Change Your Default syslog Options to Disable DNS Lookups

Disclaimer: Never mind. It turns out that this only disables lookups for remote syslog entries (those received from another syslog host). Still looking for a solution on this one. Feel free to read on if you wish.

So this weekend, someone (as happens quite frequently) attempted to gain access to my server via the FTP daemon. No big surprise there. What was interesting about it was that there was one attempt from an rhost named "oa". Not oa.1337hacker.com, or even an IP, just… oa. As expected, an nslookup of "oa" yielded nothing.

So I ended up turning off reverse lookups on syslog. I’d suggest you do the same. You can’t really trust reverse lookups. What’s to prevent someone who controls their own PTR record from pointing it at any bogus name, even google.com or yourdomain.com, and attempting the same thing? At that point you have no means of positively identifying the attacker by IP.
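The practical consequence of the point above is that a log line whose rhost field holds a name rather than an address tells you only what the peer's PTR record claimed, not who connected. As an added example (mine, not part of the original post), here is a small Python check that scans auth-style log lines, pulls out the rhost value, and flags every entry that is not a literal IP address; the sample lines are constructed in the style of pam_unix failures and are not real log data.

```python
import ipaddress
import re

# Constructed sample log lines (not real data), in the style of pam_unix
# authentication failures and an sshd login line.
SAMPLE_LOG = """\
Feb  3 02:14:07 host vsftpd(pam_unix)[4321]: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=oa  user=admin
Feb  3 02:14:09 host vsftpd(pam_unix)[4322]: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=203.0.113.45  user=admin
Feb  3 02:14:11 host vsftpd(pam_unix)[4323]: authentication failure; logname= uid=0 euid=0 tty=ftp ruser=root rhost=mail.yourdomain.com  user=root
Feb  3 02:14:12 host sshd[4400]: Accepted publickey for alice from 198.51.100.7 port 5222 ssh2
"""

RHOST_RE = re.compile(r"\brhost=(\S+)")


def is_ip(value: str) -> bool:
    """True if value parses as an IPv4 or IPv6 address literal."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def classify_rhost(value: str) -> str:
    """Classify an rhost value.

    'ip'         -> a literal address; this is what the kernel actually saw.
    'hostname'   -> a dotted name; it came from a reverse (PTR) lookup that the
                    remote party controls, so it is not evidence of identity.
    'bare-label' -> a single label with no dots (like "oa"); same caveat, and
                    usually a sign of a junk or deliberately odd PTR record.
    """
    if is_ip(value):
        return "ip"
    if "." in value:
        return "hostname"
    return "bare-label"


def flag_unresolved_rhosts(log_text: str) -> list[dict]:
    """Return one record per log line whose rhost is a name, not an address.

    Each record carries the raw rhost value, its classification, and the
    original line so an analyst can go back to the source.
    """
    flagged = []
    for line in log_text.splitlines():
        match = RHOST_RE.search(line)
        if not match:
            continue
        rhost = match.group(1)
        label = classify_rhost(rhost)
        if label != "ip":
            flagged.append({"rhost": rhost, "label": label, "line": line})
    return flagged


if __name__ == "__main__":
    for rec in flag_unresolved_rhosts(SAMPLE_LOG):
        print(f"{rec['label']:<10} rhost={rec['rhost']}")
```

Running it on the sample prints the "oa" and "mail.yourdomain.com" entries and leaves the numeric ones alone. In practice the fix is to log the address the daemon actually connected from and treat any name in that field as untrusted decoration.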

To turn off reverse lookups for syslog on FC6, just add -x to this line in /etc/sysconfig/syslog:

SYSLOGD_OPTIONS="-x … "

See here for my bug report on Red Hat’s Bugzilla: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=227357