Bugtraq mailing list archives
Re: ProFTPd and reverse DNS
From: Peter van Dijk <peter () dataloss nl>
Date: Sat, 8 Sep 2001 12:35:25 +0200
On Fri, Sep 07, 2001 at 03:38:27PM -0600, Matthew S . Hallacy wrote:
Howdy,
Recently while browsing through security logs I noticed that quite a few of the hosts
connecting to the machine did not resolve, I've checked into it, and apparently ProFTPd does
not check forward to reverse DNS mappings, and only resolves the IP address connecting. This
could easily lead to an attacker hiding his real hostname from logfiles, or an attacker
slipping through ACL's by modifying their hostname. For the time being I recommend that the
option 'UseReverseDNS' be disabled in the configuration file until this is fixed.
Any network server should log the IP of all incoming connections. Also resolving the reverse name for that IP can be informative, but is never as relevant as the IP. Even if you do check forward and reverse mappings, DNS is easier to spoof then a real TCP session. Also, an attacker might arrange for a reverse and forward mapping with a very low TTL, and after the attack make sure those point somewhere else. The mantra is simple: log IPs. Always. Greetz, Peter -- Monopoly http://www.dataloss.nl/monopoly.html
Current thread:
- ProFTPd and reverse DNS Matthew S . Hallacy (Sep 07)
- Re: ProFTPd and reverse DNS Michael S. Fischer (Sep 07)
- Re: ProFTPd and reverse DNS Noah (Sep 08)
- Re: ProFTPd and reverse DNS Krzysztof Halasa (Sep 08)
- Re: ProFTPd and reverse DNS The Flying Hamster (Sep 08)
- Re: ProFTPd and reverse DNS Peter van Dijk (Sep 08)
- RE: ProFTPd and reverse DNS Jeroen Massar (Sep 08)
- Re: ProFTPd and reverse DNS Karsten W. Rohrbach (Sep 11)
- Re: ProFTPd and reverse DNS Michael S. Fischer (Sep 07)