From owner-freebsd-security Sun Jul 22 17:25:34 2001
Delivered-To: freebsd-security@freebsd.org
Received: from Awfulhak.org (gw.Awfulhak.org [217.204.245.18])
	by hub.freebsd.org (Postfix) with ESMTP id 0373337B407;
	Sun, 22 Jul 2001 17:25:20 -0700 (PDT)
	(envelope-from brian@Awfulhak.org)
Received: from hak.lan.Awfulhak.org (root@hak.lan.Awfulhak.org [172.16.0.12])
	by Awfulhak.org (8.11.4/8.11.4) with ESMTP id f6N0PII00884;
	Mon, 23 Jul 2001 01:25:18 +0100 (BST)
	(envelope-from brian@lan.Awfulhak.org)
Received: from hak.lan.Awfulhak.org (brian@localhost [127.0.0.1])
	by hak.lan.Awfulhak.org (8.11.4/8.11.4) with ESMTP id f6N0PHg12049;
	Mon, 23 Jul 2001 01:25:17 +0100 (BST)
	(envelope-from brian@hak.lan.Awfulhak.org)
Message-Id: <200107230025.f6N0PHg12049@hak.lan.Awfulhak.org>
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
To: "Jeroen Massar"
Cc: "'Matt Dillon'", "'Hajimu UMEMOTO'", aschneid@mail.slc.edu,
	brian@Awfulhak.org, ras@e-gerbil.net, roam@orbitel.bg,
	freebsd-security@FreeBSD.ORG, freebsd-gnats-submit@FreeBSD.ORG,
	brian@Awfulhak.org
Subject: Re: bin/22595: telnetd tricked into using arbitrary peer ip
In-Reply-To: Message from "Jeroen Massar" of "Mon, 23 Jul 2001 01:58:33 +0200." <000701c1130a$393e27e0$420d640a@HELL>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 23 Jul 2001 01:25:17 +0100
From: Brian Somers
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Even then.... IMHO one should log both hostname _AND_ IP...

I don't think that's necessary.

> Following situation:
>
> 23 June 2001 - I log into a machine from 10.1.2.3 which maps to
> bla.example.com which points to 10.1.2.3 thus bla.example.com is
> logged...
> 24 June 2001 - The bla.example.com A is changed to 192.168.2.1,
> 192.168.2.1 gets pointed back to bla.example.com...
>
> Now I actually did very evil things with that box on the 23rd.... So the
> admin of the box wants to hunt me down and checks his/her/its logs:
> Ooe..... that evil user came from 'bla.example.com' let's find out
> his/her/its IP....aha 192.168.2.1 <-------- OOOPS... Not even the same
> provider I actually came from to do all those very evil things...
>
> So long for your 'nice' logging facility... (and thanks for all the
> fish... :) I know... It's been there for a long time and over many many
> unices but that doesn't say it's still acceptable...

The owner of what's logged will know the answer -- in this case, talking
to the admins of bla.example.com will result in them saying ``ah, that
box had its IP number changed''. I think the way this is done is as
appropriate as it ever was.

> Only storing the IP is useless too of course.. Because then you never
> know what the old hostname (for which you actually accepted) was...
> Especially if you got /etc/hosts.allow with the old reverse in it, but
> not the new one etc...

Your tcp-wrapper rules are subject to the same DNS confusion as the utmp
file is, but I don't think there's anything wrong with that. If you don't
trust the admin of example.com, then block the whole domain :) But that's
another argument^Wdiscussion....

> Greets,
> Jeroen

--
Brian
http://www.freebsd-services.com/
Don't _EVER_ lose your sense of humour !

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
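The scenario Jeroen describes (a PTR/A pair re-pointed the day after a login) is easy to reproduce against a fake resolver. The following is an added example, not code from the thread or from FreeBSD's telnetd/utmp: a login record keeps the raw peer IP next to the reverse-DNS name and a forward-confirmation flag, and an investigation-time check shows that the logged name no longer matches the logged IP after the DNS change. The DNS snapshots, `make_record` and `name_still_matches` are all constructed for this illustration.

```python
# Added example (not from the thread): keep the peer IP alongside the PTR
# name, with a forward-confirmation flag, so a later DNS change cannot
# mislead an investigation that starts from the hostname.
import socket
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class LoginRecord:
    day: str             # when the login happened
    ip: str              # peer address as seen on the socket: authoritative
    rdns: Optional[str]  # PTR name at login time: a hint only
    fcrdns: bool         # did the name resolve forward to the same IP?

def reverse_lookup(ip):
    """Default resolver: PTR via libc; None on failure."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def forward_lookup(name):
    """Default resolver: A records via libc; empty set on failure."""
    try:
        return {r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)}
    except OSError:
        return set()

def make_record(day, ip, reverse=reverse_lookup, forward=forward_lookup):
    """Log both IP and name; the name is forward-confirmed only if its A
    records include the IP the connection actually came from."""
    name = reverse(ip)
    return LoginRecord(day, ip, name, bool(name) and ip in forward(name))

def name_still_matches(record, forward=forward_lookup):
    """Investigation-time check: does the logged hostname still point at the
    logged IP? False means: trust the IP field, not the name."""
    return record.rdns is not None and record.ip in forward(record.rdns)

# Constructed DNS snapshots (hypothetical) mirroring the thread's scenario.
DNS_JUNE_23 = {"ptr": {"10.1.2.3": "bla.example.com"},
               "a": {"bla.example.com": {"10.1.2.3"}}}
DNS_JUNE_24 = {"ptr": {"192.168.2.1": "bla.example.com"},
               "a": {"bla.example.com": {"192.168.2.1"}}}

def snapshot_resolvers(dns):
    """Offline stand-ins for the libc resolvers, reading a snapshot dict."""
    return (lambda ip: dns["ptr"].get(ip), lambda n: dns["a"].get(n, set()))

if __name__ == "__main__":
    rec = make_record("2001-06-23", "10.1.2.3", *snapshot_resolvers(DNS_JUNE_23))
    print(rec, "name still matches on the 24th:",
          name_still_matches(rec, snapshot_resolvers(DNS_JUNE_24)[1]))
```

With the real resolvers left as defaults, `make_record(day, ip)` does the same thing against the system's DNS.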