Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
>>>>> "Andrew" == Andrew Pimlott <andrew@pimlott.ne.mediaone.net> writes:
Andrew> I think "compelling" is a little strong. The right
Andrew> information gets logged, but some programs misanalyze it.
Andrew> This is not much different from the (no doubt common) case
Andrew> where an IP address is logged to a log file, and the admin
Andrew> runs "nslookup 1.2.3.4" to trace it.
I think some people are assuming that utmp/wtmp *only* store the IP
address and that last and who do a reverse DNS lookup to find who owns it.
This does NOT seem to be the case:
snoopy:~# strings /var/log/wtmp | grep snoopy.chocbit
snoopy.chocbit.org.au
snoopy:~# last | grep 09:26
bam pts/6 snoopy.chocbit.o Fri Apr 20 09:26 - 09:27 (00:01)
snoopy:~# last -i | grep 09:26
bam pts/6 192.168.87.134 Fri Apr 20 09:26 - 09:27 (00:01)
snoopy:~# host 192.168.87.134
Name: dewey.chocbit.org.au
Address: 192.168.87.134
So it seems to store both the IP address and the hostname.
What on earth is going on here?
snoopy:~# last | grep 18:21
bam :0 console Fri Apr 20 18:21 still logged in
snoopy:~# last -i | grep 18:21
bam :0 224.252.255.191 Fri Apr 20 18:21 still logged in
telnetd from heimdal-servers seems rather broken, too.
snoopy:~# last | grep 13:02
bmay ttyp0 202.12.87.129 Thu Apr 19 13:02 - 13:03 (00:00)
snoopy:~# last -i | grep 13:02
bmay ttyp0 0.0.0.0 Thu Apr 19 13:02 - 13:03 (00:00)
where it seems to be recording the IP address in the wrong spot.
--
Brian May <bam@debian.org>