[22575] in bugtraq


Re: ProFTPd and reverse DNS

daemon@ATHENA.MIT.EDU (Peter van Dijk)
Sat Sep 8 15:47:44 2001

Date: Sat, 8 Sep 2001 12:35:25 +0200
From: Peter van Dijk <peter@dataloss.nl>
To: bugtraq@securityfocus.com
Message-ID: <20010908123525.D93229@dataloss.nl>
Mail-Followup-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20010907153827.P20505@techmonkeys.org>; from poptix@techmonkeys.org on Fri, Sep 07, 2001 at 03:38:27PM -0600

On Fri, Sep 07, 2001 at 03:38:27PM -0600, Matthew S. Hallacy wrote:
> Howdy,
> 
> Recently while browsing through security logs I noticed that quite a few of the hosts
> connecting to the machine did not resolve. I've checked into it, and apparently ProFTPd does
> not check forward to reverse DNS mappings, and only resolves the IP address connecting. This
> could easily lead to an attacker hiding his real hostname from logfiles, or an attacker
> slipping through ACLs by modifying their hostname. For the time being I recommend that the
> option 'UseReverseDNS' be disabled in the configuration file until this is fixed.

Any network server should log the IP of all incoming connections. Also
resolving the reverse name for that IP can be informative, but is
never as relevant as the IP.

Even if you do check forward and reverse mappings, DNS is easier to
spoof than a real TCP session. Also, an attacker might arrange for a
reverse and forward mapping with a very low TTL, and after the attack
make sure those point somewhere else.

The mantra is simple: log IPs. Always.

Greetz, Peter
-- 
Monopoly        http://www.dataloss.nl/monopoly.html
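The two behaviours the thread contrasts, as an added example that is not part of either post: a PTR-only lookup (what the original report says ProFTPd did) versus a forward-confirmed check, run against a constructed, offline stand-in for DNS, with a log line that always carries the IP. The addresses, hostnames and the `FAKE_PTR`/`FAKE_A` tables are constructed sample data; `live_fcrdns` shows the same check against the real resolver.

```python
import socket
from typing import Callable, Dict, List, Optional

# Constructed stand-in for DNS so the example runs offline and deterministically.
# 192.0.2.66's PTR is "forged": whoever controls that reverse zone can point it
# at any name, but they cannot make the forward zone of example.com answer back.
FAKE_PTR: Dict[str, str] = {
    "192.0.2.10": "ftp-client.example.net",  # honest PTR, forward record matches
    "192.0.2.66": "trusted.example.com",     # attacker-controlled PTR
}
FAKE_A: Dict[str, List[str]] = {
    "ftp-client.example.net": ["192.0.2.10"],
    "trusted.example.com": ["198.51.100.5"],  # the real trusted host
}

Resolver = Callable[[str], Optional[str]]

def ptr_only(ip: str) -> Optional[str]:
    """Trust the reverse name as-is (the behaviour the report complains about)."""
    return FAKE_PTR.get(ip)

def fcrdns(ip: str) -> Optional[str]:
    """Forward-confirmed reverse DNS: keep the PTR name only if it resolves back to ip.
    Still defeatable by DNS spoofing or short-TTL record swaps, as the reply notes,
    so the name is annotation, never the access-control identity."""
    name = FAKE_PTR.get(ip)
    if name is not None and ip in FAKE_A.get(name, []):
        return name
    return None

def live_fcrdns(ip: str) -> Optional[str]:
    """Same check against the real resolver (not used by the offline demo)."""
    try:
        name = socket.gethostbyaddr(ip)[0]
        forward = {info[4][0] for info in socket.getaddrinfo(name, None)}
    except (socket.herror, socket.gaierror):
        return None
    return name if ip in forward else None

def acl_allows(ip: str, allowed_hosts: set, resolver: Resolver) -> bool:
    """Hostname-based ACL; with ptr_only a forged PTR walks straight through."""
    name = resolver(ip)
    return name is not None and name in allowed_hosts

def log_line(ip: str, resolver: Resolver) -> str:
    """The IP is always recorded; the resolved name is supplementary."""
    name = resolver(ip) or "unresolved"
    return f"connection from {ip} ({name})"
```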
