Security Basics mailing list archives
logging hostnames instead of IP addresses is a potential weak point in identifying attacks
From: "Ventsislav Genchev" <vigour1 () gmail com>
Date: Fri, 21 Mar 2008 15:09:36 +0200
So far I have had no worries identifying the sources of brute force attacks, but today I saw a very strange, at first look, record:

---
vsftpd:
   Unknown Entries:
      check pass; user unknown: 79167 Time(s)
      authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Admin rhost=. : 28628 Time(s)
      authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=. : 28598 Time(s)
----

Note the empty rhost. After a short investigation (looking at some other server's log files and dumping traffic) I realized that the source of those login attempts was an IP address with the following reverse record:

2.109.90.66.in-addr.arpa domain name pointer .

(actually an empty reverse)

If I hadn't had access to other log files, or if the attack were not present at the moment, I would not have been able to locate the source. So any kind of hostname logging (at least according to me) is a weak point in identifying attacks of any kind and should be avoided.

If any of you guys have similar experiences and/or solutions/workarounds, I would be very glad to read your lines.

Best wishes,
Ventsi
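The failure mode in the post, a logged rhost that is empty because reverse DNS returned nothing, can be caught at log-review time. The following is an added example, not code from the post or from vsftpd: it parses "authentication failure" lines in the format quoted above (constructed sample lines, with 198.51.100.0/24 documentation addresses and an invented hostname), classifies each rhost as an IP literal, a hostname or an unattributable value, and reports the lines for which no source can be recovered.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the format of the entries quoted in the post;
# not taken from any real server. The last two carry an empty / dot-only
# rhost, which is the case the post describes.
SAMPLE_LOG = """\
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Admin rhost=198.51.100.7
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=scanner.example.net
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Admin rhost=
authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=.
"""

# rhost may legitimately be empty, hence \S* rather than \S+
AUTH_FAIL = re.compile(r"authentication failure;.*?\bruser=(?P<ruser>\S*)\s+rhost=(?P<rhost>\S*)")
HOSTNAME = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(\.(?!-)[A-Za-z0-9-]{1,63})*$")


def classify_rhost(rhost: str) -> str:
    """Return 'ip', 'hostname' or 'unattributable' for a logged rhost value.

    An IP literal can always be acted on later; a hostname only while it still
    resolves; an empty or dot-only value (empty reverse record) never can.
    """
    value = rhost.strip().rstrip(".")
    if not value:
        return "unattributable"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    return "hostname" if HOSTNAME.match(value) else "unattributable"


def audit_auth_failures(log_text: str) -> dict:
    """Count failures per (ruser, rhost class) and list lines with no usable source."""
    counts: Counter = Counter()
    untraceable = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = AUTH_FAIL.search(line)
        if not m:
            continue
        kind = classify_rhost(m.group("rhost"))
        counts[(m.group("ruser"), kind)] += 1
        if kind == "unattributable":
            untraceable.append(lineno)
    return {"counts": dict(counts), "untraceable_lines": untraceable}


if __name__ == "__main__":
    report = audit_auth_failures(SAMPLE_LOG)
    for (ruser, kind), n in sorted(report["counts"].items()):
        print(f"ruser={ruser:<14} source={kind:<15} failures={n}")
    print("lines with no recoverable source:", report["untraceable_lines"])
```

Run against a real log, a non-empty untraceable list is the signal to switch the service to logging numeric addresses (or to capture the peer address elsewhere) before the next incident.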