Bugtraq mailing list archives
Re: ProFTPd and reverse DNS
From: "Karsten W. Rohrbach" <karsten () rohrbach de>
Date: Tue, 11 Sep 2001 20:13:38 +0200
Matthew S . Hallacy(poptix () techmonkeys org)@2001.09.07 15:38:27 +0000:
> Howdy,
>
> Recently while browsing through security logs I noticed that quite a few of the hosts connecting to the machine did not resolve, I've checked into it, and apparently ProFTPd does not check forward to reverse DNS mappings, and only resolves the IP address connecting. This could easily lead to an attacker hiding his real hostname from logfiles, or an attacker slipping through ACLs by modifying their hostname.
>
> For the time being I recommend that the option 'UseReverseDNS' be disabled in the configuration file until this is fixed.
>
> Unfortunately I was not able to contact anyone to discuss this, as www.proftpd.org has been down for the past 4-5 days that I've tried it, the version tested was 1.2.2rc2.
if you happen to run an inetd-capable ftp daemon, use tcpserver as a frontend [http://cr.yp.to/ucspi-tcp.html] which allows you to do very paranoid checking and also good logging (with multilog of the daemontools package).

you might check the -p option to tcpserver, as well as the magic rules for tcprules files (acl files) for it. together with the -p option to tcpserver and the lines

    =:allow
    :deny

in your tcprules file, you drop not reverse resolvable addresses. do not do this for anon ftp servers.

rule explanations at [http://cr.yp.to/ucspi-tcp/tcprules.html]

cheers,
/k
--
Yes, it is inconvenient. Security and convenience are usually mutually exclusive concepts. --Erik Trulsson on freebsd-stable, Jun 2001
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/ karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch () spam de GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46 Please do not remove my address from To: and Cc: fields in mailing lists. 10x
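
The forward-to-reverse check discussed in this thread, as an added example that is not part of the original posts and is not ProFTPd or tcpserver code: a PTR name is accepted only if it resolves forward to the connecting address, otherwise the bare IP is used for logging and ACL matching. The function names and the sample DNS data are hypothetical and constructed for illustration.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR lookup via the system resolver; returns the claimed hostnames."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name] + aliases

def system_forward(name):
    """A/AAAA lookup via the system resolver; returns address strings."""
    try:
        infos = socket.getaddrinfo(name, None)
    except OSError:
        return []
    return [info[4][0] for info in infos]

def confirmed_hostname(ip, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Return the PTR name only if it resolves forward to `ip`, else None."""
    peer = ipaddress.ip_address(ip)
    for name in ptr_lookup(ip):
        for addr in forward_lookup(name):
            try:
                if ipaddress.ip_address(addr) == peer:
                    return name.rstrip(".").lower()
            except ValueError:
                continue  # resolver returned something that is not a plain address
    return None

def log_name(ip, **resolvers):
    """Name to log and match ACLs against: the confirmed name, or the bare IP."""
    return confirmed_hostname(ip, **resolvers) or ip

# Constructed sample data (documentation address ranges, example domains).
PTR = {
    "192.0.2.10": ["ftp-client.example.org."],  # PTR that matches its forward record
    "198.51.100.7": ["trusted.example.com."],   # PTR chosen by the reverse-zone owner
    "203.0.113.5": [],                          # no PTR at all
}
A = {
    "ftp-client.example.org.": ["192.0.2.10"],
    "trusted.example.com.": ["192.0.2.99"],     # the real host lives elsewhere
}
fake = dict(ptr_lookup=lambda ip: PTR.get(ip, []),
            forward_lookup=lambda n: A.get(n, []))

if __name__ == "__main__":
    for ip in PTR:
        print(ip, "->", log_name(ip, **fake))
```
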
Current thread:
- ProFTPd and reverse DNS Matthew S . Hallacy (Sep 07)
- Re: ProFTPd and reverse DNS Michael S. Fischer (Sep 07)
- Re: ProFTPd and reverse DNS Noah (Sep 08)
- Re: ProFTPd and reverse DNS Krzysztof Halasa (Sep 08)
- Re: ProFTPd and reverse DNS The Flying Hamster (Sep 08)
- Re: ProFTPd and reverse DNS Peter van Dijk (Sep 08)
- RE: ProFTPd and reverse DNS Jeroen Massar (Sep 08)
- Re: ProFTPd and reverse DNS Karsten W. Rohrbach (Sep 11)
- Re: ProFTPd and reverse DNS Michael S. Fischer (Sep 07)