <brian@Awfulhak.org>
To: "Jeroen Massar" <jeroen@unfix.org>
Cc: "'Matt Dillon'" <dillon@earth.backplane.com>, "'Hajimu UMEMOTO'" <ume@mahoroba.org>, aschneid@mail.slc.edu, brian@Awfulhak.org, ras@e-gerbil.net, roam@orbitel.bg, freebsd-security@FreeBSD.ORG, freebsd-gnats-submit@FreeBSD.ORG, brian@Awfulhak.org
Subject: Re: bin/22595: telnetd tricked into using arbitrary peer ip
Message-ID: <200107230025.f6N0PHg12049@hak.lan.Awfulhak.org>
In-Reply-To: Message from "Jeroen Massar" <jeroen@unfix.org> of "Mon, 23 Jul 2001 01:58:33 +0200." <000701c1130a$393e27e0$420d640a@HELL>
> Even then.... IMHO one should log both hostname _AND_ IP...

I don't think that's necessary.

> Following situation:
>
> 23 June 2001 - I log into a machine from 10.1.2.3 which maps to
> bla.example.com which points to 10.1.2.3 thus bla.example.com is
> logged...
> 24 June 2001 - The bla.example.com A is changed to 192.168.2.1,
> 192.168.2.1 gets pointed back to bla.example.com...
>
> Now I actually did very evil things with that box on the 23rd.... So the
> admin of the box wants to hunt me down and checks his/her/its logs:
> Ooe..... that evil user came from 'bla.example.com' let's find out
> his/her/its IP....aha 192.168.2.1 <-------- OOOPS... Not even the same
> provider I actually came from to do all those very evil things...
>
> So long for your 'nice' logging facility... (and thanks for all the
> fish... :) I know... It's been there for a long time and over many many
> unices but that doesn't say it's still acceptable...

The owner of what's logged will know the answer -- in this case, talking
to the admins of bla.example.com will result in them saying ``ah, that
box had its IP number changed''. I think the way this is done is as
appropriate as it ever was.

> Only storing the IP is useless too of course.. Because then you never
> know what the old hostname (for which you actually accepted) was...
> Especially if you got /etc/hosts.allow with the old reverse in it, but
> not the new one etc...

Your tcp-wrapper rules are subject to the same DNS confusion as the utmp
file is, but I don't think there's anything wrong with that. If you
don't trust the admin of example.com, then block the whole domain :)
But that's another argument^Wdiscussion....

> Greets,
> Jeroen

-- 
Brian <brian@freebsd-services.com> <brian@Awfulhak.org>
http://www.freebsd-services.com/ <brian@[uk.]FreeBSD.org>
Don't _EVER_ lose your sense of humour ! <brian@[uk.]OpenBSD.org>
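The two scenarios argued over in this thread, as an added example that is not part of the original message or of FreeBSD's telnetd: a forward-confirmed reverse lookup (PTR name accepted only if its A record points back at the peer IP), a log line that keeps the IP next to the hostname, and an investigator's lookup run against a DNS snapshot from the next day. The resolver is an offline, constructed snapshot standing in for socket.gethostbyaddr/gethostbyname; the host names, IPs and user name are the ones from the thread plus one constructed mismatch.

```python
"""Forward-confirmed reverse DNS and hostname+IP logging (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Resolver:
    """Two lookups: ptr(ip) -> names, a(name) -> ips (injected so it runs offline)."""
    ptr: Callable[[str], List[str]]
    a: Callable[[str], List[str]]


def snapshot(ptr: Dict[str, List[str]], a: Dict[str, List[str]]) -> Resolver:
    """Constructed DNS state for one day; a real daemon would call the libc resolver."""
    return Resolver(lambda ip: ptr.get(ip, []), lambda name: a.get(name, []))


def confirmed_hostname(ip: str, r: Resolver) -> Optional[str]:
    """Accept a PTR name only if its forward record maps back to ip; else None."""
    for name in r.ptr(ip):
        if ip in r.a(name):
            return name
    return None  # reverse name not confirmed: do not trust it for logging or ACLs


def log_entry(user: str, ip: str, r: Resolver) -> str:
    """utmp-style line that records the verified name AND the peer IP."""
    name = confirmed_hostname(ip, r) or "UNKNOWN"
    return f"{user} {name} [{ip}]"


def attribute(entry: str, today: Resolver) -> str:
    """Investigator's step: which IP did this login come from, using today's DNS?"""
    m = re.search(r"\[([^\]]+)\]$", entry)
    if m:
        return m.group(1)  # IP was logged; no DNS needed
    host = entry.split()[1]  # hostname-only log: must trust today's A record
    ips = today.a(host)
    return ips[0] if ips else "unresolvable"


# 23 June 2001: bla.example.com <-> 10.1.2.3 (from the thread)
DAY1 = snapshot({"10.1.2.3": ["bla.example.com"]}, {"bla.example.com": ["10.1.2.3"]})
# 24 June 2001: both records moved to 192.168.2.1 (from the thread)
DAY2 = snapshot({"192.168.2.1": ["bla.example.com"]}, {"bla.example.com": ["192.168.2.1"]})
# Constructed: a PTR that claims a name whose A record points elsewhere
SPOOF = snapshot({"10.9.9.9": ["trusted.example.com"]}, {"trusted.example.com": ["10.1.2.3"]})
```

Running `attribute("jeroen bla.example.com", DAY2)` reproduces the wrong answer from the thread (192.168.2.1), while the entry written by `log_entry` still attributes the login to 10.1.2.3 a day later.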