Incorrect identification of source IP


Incorrect identification of source IP

Postby aldem » Mon Mar 15, 2004 5:10 am

There is a slight problem with source IP identification when using terminal multiplexors like screen.

Say, I login from IP 1.2.3.4, start screen, start some processes, then detach, then... login from another IP (4.3.2.1), attach, and try to do something nasty (which would trigger a log or so)... and... The old (original) IP will be logged - "grsec: From 1.2.3.4:..."...

This is not a mystery - and I doubt that something can be done about this (unless all apps which may exec() will be patched) - but anyway, the problem exists... So, mainly, this post is merely to inform about possible "misinformation" in log messages :)
aldem
 
Posts: 7
Joined: Tue May 27, 2003 11:12 am
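A defender-side check for the stale-origin effect described in this post, added here as an example and not code from the thread or from grsecurity: it walks a log, tracks which source IPs currently have an open SSH session, and flags grsec events whose "From IP" has no live session at that moment (the signature of a process that outlived its original login, such as one running under a detached screen). The sshd line shapes and the sample log are constructed assumptions; only the "grsec: From 1.2.3.4:" form comes from the post.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample log (not from the thread). The sshd lines are an
# assumed, simplified shape; the grsec lines follow the "grsec: From IP:"
# form quoted in the post above.
SAMPLE_LOG = """\
sshd[101]: Accepted publickey for alice from 1.2.3.4 port 40000 ssh2
sshd[101]: Disconnected from 1.2.3.4 port 40000
sshd[102]: Accepted publickey for alice from 4.3.2.1 port 40001 ssh2
grsec: From 1.2.3.4: denied exec of /tmp/x by /bin/bash[bash:555]
grsec: From 4.3.2.1: denied exec of /tmp/y by /bin/bash[bash:556]
"""

LOGIN = re.compile(r"sshd\[\d+\]: Accepted \S+ for \S+ from (\S+) port")
LOGOUT = re.compile(r"sshd\[\d+\]: Disconnected from (\S+) port")
GRSEC = re.compile(r"grsec: From (\S+): (.*)")


def stale_origins(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (ip, message) for grsec events whose recorded origin IP has
    no open SSH session at that point in the log. Such an IP is most likely
    the value inherited at login by a process that outlived the session
    (detached screen, nohup), so the real current operator may differ."""
    open_sessions = {}  # ip -> number of live sessions from that ip
    stale = []
    for line in lines:
        if m := LOGIN.search(line):
            open_sessions[m[1]] = open_sessions.get(m[1], 0) + 1
        elif m := LOGOUT.search(line):
            if open_sessions.get(m[1], 0) > 0:
                open_sessions[m[1]] -= 1
        elif m := GRSEC.search(line):
            if open_sessions.get(m[1], 0) == 0:
                stale.append((m[1], m[2]))
    return stale


if __name__ == "__main__":
    # The first grsec event is reported from 1.2.3.4 after that session
    # ended, so it is flagged; the second matches the live 4.3.2.1 session.
    for ip, msg in stale_origins(SAMPLE_LOG.splitlines()):
        print(f"stale origin {ip}: {msg}")
```

Correlating on the session and user in addition to the IP would tighten the check further; this version only shows the core idea.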

Incorrect identification of source IP

Postby szpak » Fri May 28, 2004 9:03 am

I saw that topic even months ago without any reply... only about 200 views of it. I didn't check it, because of no time but I've got a little idea.

Say, I login from IP 1.2.3.4, start screen, start some processes, then detach, then... login from another IP (4.3.2.1), attach, and try to do something nasty (which would trigger a log or so)... and... The old (original) IP will be logged - "grsec: From 1.2.3.4:..."...


Let's say that is true... I think it is.
So if a process IP can be changed at runtime when the owning connection changes. Let's log connection changes to syslog and change the process IP on the fly. Then we have full process history.

Another question is whether it can be used to attack syslog, or to abuse logs with tons of: GRSEC Ip of process X was changed from A to B?
szpak
 
Posts: 10
Joined: Wed Mar 26, 2003 7:08 am

IP addresses

Postby Loggy » Fri May 28, 2004 2:31 pm

Further than this, if you access the machine via a gateway you only get the gateway IP address anyway. The grsec logs show this.

This means the IP restrictions are rather weak since in most cases the connection will at least be via an external firewall which acts as a router. So in this circumstance, how do you know whether you are re-connecting from a different external IP number?

Is there a way round this? It's a Unix thing rather than grsec.
Loggy
 
Posts: 14
Joined: Tue Nov 18, 2003 5:28 am

