On Sun, Dec 16, 2012 at 12:08:28PM -0500, Bill Mills-Curran wrote:
> I was looking at the output of "last" recently and found several entries like this on my home server:
>
> userxx pts/0 c-24-91-141-172. Sun Dec 2 14:57 - 15:09 (00:11)
>
> (userxx represents my username)
>
> I did a reverse lookup on 172.141.92.24:
Besides the fact that the IP you are looking up doesn't match the hostname c-24-91-141-172 in forward or reverse order (you are off by one), you can't be sure of the format of the logged hostname. You are assuming you need to reverse the components of the hostname to come up with an IP address of 172.141.91.24, but how do you know it isn't really 24.91.141.172? How can you be sure there is any relation at all between the FQDN format and any IP address at all?

Also, you are looking at truncated hostnames from "last". You should always check the actual IP that was logged in wtmp with "last -i", and put the hostname or IP at the end of the output lines so it doesn't get truncated with "last -a" (i.e. "last -i -a"), and then do a whois lookup on that IP.

Reverse DNS can't be trusted, since the owner of the IP address can often set their reverse DNS to absolutely anything they want; it should never be relied upon solely for audit logging.
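The procedure in the reply above (read the numeric source IP from "last -i -a", treat any IP embedded in a hostname label as a hint only, and confirm reverse DNS by resolving the PTR name forward again) as an added example script. This is not code from the original thread. The "last -i -a" sample output, the names under example.net/example.org, the addresses 10.0.0.5, 198.51.100.7 and 2001:db8::10, and the stub DNS answers are all constructed for illustration; for real use the socket-based resolvers are the defaults and the whois step is still done by hand on the printed IP.

```python
"""Audit remote logins from `last -i -a` output and sanity-check their source IPs.

Added example; not from the original thread. The sample output and the stub
DNS data below are constructed for illustration.
"""
import ipaddress
import re
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional, Set

# Constructed sample of `last -i -a` output. With -i the source column holds the
# numeric IP written to wtmp (0.0.0.0 for local logins and reboots); with -a that
# column moves to the end of the line, so it is never truncated.
SAMPLE_LAST_IA = """\
userxx   pts/0        Sun Dec  2 14:57 - 15:09  (00:11)     24.91.141.172
userxx   pts/1        Sun Dec  2 16:10 - 16:12  (00:02)     0.0.0.0
reboot   system boot  Sun Dec  2 09:00 - 17:30  (08:30)     0.0.0.0
userxx   pts/2        Mon Dec  3 08:15   still logged in    10.0.0.5
root     pts/3        Mon Dec  3 09:01 - 09:02  (00:01)     2001:db8::10

wtmp begins Sat Dec  1 00:00:01 2012
"""


@dataclass
class Login:
    user: str
    tty: str
    when: str
    ip: str


def parse_last(text: str) -> List[Login]:
    """Parse `last -i -a` lines; the final whitespace-separated field is the IP."""
    logins = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] == "wtmp":
            continue
        try:
            ipaddress.ip_address(fields[-1])
        except ValueError:
            continue  # not a `last -i` line (a hostname is still present, or trailer text)
        tty, idx = fields[1], 2
        if tty == "system" and fields[2] == "boot":  # "system boot" spans two fields
            tty, idx = "system boot", 3
        logins.append(Login(fields[0], tty, " ".join(fields[idx:-1]), fields[-1]))
    return logins


def remote_logins(text: str) -> List[Login]:
    """Only sessions with a real (non-0.0.0.0) source address deserve a whois lookup."""
    return [l for l in parse_last(text) if not ipaddress.ip_address(l.ip).is_unspecified]


_OCTETS = re.compile(r"\b(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\b")


def ips_hinted_by_hostname(host: str) -> Set[str]:
    """Both readings (as-is and reversed) of a 'c-24-91-141-172' style label.

    The label is an ISP naming convention, not a fact: either reading, or neither,
    may be the real address, so the result is only a hint to compare against the
    IP actually logged in wtmp.
    """
    hints: Set[str] = set()
    for m in _OCTETS.finditer(host):
        octets = m.groups()
        for order in (octets, octets[::-1]):
            try:
                hints.add(str(ipaddress.ip_address(".".join(order))))
            except ValueError:
                pass  # a component above 255 is not an octet
    return hints


Resolver = Callable[[str], List[str]]  # name or IP -> answers (empty list = no record)


def socket_ptr(ip: str) -> List[str]:
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except OSError:
        return []


def socket_forward(name: str) -> List[str]:
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except OSError:
        return []


def fcrdns(ip: str, ptr: Resolver = socket_ptr, forward: Resolver = socket_forward) -> str:
    """Forward-confirmed reverse DNS: the IP owner controls the PTR record, so a PTR
    alone proves nothing; only a PTR name that resolves back to the same IP carries
    weight. Returns 'no-ptr', 'unconfirmed' or 'confirmed'."""
    names = ptr(ip)
    if not names:
        return "no-ptr"
    target = ipaddress.ip_address(ip)
    for name in names:
        if any(ipaddress.ip_address(a) == target for a in forward(name)):
            return "confirmed"
    return "unconfirmed"


def audit(text: str, ptr: Resolver = socket_ptr, forward: Resolver = socket_forward) -> List[dict]:
    """One row per remote login: logged IP (the value to whois), rDNS status, hostname hint."""
    rows = []
    for login in remote_logins(text):
        names = ptr(login.ip)
        hint: Optional[bool] = login.ip in ips_hinted_by_hostname(names[0]) if names else None
        rows.append({"user": login.user, "when": login.when, "ip": login.ip,
                     "ptr": names[0] if names else None,
                     "rdns": fcrdns(login.ip, ptr, forward),
                     "hostname_hint_matches": hint})
    return rows


# Constructed stub DNS so the example runs offline (hypothetical names and addresses).
# mail.example.org is a PTR the IP owner set to a name that does not point back.
STUB_PTR = {"24.91.141.172": ["c-24-91-141-172.example.net"], "10.0.0.5": ["mail.example.org"]}
STUB_FWD = {"c-24-91-141-172.example.net": ["24.91.141.172"], "mail.example.org": ["198.51.100.7"]}


def audit_with_stub() -> List[dict]:
    return audit(SAMPLE_LAST_IA, lambda ip: STUB_PTR.get(ip, []), lambda n: STUB_FWD.get(n, []))


if __name__ == "__main__":
    for row in audit_with_stub():
        print(row)
```

On a live system replace `SAMPLE_LAST_IA` with the output of `last -i -a` and drop the stub resolvers; the `ip` column of each row is what to feed to whois, and a row marked `unconfirmed` or `no-ptr` is one whose PTR name should carry no weight in the audit.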