Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
>>>>> "Andrew" == Andrew Pimlott <email@example.com> writes:
Andrew> I think "compelling" is a little strong. The right
Andrew> information gets logged, but some programs misanalyze it.
Andrew> This is not much different from the (no doubt common) case
Andrew> where an IP address is logged to a log file, and the admin
Andrew> runs "nslookup 18.104.22.168" to trace it.
I think some people are assuming that utmp, wtmp *only* store the IP
address and last, which does a reverse DNS lookup to find who owns it.
Does NOT seem to be the case:
snoopy:~# strings /var/log/wtmp | grep snoopy.chocbit
snoopy:~# last | grep 09:26
bam pts/6 snoopy.chocbit.o Fri Apr 20 09:26 - 09:27 (00:01)
snoopy:~# last -i | grep 09:26
bam pts/6 192.168.87.134 Fri Apr 20 09:26 - 09:27 (00:01)
snoopy:~# host 192.168.87.134
So it seems to store both the IP address and the hostname.
What on earth is going on here?
snoopy:~# last | grep 18:21
bam :0 console Fri Apr 20 18:21 still logged in
snoopy:~# last -i | grep 18:21
bam :0 22.214.171.124 Fri Apr 20 18:21 still logged in
telnetd from heimdal-servers seems rather broken, too.
snoopy:~# last | grep 13:02
bmay ttyp0 126.96.36.199 Thu Apr 19 13:02 - 13:03 (00:00)
snoopy:~# last -i | grep 13:02
bmay ttyp0 0.0.0.0 Thu Apr 19 13:02 - 13:03 (00:00)
where it seems to be recording the IP address in the wrong spot.
Brian May <firstname.lastname@example.org>
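Added example, not from the post or from any of the tools it discusses: a small parser for wtmp records in the glibc x86_64 layout that shows ut_host (what plain `last` prints) beside ut_addr_v6 (what `last -i` prints) and flags records where a daemon stored the dotted-quad in ut_host and left ut_addr at 0.0.0.0, as observed above for telnetd. The struct layout, the USER_PROCESS value and the two sample records are assumptions and constructed test data; other libcs and architectures lay out the record differently.

```python
import socket
import struct
from dataclasses import dataclass

# Assumed layout of glibc's 'struct utmp' on x86_64 (384 bytes); others differ.
UTMP_FMT = "<h2xi32s4s32s256shhiii16s20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
USER_PROCESS = 7  # ut_type of an interactive login record

@dataclass
class Record:
    user: str
    line: str
    host: str  # ut_host: what plain `last` prints (cut to 16 columns without -w)
    addr: str  # ut_addr_v6: what `last -i` prints

def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("latin-1")

def _addr(raw16: bytes) -> str:
    # last(1) treats the field as IPv4 when the trailing 12 bytes are zero.
    if raw16[4:] == b"\0" * 12:
        return socket.inet_ntoa(raw16[:4])
    return socket.inet_ntop(socket.AF_INET6, raw16)

def _is_ipv4_literal(text: str) -> bool:
    try:
        socket.inet_aton(text)
        return text.count(".") == 3
    except OSError:
        return False

def parse_wtmp(data: bytes) -> list:
    """Decode every USER_PROCESS record, keeping both host fields side by side."""
    recs = []
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        if f[0] == USER_PROCESS:
            recs.append(Record(_cstr(f[4]), _cstr(f[2]), _cstr(f[5]), _addr(f[11])))
    return recs

def inconsistencies(recs: list) -> list:
    """Flag records whose ut_host is an IP literal that disagrees with ut_addr."""
    return [(r.user, r.line, f"ut_host={r.host} ut_addr={r.addr}")
            for r in recs if _is_ipv4_literal(r.host) and r.host != r.addr]

def make_record(user: str, line: str, host: str, addr: str, ts: int = 987751560) -> bytes:
    """Build one constructed wtmp record (test data, not from a real system)."""
    raw_addr = socket.inet_aton(addr) + b"\0" * 12
    return struct.pack(UTMP_FMT, USER_PROCESS, 1234, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, raw_addr, b"")

# Constructed sample: one sshd-style record, one telnetd-style record with the
# address in the wrong field. Run parse_wtmp(SAMPLE_WTMP) on it.
SAMPLE_WTMP = (make_record("bam", "pts/6", "snoopy.chocbit.org", "192.168.87.134")
               + make_record("bmay", "ttyp0", "192.0.2.10", "0.0.0.0"))
```

To inspect a real file, pass `open("/var/log/wtmp", "rb").read()` to `parse_wtmp` on a matching glibc x86_64 host.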