[22608] in bugtraq
Re: ProFTPd and reverse DNS
daemon@ATHENA.MIT.EDU (Karsten W. Rohrbach)
Tue Sep 11 17:59:59 2001
Date: Tue, 11 Sep 2001 20:13:38 +0200
From: "Karsten W. Rohrbach" <karsten@rohrbach.de>
To: "Matthew S . Hallacy" <poptix@techmonkeys.org>
Cc: bugtraq@securityfocus.com
Message-ID: <20010911201338.H48914@mail.webmonster.de>
Mail-Followup-To: "Karsten W. Rohrbach" <karsten@rohrbach.de>,
"Matthew S . Hallacy" <poptix@techmonkeys.org>,
bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
protocol="application/pgp-signature"; boundary="8S1fMsFYqgBC+BN/"
Content-Disposition: inline
In-Reply-To: <20010907153827.P20505@techmonkeys.org>; from poptix@techmonkeys.org on Fri, Sep 07, 2001 at 03:38:27PM -0600
Matthew S . Hallacy(poptix@techmonkeys.org)@2001.09.07 15:38:27 +0000:
> Howdy,
>
> Recently while browsing through security logs I noticed that quite a few of the hosts
> connecting to the machine did not resolve, I've checked into it, and apparently ProFTPd does
> not check forward to reverse DNS mappings, and only resolves the IP address connecting. This
> could easily lead to an attacker hiding his real hostname from logfiles, or an attacker
> slipping through ACL's by modifying their hostname. For the time being I recommend that the
> option 'UseReverseDNS' be disabled in the configuration file until this is fixed.
>
> Unfortunately I was not able to contact anyone to discuss this, as www.proftpd.org has been
> down for the past 4-5 days that I've tried it, the version tested was 1.2.2rc2.
if you happen to run an inetd-capable ftp daemon, use tcpserver as a
frontend [http://cr.yp.to/ucspi-tcp.html] which allows you to do very
paranoid checking and also good logging (with multilog of the
daemontools package).
you might check the -p option to tcpserver, as well as the magic rules
for tcprules files (acl files) for it. together with the -p option to
tcpserver and the lines
=:allow
:deny
in your tcprules file, you drop addresses that are not reverse-resolvable. do not
do this for anon ftp servers.
rule explanations at [http://cr.yp.to/ucspi-tcp/tcprules.html]
cheers,
/k
-- 
> Yes, it is inconvenient. Security and convenience are usually mutually
> exclusive concepts. --Erik Trulsson on freebsd-stable, Jun 2001
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists. 10x
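The tcpserver advice in the reply above, worked through as an added example that is neither the mail's nor the ucspi-tcp project's code: a small model of the decision `tcpserver -p -x rules.cdb` makes for a connecting IP under the two-line `=:allow` / `:deny` ACL. It reproduces the documented rule lookup order (exact IP, `=host`, IP prefixes, `=.` host suffixes, bare `=`, then the empty address) and the paranoid forward-confirmation that leaves `$TCPREMOTEHOST` unset when the PTR name does not resolve back to the IP. The DNS tables, addresses and file names are constructed for the demonstration, and the `tcprules`/`tcpserver` command lines in the comments assume the FTP daemon is run in inetd mode at an assumed path.

```python
# Added example (not from the mail or from ucspi-tcp): a simplified model of
# how `tcpserver -p -x rules.cdb` decides on a connection under the ACL
# recommended in the reply. All DNS data below is constructed.
#
# Real-world workflow (both commands are part of ucspi-tcp; file names and
# the daemon path are assumptions):
#   tcprules ftp.cdb ftp.tmp < ftp.rules
#   tcpserver -p -R -v -x ftp.cdb 0 21 /usr/local/sbin/proftpd   # daemon in inetd mode

# Constructed ftp.rules source: the two rules from the mail, plus comments.
RULES_TEXT = """\
# tcpserver -p sets $TCPREMOTEHOST only when the PTR name resolves back to the IP
=:allow
# catch-all for connections without a forward-confirmed name
:deny
"""

# Constructed stand-ins for DNS: PTR (reverse) and A (forward) records.
PTR = {
    "192.0.2.10": "good.example.net",   # consistent forward and reverse
    "192.0.2.20": "spoof.example.net",  # PTR claims a name that does not point back
    "192.0.2.30": None,                 # no PTR record at all
}
A = {
    "good.example.net": ["192.0.2.10"],
    "spoof.example.net": ["198.51.100.5"],
}


def parse_rules(text):
    """Parse tcprules source lines of the form 'address:instruction';
    blank lines and '#' comments are ignored."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        address, _, instruction = line.partition(":")
        rules[address] = instruction
    return rules


def paranoid_remote_host(ip):
    """Model of tcpserver -p: keep the reverse name only if one of its forward
    addresses equals the connecting IP; otherwise $TCPREMOTEHOST stays unset."""
    name = PTR.get(ip)
    if name and ip in A.get(name, []):
        return name
    return None


def candidate_addresses(ip, host):
    """Rule addresses in the order tcpserver tries them ($TCPREMOTEINFO omitted):
    exact IP, =host, IP prefixes ending in '.', =.suffixes of host, '=', ''.
    The host-based candidates exist only when $TCPREMOTEHOST is set."""
    cands = [ip]
    if host:
        cands.append("=" + host)
    octets = ip.split(".")
    for n in range(len(octets) - 1, 0, -1):
        cands.append(".".join(octets[:n]) + ".")
    if host:
        labels = host.split(".")
        for n in range(1, len(labels)):
            cands.append("=." + ".".join(labels[n:]))
        cands.append("=")
    cands.append("")
    return cands


def decide(ip, rules_text=RULES_TEXT):
    """Return ($TCPREMOTEHOST or None, 'allow' or 'deny') for a connecting IP.
    The first matching address wins; with no matching rule tcpserver allows."""
    rules = parse_rules(rules_text)
    host = paranoid_remote_host(ip)
    for address in candidate_addresses(ip, host):
        if address in rules:
            return host, rules[address].split(",")[0]
    return host, "allow"


if __name__ == "__main__":
    for ip in PTR:
        host, verdict = decide(ip)
        print(f"{ip:12} TCPREMOTEHOST={host or '(unset)':18} -> {verdict}")
    # An explicit prefix rule is how a local network would be exempted; the mail
    # advises against the blanket deny for anonymous FTP servers altogether.
    print(decide("192.0.2.30", RULES_TEXT + "192.0.2.:allow\n"))
```

The model shows the point behind the recommendation: a spoofed PTR (`192.0.2.20`) gets exactly the same treatment as a missing one, because `-p` discards the name before the rules are consulted, so the `=:allow` line can only ever fire for a forward-confirmed host.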