On 05/05/13 16:18, Stuart Henderson wrote:
On 2013/05/05 10:06, Nick Holland wrote:
On 05/04/13 01:57, Ted Unangst wrote:
On Sat, May 04, 2013 at 07:26, Martijn van Duren wrote:
For a lot of cases this isn't a problem. But there are a couple of
instances where the domain name resolves to something a little too
generic to be useful to determine its origin, and hence I'm not able to
decide if it's a legit connection or not, let alone being able to place
it in my firewall.
To fix this for myself I made this minor patch to retrieve the IP
address instead of the reverse lookup. This appears to be the same
behavior as sshd shows.
I think this is wise. Reverse lookups are not really useful imo. If
someone cares, they can always do them later.
regarding the concept, not the patch...agreed.
I have OFTEN wished I had the raw IP address in a log, I've rarely (I
want to say "never") wished I had a reverse DNS lookup.
The hbuf buffer has more than enough room for the IP notation with 256
bytes, and it's the simplest alteration I could think of.
I'm relatively new to OBSD and C-programming. So what kind of patch
would you agree to and/or what is specifically wrong with this patch?
Nick.
I don't feel too strongly about it but my preference would be to
log both. There are circumstances (e.g. dhcp with dynamic dns updates)
where it's useful to have the reverse at the time of connection.
I could be wrong, but shouldn't those address/hostname translations be
in the (DHCP server) logs?
Furthermore, it could be possible to do something like switching between
private IPs and public IPs. Clients that come in with a private
IP are usually accompanied by a sensible hostname from the
DHCP/internal DNS. Public IP addresses get their reverse name from the
provider and are quite often also NAT-ed, hence these names can't be
relied upon for proper identification of the source address. Unless you
can tell me who e.g. static.kpn.nl was (hint: it was my own connection,
and the source wasn't 213.75.8.38).
Or we could add a (-s? -i?) switch to let the admin decide if he wants to
switch to IP-based source notation.
Just giving my two cents. As I said before, I'll be just as happy to
keep this file patched for myself.