Re: ProFTPd and reverse DNS

["Karsten W. Rohrbach" <karsten () rohrbach de>]

Matthew S . Hallacy(poptix () techmonkeys org)@2001.09.07 15:38:27 +0000:
> Howdy,
>
>       Recently while browsing through security logs I noticed that quite a few of the hosts
> connecting to the machine did not resolve, I've checked into it, and apparently ProFTPd does
> not check forward to reverse DNS mappings, and only resolves the IP address connecting. This
> could easily lead to an attacker hiding his real hostname from logfiles, or an attacker 
> slipping through ACL's by modifying their hostname. For the time being I recommend that the
> option 'UseReverseDNS' be disabled in the configuration file until this is fixed.
>
> Unfortunately I was not able to contact anyone to discuss this, as www.proftpd.org has been
> down for the past 4-5 days that I've tried it, the version tested was 1.2.2rc2.

if you happen to run an inetd-capable ftp daemon, use tcpserver as a
frontend [http://cr.yp.to/ucspi-tcp.html] which allows you to do very
paranoid checking and also good logging (with multilog of the
daemontools package).

you might check the -p option to tcpserver, as well as the magic rules
for tcprules files (acl files) for it. together with the -p optionto
tcpserver and the lines
    =:allow
    :deny
in your tcprules file, you drop not reverse resolvable adresses. do not
do this for anon ftp servers.
rule explanations at [http://cr.yp.to/ucspi-tcp/tcprules.html]

cheers,
/k

-- 
> Yes, it is inconvenient.  Security and convenience are usually mutually
> exclusive concepts. --Erik Trulsson on freebsd-stable, Jun 2001
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch () spam de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE  DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

Attachment: _bin
Description: