Date:      Mon, 23 Jul 2001 03:15:59 +0200
From:      "Jeroen Massar" <jeroen@unfix.org>
To:        "'Brian Somers'" <brian@Awfulhak.org>
Cc:        "'Matt Dillon'" <dillon@earth.backplane.com>, "'Hajimu UMEMOTO'" <ume@mahoroba.org>, <aschneid@mail.slc.edu>, <ras@e-gerbil.net>, <roam@orbitel.bg>, <freebsd-security@FreeBSD.ORG>, <freebsd-gnats-submit@FreeBSD.ORG>
Subject:   RE: bin/22595: telnetd tricked into using arbitrary peer ip 
Message-ID:  <000f01c11315$094851e0$420d640a@HELL>
In-Reply-To: <200107230025.f6N0PHg12049@hak.lan.Awfulhak.org>

Behalf Of Brian Somers <brian@awfulhak.org> wrote:
> 
> > Even then.... IMHO one should log both hostname _AND_ IP...

That's why I put the IMHO in there ;)

> 
> I don't think that's necessary.
> 
> > Following situation:
> > 
> > 23 June 2001 - I log into a machine from 10.1.2.3 which maps to
> > bla.example.com which points to 10.1.2.3 thus bla.example.com is
> > logged...
> > 24 June 2001 - The bla.example.com A is changed to 192.168.2.1,
> > 192.168.2.1 gets pointed back to bla.example.com...
> > 
> > Now I actually did very evil things with that box on the 23rd.... So the
> > admin of the box wants to hunt me down and checks his/her/its logs:
> > Ooe..... that evil user came from 'bla.example.com' let's find out
> > his/her/its IP....aha 192.168.2.1 <-------- OOOPS... Not even the same
> > provider I actually came from to do all those very evil things...
> > 
> > So long for your 'nice' logging facility... (and thanks for all the
> > fish... :) I know... It's been there for a long time and over many many
> > unices but that doesn't say it's still acceptable...
> 
> The owner of what's logged will know the answer -- in this case, 
> talking to the admins of bla.example.com will result in them saying 
> ``ah, that box had its IP number changed''.  I think the way this is 
> done is as appropriate as it ever was.
Hmm... Okay.... Kind of bad reasoning.... But unless logsize is in
question I don't think anybody will object to having both the IP and
hostname in the file...
Surely because of the confusion part... And the fact that an evil admin
won't reply, but that will give the same problems :)
And probably an admin doesn't even know where the host was before as
they either work in teams or maybe it could have been put there temporarily
by another evil intruder or something :) Now if that isn't far-fetched
<grin>

> > Only storing the IP is useless too of course.. Because then you never
> > know what the old hostname (for which you actually accepted) was...
> > Especially if you got /etc/hosts.allow with the old reverse in it, but
> > not the new one etc...
> 
> Your tcp-wrapper rules are subject to the same DNS confusion as the 
> utmp file is, but I don't think there's anything wrong with that.  If 
> you don't trust the admin of example.com, then block the whole domain 
> :)  But that's another argument^Wdiscussion....
<grin>
Problem being... hacked stuff.... blabla... other discussion :)

At least we are now at the point where everybody (it is everybody not?
:) sees that the logging is doing very wrong (SUX :) things... :)

About the API thing..... Check the other mail... I also suggested it
there...
One thing that should be considered to be done if an API is created... :
make a backport to previous versions of FreeBSD and actually
*BSD/Linux/* :)
This also encourages program writers/maintainers to adopt it quicker, as
it's less hassle for them and they don't have to make the
"pre-FreeBSD-5" case or something...
And the best thing about an API (if done right :): separation of the back
and the frontend... which makes changes like this even easier...

Greets,
 Jeroen
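The 23/24 June scenario from this message, worked through as an added example (not code from the thread or from FreeBSD): a login record that keeps both the peer IP and the reverse name, plus a forward-confirmed reverse DNS check at log time. The DNS snapshots, the record layout and the function names are constructed assumptions so the script runs offline.

```python
from dataclasses import dataclass

# Constructed DNS snapshots standing in for real lookups on the two dates.
DNS_23_JUNE = {
    "ptr": {"10.1.2.3": "bla.example.com"},
    "a":   {"bla.example.com": "10.1.2.3"},
}
DNS_24_JUNE = {
    "ptr": {"192.168.2.1": "bla.example.com"},
    "a":   {"bla.example.com": "192.168.2.1"},
}


@dataclass(frozen=True)
class LoginRecord:
    ip: str         # what the kernel actually saw; the authoritative field
    hostname: str   # reverse name at login time; informational only
    fcrdns: bool    # did the name forward-resolve back to the same IP?


def reverse_lookup(dns, ip):
    return dns["ptr"].get(ip, "")


def forward_lookup(dns, name):
    return dns["a"].get(name, "")


def make_record(dns, peer_ip):
    """Build the record a login daemon should write: always the IP, plus the
    reverse name and whether it forward-confirms at this moment."""
    name = reverse_lookup(dns, peer_ip)
    confirmed = bool(name) and forward_lookup(dns, name) == peer_ip
    return LoginRecord(peer_ip, name or peer_ip, confirmed)


def ip_by_reresolving(dns_now, record):
    """What the admin in the thread does with a hostname-only log: re-resolve
    the logged name later and get whatever it points to *now*."""
    return forward_lookup(dns_now, record.hostname)


def ip_from_record(record):
    """With the IP stored, no lookup is needed and the DNS change is harmless."""
    return record.ip


if __name__ == "__main__":
    rec = make_record(DNS_23_JUNE, "10.1.2.3")
    print(rec)
    print("re-resolved on 24 June:", ip_by_reresolving(DNS_24_JUNE, rec))
    print("from the stored IP:   ", ip_from_record(rec))
```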
