ftpd log address format

ftpd log address format

Martijn van Duren
Hello tech@,

I run a not noteworthy anonymous ftp server at home for friends and
family. This works perfectly with the supplied ftpd.
Recently I noticed the amount of unfamiliar connections rising,
but using wtmp and last I found that it used reverse lookups.
For a lot of cases this isn't a problem. But there are a couple of
instances where the domain name resolves to something a little too
generic to be useful to determine its origin and hence I'm not able to
decide if it's a legit connection or not, let alone being able to place
it in my firewall.
To fix this for myself I made this minor patch to retrieve the IP
address instead of the reverse lookup. This appears to be the same
behavior as sshd shows.
Of course this behavior could be placed behind a diff or just kept in my
personal source-tree copy.

Index: ftpd.c
===================================================================
RCS file: /cvs/src/libexec/ftpd/ftpd.c,v
retrieving revision 1.196
diff -u -a -r1.196 ftpd.c
--- ftpd.c      4 Dec 2012 02:24:47 -0000       1.196
+++ ftpd.c      4 May 2013 05:24:44 -0000
@@ -2166,7 +2166,7 @@
  {
         char hbuf[sizeof(remotehost)];

-       if (getnameinfo(sa, sa->sa_len, hbuf, sizeof(hbuf), NULL, 0, 0)
== 0)
+       if (getnameinfo(sa, sa->sa_len, hbuf, sizeof(hbuf), NULL, 0,
NI_NUMERICHOST) == 0)
                 (void) strlcpy(remotehost, hbuf, sizeof(remotehost));
         else
                 (void) strlcpy(remotehost, "unknown", sizeof(remotehost));
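Review bot: with NI_NUMERICHOST hard-wired into the only getnameinfo() call, the `else` branch that stores "unknown" is reached only for address families the resolver cannot render numerically, and the numeric, sshd-style logging described in the cover text becomes the sole behaviour; if the option the cover text mentions is wanted, the flag should come from a variable set during option parsing rather than being written into the call. Separately, the patch as mailed is line-wrapped: `== 0)` and `NI_NUMERICHOST) == 0)` sit on their own lines, so it will not apply with patch(1) until those two continuation lines are rejoined to the lines above them.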


Sincerely,

Martijn van Duren


Re: ftpd log address format

Martijn van Duren
On 05/04/13 07:26, Martijn van Duren wrote:

> Hello tech@,
>
> I run a not noteworthy anonymous ftp server at home for friends and
> family. This works perfectly with the supplied ftpd.
> Recently I noticed the amount of unfamiliar connections rising,
> but using wtmp and last I found that it used reverse lookups.
> For a lot of cases this isn't a problem. But there are a couple of
> instances where the domain name resolves to something a little too
> generic to be useful to determine its origin and hence I'm not able to
> decide if it's a legit connection or not, let alone being able to place
> it in my firewall.
> To fix this for myself I made this minor patch to retrieve the IP
> address instead of the reverse lookup. This appears to be the same
> behavior as sshd shows.
> Of course this behavior could be placed behind a diff or just kept in my
> personal source-tree copy.

Of course I meant to say "behind a switch" here.

>
> Index: ftpd.c
> ===================================================================
> RCS file: /cvs/src/libexec/ftpd/ftpd.c,v
> retrieving revision 1.196
> diff -u -a -r1.196 ftpd.c
> --- ftpd.c      4 Dec 2012 02:24:47 -0000       1.196
> +++ ftpd.c      4 May 2013 05:24:44 -0000
> @@ -2166,7 +2166,7 @@
>   {
>          char hbuf[sizeof(remotehost)];
>
> -       if (getnameinfo(sa, sa->sa_len, hbuf, sizeof(hbuf), NULL, 0, 0)
> == 0)
> +       if (getnameinfo(sa, sa->sa_len, hbuf, sizeof(hbuf), NULL, 0,
> NI_NUMERICHOST) == 0)
>                  (void) strlcpy(remotehost, hbuf, sizeof(remotehost));
>          else
>                  (void) strlcpy(remotehost, "unknown", sizeof(remotehost));
>
>
> Sincerely,
>
> Martijn van Duren


Re: ftpd log address format

Ted Unangst
In reply to this post by Martijn van Duren
On Sat, May 04, 2013 at 07:26, Martijn van Duren wrote:
> For a lot of cases this isn't a problem. But there are a couple of
> instances where the domain name resolves to something a little too
> generic to be useful to determine its origin and hence I'm not able to
> decide if it's a legit connection or not, let alone being able to place
> it in my firewall.
> To fix this for myself I made this minor patch to retrieve the IP
> address instead of the reverse lookup. This appears to be the same
> behavior as sshd shows.

I think this is wise. Reverse lookups are not really useful imo. If
someone cares, they can always do them later.


Re: ftpd log address format

Nick Holland
On 05/04/13 01:57, Ted Unangst wrote:

> On Sat, May 04, 2013 at 07:26, Martijn van Duren wrote:
>> For a lot of cases this isn't a problem. But there are a couple of
>> instances where the domain name resolves to something a little too
>> generic to be useful to determine its origin and hence I'm not able to
>> decide if it's a legit connection or not, let alone being able to place
>> it in my firewall.
>> To fix this for myself I made this minor patch to retrieve the IP
>> address instead of the reverse lookup. This appears to be the same
>> behavior as sshd shows.
>
> I think this is wise. Reverse lookups are not really useful imo. If
> someone cares, they can always do them later.
>

Regarding the concept, not the patch... agreed.

I have OFTEN wished I had the raw IP address in a log, I've rarely (I
want to say "never") wished I had a reverse DNS lookup.

Nick.


Re: ftpd log address format

Stuart Henderson
On 2013/05/05 10:06, Nick Holland wrote:

> On 05/04/13 01:57, Ted Unangst wrote:
> > On Sat, May 04, 2013 at 07:26, Martijn van Duren wrote:
> >> For a lot of cases this isn't a problem. But there are a couple of
> >> instances where the domain name resolves to something a little too
> >> generic to be useful to determine its origin and hence I'm not able to
> >> decide if it's a legit connection or not, let alone being able to place
> >> it in my firewall.
> >> To fix this for myself I made this minor patch to retrieve the IP
> >> address instead of the reverse lookup. This appears to be the same
> >> behavior as sshd shows.
> >
> > I think this is wise. Reverse lookups are not really useful imo. If
> > someone cares, they can always do them later.
> >
>
> regarding the concept, not the patch...agreed.
>
> I have OFTEN wished I had the raw IP address in a log, I've rarely (I
> want to say "never") wished I had a reverse DNS lookup.
>
> Nick.
>

I don't feel too strongly about it but my preference would be to
log both. There are circumstances (e.g. dhcp with dynamic dns updates)
where it's useful to have the reverse at the time of connection.


Re: ftpd log address format

Martijn van Duren
On 05/05/13 16:18, Stuart Henderson wrote:

> On 2013/05/05 10:06, Nick Holland wrote:
>> On 05/04/13 01:57, Ted Unangst wrote:
>>> On Sat, May 04, 2013 at 07:26, Martijn van Duren wrote:
>>>> For a lot of cases this isn't a problem. But there are a couple of
>>>> instances where the domain name resolves to something a little too
>>>> generic to be useful to determine its origin and hence I'm not able to
>>>> decide if it's a legit connection or not, let alone being able to place
>>>> it in my firewall.
>>>> To fix this for myself I made this minor patch to retrieve the IP
>>>> address instead of the reverse lookup. This appears to be the same
>>>> behavior as sshd shows.
>>>
>>> I think this is wise. Reverse lookups are not really useful imo. If
>>> someone cares, they can always do them later.
>>>
>>
>> regarding the concept, not the patch...agreed.
>>
>> I have OFTEN wished I had the raw IP address in a log, I've rarely (I
>> want to say "never") wished I had a reverse DNS lookup.

The hbuf buffer has more than enough room for the IP notation with 256
bytes and it's the simplest alteration I could think of.
I'm relatively new to OBSD and C programming. So what kind of patch
would you agree to and/or what is specifically wrong with this patch?

>>
>> Nick.
>>
>
> I don't feel too strongly about it but my preference would be to
> log both. There are circumstances (e.g. dhcp with dynamic dns updates)
> where it's useful to have the reverse at the time of connection.
>

I could be wrong, but shouldn't those address/hostname translations be
in the (dhcp server) logs?
Furthermore it could be possible to do something like switching between
private IPs and public IPs. Since clients that come in with a private
IP usually are accompanied by a sensible hostname from the
DHCP/internal dns. Public IP addresses get their reverse name from the
provider and are quite often also NAT-ed, hence these names can't be
relied upon for proper identification of the source address. Unless you
can tell me who e.g. static.kpn.nl was (hint, it was my own connection
and the source wasn't 213.75.8.38).
Or we could add a (-s?-i?) switch to let the admin decide if he wants to
switch to IP-based source notation.
Just giving my two cents. As I said before, I'll be just as happy to
keep this file patched for myself.


Re: ftpd log address format

Ted Unangst
In reply to this post by Ted Unangst
On Sun, May 05, 2013 at 15:18, Stuart Henderson wrote:

> I don't feel too strongly about it but my preference would be to
> log both. There are circumstances (e.g. dhcp with dynamic dns updates)
> where it's useful to have the reverse at the time of connection.

Are you talking about internal or external networks? If it's your
network you should be able to figure it out, and if it's the internet,
I don't know of any ISPs that give you control over dynamic reverse
lookups.

I don't like logging both because there's a not unreasonable chance
the reverse name will be a complete lie, which will just mislead you.


Re: ftpd log address format

Peter Hessler
On 2013 May 07 (Tue) at 14:26:07 -0400 (-0400), Ted Unangst wrote:
:On Sun, May 05, 2013 at 15:18, Stuart Henderson wrote:
:
:> I don't feel too strongly about it but my preference would be to
:> log both. There are circumstances (e.g. dhcp with dynamic dns updates)
:> where it's useful to have the reverse at the time of connection.
:

I feel somewhat strongly that it should be IP addresses only.  Should
we log both in apache/nginx?


:Are you talking about internal or external networks? If it's your
:network you should be able to figure it out, and if it's the internet,
:I don't know of any ISPs that give you control over dynamic reverse
:lookups.
:
:I don't like logging both because there's a not unreasonable chance
:the reverse name will be a complete lie, which will just mislead you.
:

I recently saw an IP address whose reverse record was 'localhost.'

--
The number of arguments is unimportant unless some of them are
correct.
                -- Ralph Hartley


Re: ftpd log address format

Stuart Henderson
In reply to this post by Ted Unangst
On 2013/05/07 14:26, Ted Unangst wrote:
> On Sun, May 05, 2013 at 15:18, Stuart Henderson wrote:
>
> > I don't feel too strongly about it but my preference would be to
> > log both. There are circumstances (e.g. dhcp with dynamic dns updates)
> > where it's useful to have the reverse at the time of connection.
>
> Are you talking about internal or external networks? If it's your
> network you should be able to figure it out, and if it's the internet,

Either..

> I don't know of any ISPs that give you control over dynamic reverse
> lookups.

Funny - apart from mobile networks, I don't think I've ever used
an ISP that *doesn't* let me do that. (There are plenty I could use
which wouldn't let me do that too of course, but they also suck in
other ways).

> I don't like logging both because there's a not unreasonable chance
> the reverse name will be a complete lie, which will just mislead you.

Oh, it doesn't do a forward check of the name it got from reverse
lookup? Yes that's bad.


Re: ftpd log address format

Ted Unangst
In reply to this post by Ted Unangst
On Tue, May 07, 2013 at 20:54, Stuart Henderson wrote:

>> I don't like logging both because there's a not unreasonable chance
>> the reverse name will be a complete lie, which will just mislead you.
>
> Oh, it doesn't do a forward check of the name it got from reverse
> lookup? Yes that's bad.

Well, it kind of does. It does a reverse lookup to get a hostname.
Then it does a forward lookup for that hostname and logs that IP. doh.

Forward lookup? Yes. Forward *check*? No.


Re: ftpd log address format

Stuart Henderson
On 2013/05/07 16:09, Ted Unangst wrote:

> On Tue, May 07, 2013 at 20:54, Stuart Henderson wrote:
>
> >> I don't like logging both because there's a not unreasonable chance
> >> the reverse name will be a complete lie, which will just mislead you.
> >
> > Oh, it doesn't do a forward check of the name it got from reverse
> > lookup? Yes that's bad.
>
> Well, it kind of does. It does a reverse lookup to get a hostname.
> Then it does a forward lookup for that hostname and logs that IP. doh.
>
> Forward lookup? Yes. Forward *check*? No.

Wow.

*stab stab stab*


Re: ftpd log address format

Ted Unangst
In reply to this post by Ted Unangst
On Tue, May 07, 2013 at 21:15, Stuart Henderson wrote:

> On 2013/05/07 16:09, Ted Unangst wrote:
>> On Tue, May 07, 2013 at 20:54, Stuart Henderson wrote:
>>
>> >> I don't like logging both because there's a not unreasonable chance
>> >> the reverse name will be a complete lie, which will just mislead you.
>> >
>> > Oh, it doesn't do a forward check of the name it got from reverse
>> > lookup? Yes that's bad.
>>
>> Well, it kind of does. It does a reverse lookup to get a hostname.
>> Then it does a forward lookup for that hostname and logs that IP. doh.
>>
>> Forward lookup? Yes. Forward *check*? No.
>
> Wow.
>
> *stab stab stab*

oh, no, sorry, my mistake. I entirely misread the second getnameinfo
call (thought it was reading from hbuf...). It does something sensible
and does numeric lookup on the socket address.

Still doesn't check that the reversed hostname is sensible, which is
the issue here.
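The two behaviours argued over in this thread, as an added C example that is not code from ftpd.c or from any poster: `remote_numeric()` does what the patch does (getnameinfo(3) with NI_NUMERICHOST, which never consults DNS), and `fcrdns_check()` adds the forward confirmation Ted says ftpd lacks, accepting a PTR name only if it resolves forward to the address actually observed. The resolver is injected as two function pointers (`reverse_fn`, `forward_fn`) so the check runs offline against constructed PTR and A records (`fake_reverse`, `fake_forward`, built on TEST-NET-1 addresses); a real build would pass wrappers around getnameinfo(3) with NI_NAMEREQD and getaddrinfo(3). The socket length is passed explicitly instead of read from `sa->sa_len` so the code also builds on systems without that field. All function and variable names are my own, not ftpd's.

```c
/* Added example, not ftpd.c or the thread's patch: numeric peer address via
 * getnameinfo(3)+NI_NUMERICHOST, and a forward-confirmed reverse DNS check
 * whose resolver is injected so it runs offline on constructed records. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* declares getnameinfo(3) on strict builds */
#endif
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define HOSTBUF 256               /* hostname buffer, like ftpd's remotehost */
typedef int (*reverse_fn)(const struct sockaddr *, socklen_t, char *, size_t);
typedef int (*forward_fn)(const char *, char (*)[INET6_ADDRSTRLEN], int);

/* Numeric form only: no DNS lookup, so nothing to block on and nothing the
 * peer's PTR owner controls. Stores "unknown" and returns -1 on failure. */
int remote_numeric(const struct sockaddr *sa, socklen_t salen, char *buf, size_t buflen)
{
    if (getnameinfo(sa, salen, buf, buflen, NULL, 0, NI_NUMERICHOST) == 0)
        return 0;
    snprintf(buf, buflen, "unknown");
    return -1;
}

/* FCrDNS: 1 with name filled only if the PTR name resolves forward to the
 * observed address; otherwise 0 and name is emptied. */
int fcrdns_check(const struct sockaddr *sa, socklen_t salen,
                 reverse_fn rev, forward_fn fwd, char *name, size_t namelen)
{
    char numeric[INET6_ADDRSTRLEN], addrs[8][INET6_ADDRSTRLEN];
    int n, i;

    name[0] = '\0';
    if (remote_numeric(sa, salen, numeric, sizeof numeric) != 0 ||
        rev(sa, salen, name, namelen) != 0)
        return 0;
    n = fwd(name, addrs, 8);
    for (i = 0; i < n; i++)
        if (strcmp(addrs[i], numeric) == 0)
            return 1;
    name[0] = '\0';               /* unconfirmed PTR: never report it */
    return 0;
}

/* Log form: always the numeric address, the name only when confirmed.
 * Returns 1 if a confirmed name was appended. */
int format_remote(const struct sockaddr *sa, socklen_t salen,
                  reverse_fn rev, forward_fn fwd, char *out, size_t outlen)
{
    char numeric[INET6_ADDRSTRLEN], name[HOSTBUF];
    int ok;

    remote_numeric(sa, salen, numeric, sizeof numeric);
    ok = fcrdns_check(sa, salen, rev, fwd, name, sizeof name);
    if (ok)
        snprintf(out, outlen, "%s (%s)", numeric, name);
    else
        snprintf(out, outlen, "%s", numeric);
    return ok;
}

/* Constructed PTR records (hypothetical): 192.0.2.99's PTR claims "localhost". */
static int fake_reverse(const struct sockaddr *sa, socklen_t salen, char *name, size_t namelen)
{
    char numeric[INET6_ADDRSTRLEN];
    if (remote_numeric(sa, salen, numeric, sizeof numeric) != 0)
        return -1;
    if (strcmp(numeric, "192.0.2.10") == 0) { snprintf(name, namelen, "host.example.net"); return 0; }
    if (strcmp(numeric, "192.0.2.99") == 0) { snprintf(name, namelen, "localhost"); return 0; }
    return -1;                    /* no PTR record */
}

/* Constructed A records (hypothetical); real code would call getaddrinfo(3). */
static int fake_forward(const char *name, char (*addrs)[INET6_ADDRSTRLEN], int max)
{
    if (max < 1)
        return 0;
    if (strcmp(name, "host.example.net") == 0) { snprintf(addrs[0], INET6_ADDRSTRLEN, "192.0.2.10"); return 1; }
    if (strcmp(name, "localhost") == 0) { snprintf(addrs[0], INET6_ADDRSTRLEN, "127.0.0.1"); return 1; }
    return 0;                     /* NXDOMAIN */
}

/* IPv4 sockaddr from text, so no live socket is needed. */
int make_sockaddr(const char *ip, struct sockaddr_in *sin)
{
    memset(sin, 0, sizeof *sin);
    sin->sin_family = AF_INET;
#ifdef SIN6_LEN
    sin->sin_len = sizeof *sin;   /* BSD sockaddrs carry their own length */
#endif
    return inet_pton(AF_INET, ip, &sin->sin_addr) == 1 ? 0 : -1;
}

int main(void)
{
    struct sockaddr_in sin;
    char line[HOSTBUF + INET6_ADDRSTRLEN + 4];
    make_sockaddr("192.0.2.99", &sin);
    format_remote((struct sockaddr *)&sin, sizeof sin, fake_reverse, fake_forward, line, sizeof line);
    printf("%s\n", line);         /* the lying PTR is dropped: "192.0.2.99" */
    return 0;
}
```

`format_remote()` is the shape both sides of the argument can live with: the numeric address is always the first field, so filtering and firewall rules key on it, and the name is appended only when it confirms, so a PTR that claims "localhost" (Peter's case) is dropped rather than logged as if it were fact. A name that passes the check is still only as trustworthy as the DNS path that answered, which is why the address, not the name, remains the record of who connected.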


Re: ftpd log address format

Nick Holland
In reply to this post by Stuart Henderson
On 05/07/2013 04:15 PM, Stuart Henderson wrote:

> On 2013/05/07 16:09, Ted Unangst wrote:
>> On Tue, May 07, 2013 at 20:54, Stuart Henderson wrote:
>>
>>>> I don't like logging both because there's a not unreasonable chance
>>>> the reverse name will be a complete lie, which will just mislead you.
>>>
>>> Oh, it doesn't do a forward check of the name it got from reverse
>>> lookup? Yes that's bad.
>>
>> Well, it kind of does. It does a reverse lookup to get a hostname.
>> Then it does a forward lookup for that hostname and logs that IP. doh.
>>
>> Forward lookup? Yes. Forward *check*? No.
>
> Wow.
>
> *stab stab stab*
>

lesson: dns can lie.
maybe more accurate: reverse dns is sometimes correct.
There is no promise that forward and reverse DNS provide the same info.

Forward and reverse DNS are like the ski resort, where girls are looking
for husbands and husbands are looking for girls, but the situation is
not quite as symmetrical as you might think or hope.
(ok, that's an overly stretched analogy, but I've been wanting to use it
for a long time!)

log the IP, only the IP, nothing but the IP.
Anything you do with DNS from there is you fooling yourself, and
hopefully you understand what it means.

Nick.


Re: ftpd log address format

Bob Beck
In reply to this post by Ted Unangst
My two cents on this is that it should be possible (or the default) to
have it logging the IP address.

Having said that Ted, yes, DNS is not "reliable" in some sense - on
the other hand the reverse lookup *is* information that can be useful,
and in the case of dynamic DNS it may contain information that you do
not get after the fact. Saying that "if we put it in the log people
will rely on it when it's potentially unreliable" is crap. Anyone past
the age of puberty on the internet knows full well that reverse dns is
not necessarily reliable - OTOH sometimes it *is* useful information -
to be treated with a grain of salt.  We should not *prevent* it from
being collected because it is not useful in all situations.


Re: ftpd log address format

Todd T. Fries
In reply to this post by Ted Unangst
Penned by Ted Unangst on 20130504  0:57.40, we have:
| On Sat, May 04, 2013 at 07:26, Martijn van Duren wrote:
| > For a lot of cases this isn't a problem. But there are a couple of
| > instances where the domain name resolves to something a little too
| > generic to be useful to determine its origin and hence I'm not able to
| > decide if it's a legit connection or not, let alone being able to place
| > it in my firewall.
| > To fix this for myself I made this minor patch to retrieve the IP
| > address instead of the reverse lookup. This appears to be the same
| > behavior as sshd shows.
|
| I think this is wise. Reverse lookups are not really useful imo. If
| someone cares, they can always do them later.

I always set 'UseDNS no' in my sshd_config, same argument, and if dns is
borked for any reason, it avoids needless delay getting into an afflicted
system to unbork it.

Thanks,
--
Todd Fries .. [hidden email]

 ____________________________________________
|                                            \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC                \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com            \  1.866.792.3418 (FAX)
| PO Box 16169, Oklahoma City, OK 73113      \  sip:[hidden email]
| "..in support of free software solutions." \  sip:[hidden email]
 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
                                                 
              37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
                        http://todd.fries.net/pgp.txt