NetBSD Problem Report #40339

From www@NetBSD.org  Wed Jan  7 18:13:09 2009
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by narn.NetBSD.org (Postfix) with ESMTP id F011B63B8C6
	for <gnats-bugs@gnats.netbsd.org>; Wed,  7 Jan 2009 18:13:08 +0000 (UTC)
Message-Id: <20090107181308.AF7DD63B8B6@narn.NetBSD.org>
Date: Wed,  7 Jan 2009 18:13:08 +0000 (UTC)
From: eravin@panix.com
Reply-To: eravin@panix.com
To: gnats-bugs@NetBSD.org
Subject: ftpd does not log IP address of remote client
X-Send-Pr-Version: www-1.0

>Number:         40339
>Category:       bin
>Synopsis:       ftpd does not log IP address of remote client
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people
>State:          closed
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Wed Jan 07 18:15:00 +0000 2009
>Closed-Date:    Mon Dec 14 02:15:29 +0000 2009
>Last-Modified:  Mon Dec 14 02:15:29 +0000 2009
>Originator:     Ed Ravin
>Release:        5.0
>Organization:
PANIX Public Access Networks Corp
>Environment:
NetBSD panix5.panix.com 5.0_BETA NetBSD 5.0_BETA (PANIX-XEN3U-USER-pae) #1: Thu Nov 13 17:26:16 EST 2008  root@juggler.panix.com:/misc1/obj/misc2/devel/netbsd/5-beta/src/sys/arch/i386/compile/PANIX-XEN3U-USER-pae i386

>Description:
ftpd logins and password failures are logged with the reverse lookup of the IP address of the client, for example:

ftpd[10377]: FTP LOGIN FROM pool-72-89-248-152.nycmny.fios.verizon.net as randomuser (class: real, type: REAL)

ftpd[21661]: FTP LOGIN FAILED FROM cpc3-bele3-0-0-cust879.belf.cable.ntl.com

For security and audit purposes, the IP address of the remote client should be included.  For example, an attacker might change their reverse DNS after the attack; someone reviewing the logs a day later (or even an hour later) might not be able to discern the correct IP address of the remote client.

Also, users of products that automatically filter out attacks (like fail2ban) prefer using the IP address to reliably block the attacker by adding an ipfilter against them.
>How-To-Repeat:

>Fix:

>Release-Note:

>Audit-Trail:
From: Christos Zoulas <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/40339 CVS commit: src/libexec/ftpd
Date: Thu,  8 Jan 2009 18:47:49 +0000 (UTC)

 Module Name:	src
 Committed By:	christos
 Date:		Thu Jan  8 18:47:49 UTC 2009

 Modified Files:
 	src/libexec/ftpd: extern.h ftpd.c

 Log Message:
 PR/40339: Ed Ravin: make ftpd log both the hostname and numeric address.


 To generate a diff of this commit:
 cvs rdiff -r1.58 -r1.59 src/libexec/ftpd/extern.h
 cvs rdiff -r1.190 -r1.191 src/libexec/ftpd/ftpd.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->closed
State-Changed-By: snj@NetBSD.org
State-Changed-When: Mon, 14 Dec 2009 02:15:29 +0000
State-Changed-Why:
christos fixed this in January.


>Unformatted:
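
The logging change requested in this report, sketched as an added example; this is not the code from the ftpd commit above. The "name [address]" layout, the function names format_peer and demo_peer, and the sample PTR names are assumptions of the example, and 192.0.2.10 is a documentation address.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Build "name [numeric]" for a log line; this layout is the example's assumption.
 * name is the reverse-lookup result and may be NULL. Returns 0, or -1 on error. */
int
format_peer(const struct sockaddr *sa, socklen_t salen, const char *name,
    char *out, size_t outlen)
{
	char num[80], safe[256];
	size_t i;
	int n;
	/* NI_NUMERICHOST converts the address bytes only; no DNS query is made. */
	if (getnameinfo(sa, salen, num, sizeof(num), NULL, 0, NI_NUMERICHOST) != 0)
		return -1;
	/* The PTR name is set by whoever controls the reverse zone: keep only
	 * hostname characters so it cannot imitate the bracketed address. */
	for (i = 0; name != NULL && name[i] != '\0' && i < sizeof(safe) - 1; i++)
		safe[i] = (isalnum((unsigned char)name[i]) || strchr(".-_:", name[i])) ? name[i] : '?';
	safe[i] = '\0';
	/* Lookup failed or returned the address itself: log the address alone. */
	if (safe[0] == '\0' || strcmp(safe, num) == 0)
		n = snprintf(out, outlen, "[%s]", num);
	else
		n = snprintf(out, outlen, "%s [%s]", safe, num);
	return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Constructed demo peer: 192.0.2.10 paired with a caller-supplied PTR name. */
const char *
demo_peer(const char *name)
{
	static char buf[512];
	struct sockaddr_in sin;

	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;	/* BSD systems also need sin_len set */
	inet_pton(AF_INET, "192.0.2.10", &sin.sin_addr);
	return format_peer((struct sockaddr *)&sin, sizeof(sin), name, buf, sizeof(buf)) == 0 ? buf : NULL;
}
int main(void) { puts(demo_peer("host.example.net")); return 0; }
```

A log consumer such as fail2ban can then match the bracketed field, which comes from the socket address and stays correct if the PTR record changes later.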

Copyright © 1994-2007 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.