Re: ftpd log address format

From: Martijn van Duren (martijn987gmail.com)
Date: Tue May 07 2013 - 13:02:05 CDT


On 05/05/13 16:18, Stuart Henderson wrote:
> On 2013/05/05 10:06, Nick Holland wrote:
>> On 05/04/13 01:57, Ted Unangst wrote:
>>> On Sat, May 04, 2013 at 07:26, Martijn van Duren wrote:
>>>> For a lot of cases this isn't a problem. But there are a couple of
>>>> instances where the domain name resolves to something a little too
>>>> generic to be useful to determine its origin and hence I'm not able to
>>>> decide if it's a legit connection or not, let alone being able to place
>>>> it in my firewall.
>>>> To fix this for myself I made this minor patch to retrieve the IP
>>>> address instead of the reverse lookup. This appears to be the same
>>>> behavior as sshd shows.
>>>
>>> I think this is wise. Reverse lookups are not really useful imo. If
>>> someone cares, they can always do them later.
>>>
>>
>> regarding the concept, not the patch...agreed.
>>
>> I have OFTEN wished I had the raw IP address in a log, I've rarely (I
>> want to say "never") wished I had a reverse DNS lookup.

The hbuf buffer has more than enough room for the IP notation with 256
bytes and it's the simplest alteration I could think of.
I'm relatively new to OBSD and C programming. So what kind of patch
would you agree to and/or what is specifically wrong with this patch?

>>
>> Nick.
>>
>
> I don't feel too strongly about it but my preference would be to
> log both. There are circumstances (e.g. dhcp with dynamic dns updates)
> where it's useful to have the reverse at the time of connection.
>

I could be wrong, but shouldn't those address/hostname translations be
in the (DHCP server) logs?
Furthermore it could be possible to do something like switching between
private IPs and public IPs, since clients that come in with a private
IP usually are accompanied by a sensible hostname from the
DHCP/internal DNS. Public IP addresses get their reverse name from the
provider and are quite often also NAT-ed, hence these names can't be
relied upon for proper identification of the source address. Unless you
can tell me who e.g. static.kpn.nl was (hint, it was my own connection
and the source wasn't 213.75.8.38).
Or we could add a (-s?-i?) switch to let the admin decide if he wants to
switch to IP-based source notation.
Just giving my two cents. As I said before, I'll be just as happy to
keep this file patched for myself.