Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 227357 - SYSLOGD_OPTIONS excludes "-x" by default.
Summary: SYSLOGD_OPTIONS excludes "-x" by default.
Alias: None
Product: Fedora
Classification: Fedora
Component: sysklogd
Version: 6
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Peter Vrabec
QA Contact: Brian Brock
Depends On:
TreeView+ depends on / blocked
Reported: 2007-02-05 16:23 UTC by John Holmstadt
Modified: 2007-11-30 22:11 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-02-21 17:09:47 UTC

Attachments (Terms of Use)

Description John Holmstadt 2007-02-05 16:23:43 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20061204 Firefox/

Description of problem:
I noticed recently that I had been getting  alot of connection attempts to my vsftpd service, which had been being logged to /var/log/secure. However, the rhost field was useless in identifying the offending IP...

Feb  4 22:19:07 myhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=info rhost=oa

The hostname "oa" obviously will not resolve to an IP as it isn't a FQDN. I found several other similar attempts to gain access to my server using similarly obscured reverse hostname lookups. I have changed my /etc/sysconfig/syslog file to  include "-x" in the SYSLOGD_OPTIONS field, however, it seems to me that either "-x" should be the default option here, or syslog should automatically recognize that a hostname such as "oa" isn't a valid FQDN, and shouldn't be used in the log. If not, people cannot properly respond to similar attacks unless they, after the fact, change their syslog options.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Give an IP an improperly formatted PTR record.
2. Attempt a connection from that IP
3. Attempt to determine that IP using only information from /var/log/secure

Actual Results:
The hostname is logged, but the logged hostname is useless in determining the IP of the offender.

Expected Results:
Either the IP should be logged by default, or syslog should recognize that the PTR lookup doesn't match with the A record lookup, and log the IP instead.

Additional info:

Comment 1 John Holmstadt 2007-02-21 17:09:47 UTC
Nevermind. My understanding of the switch was incorrect.

Note You need to log in before you can comment on or make changes to this bug.