OSEC

From: Karsten W. Rohrbach (karstenrohrbach.de)
Date: Tue Sep 11 2001 - 13:13:38 CDT


    Matthew S. Hallacy (poptixtechmonkeys.org) 2001.09.07 15:38:27 +0000:
    > Howdy,
    >
    > Recently while browsing through security logs I noticed that quite a few of the hosts
    > connecting to the machine did not resolve. I've checked into it, and apparently ProFTPd does
    > not check forward to reverse DNS mappings, and only resolves the IP address connecting. This
    > could easily lead to an attacker hiding his real hostname from logfiles, or an attacker
    > slipping through ACLs by modifying their hostname. For the time being I recommend that the
    > option 'UseReverseDNS' be disabled in the configuration file until this is fixed.
    >
    > Unfortunately I was not able to contact anyone to discuss this, as www.proftpd.org has been
    > down for the past 4-5 days that I've tried it; the version tested was 1.2.2rc2.

    if you happen to run an inetd-capable ftp daemon, use tcpserver as a
    frontend [http://cr.yp.to/ucspi-tcp.html] which allows you to do very
    paranoid checking and also good logging (with multilog of the
    daemontools package).

    you might check the -p option to tcpserver, as well as the magic rules
    for tcprules files (acl files) for it. together with the -p option to
    tcpserver and the lines
        =:allow
        :deny
    in your tcprules file, you drop addresses that are not reverse
    resolvable. do not do this for anon ftp servers.
    rule explanations at [http://cr.yp.to/ucspi-tcp/tcprules.html]

    cheers,
    /k

    -- 
    > Yes, it is inconvenient.  Security and convenience are usually mutually
    > exclusive concepts. --Erik Trulsson on freebsd-stable, Jun 2001
    KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
    http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
    karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catchspam.de
    GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE  DF22 3340 4F4E 2964 BF46
    Please do not remove my address from To: and Cc: fields in mailing lists. 10x
    

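The forward-confirmed reverse DNS check that tcpserver's -p option performs (and that the report above says ProFTPD skips), as an added Python example that is not part of this thread. The DNS data is constructed from documentation-range addresses; the `live_ptr`/`live_a` helpers are an assumption about using the system resolver in place of the sample tables.

```python
import socket
from typing import Dict, Iterable, List, Optional

# Constructed sample DNS data (documentation-range addresses, not real hosts).
# 192.0.2.10: PTR and A records agree.
# 192.0.2.20: PTR claims a trusted name, but that name's A record points elsewhere.
# 192.0.2.30: no PTR record at all.
SAMPLE_PTR: Dict[str, Optional[str]] = {
    "192.0.2.10": "good.example.net",
    "192.0.2.20": "trusted.example.com",
    "192.0.2.30": None,
}
SAMPLE_A: Dict[str, List[str]] = {
    "good.example.net": ["192.0.2.10"],
    "trusted.example.com": ["198.51.100.5"],
}

def sample_ptr(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)

def sample_a(name: str) -> Iterable[str]:
    return SAMPLE_A.get(name, [])

def live_ptr(ip: str) -> Optional[str]:
    """Assumed real reverse lookup via the system resolver (not used in the sample run)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def live_a(name: str) -> Iterable[str]:
    """Assumed real forward lookup via the system resolver (not used in the sample run)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def confirmed_hostname(ip, ptr_lookup=sample_ptr, a_lookup=sample_a):
    """Forward-confirmed reverse DNS: keep the PTR name only if one of its
    A records is the connecting address; otherwise the name is untrusted."""
    name = ptr_lookup(ip)
    if name and ip in set(a_lookup(name)):
        return name
    return None

def decide(ip, ptr_lookup=sample_ptr, a_lookup=sample_a):
    """The '=:allow' / ':deny' pair: allow only connections with a confirmed name,
    and log the bare IP otherwise so a forged PTR never reaches the logfile."""
    name = confirmed_hostname(ip, ptr_lookup, a_lookup)
    if name is None:
        return {"action": "deny", "log_as": ip}
    return {"action": "allow", "log_as": f"{name} [{ip}]"}
```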