# Vulnerabilities of the log analysis tools - thesis and facts?



## francis (Jan 24, 2012)

Greetings to all!

Since security/denyhosts and security/py-fail2ban are available in the FreeBSD Port Collection or as packages and are used by many peoples to help thwart ssh or ftp server attacks [1], I would like to share informations about potential problems and three 0-day denial-of-service attacks caused by remote log injection described on the _Attacking Log Analysis tools_ article by Daniel B. Cid. I think that this article can be treated as a curiosity or a very interesting discovery, but for all those who use one of these applications (including me), this article may prove to be fascinating source of information.

Attacking Log Analysis tools is a very interesting and factual written article. Contains an interesting point of view about system security and system log files, which - after all - are integral parts of daily administration. As author wrote; "_The goal of this document is to show some of the most common problems with log injections_". He suggests, that if you ever write a custom script to parse your logs, you should be aware of these issues mentioned in the article. In my opinion we can not forget, that every apps, script or whatever were created by human.  Of course when not done properly, it causing more harm than good, but... To sum up: read and rethink this subject.

[1] By the way; an interesting example of blocking unauthorised login attempts using ipf, tail(1) utility and sed(1) editor; ssh/ipf blocking


----------



## anomie (Jan 25, 2012)

Of course, nothing new in the problem of command / bad data injection. But still a good article that covers specific applications (that sysadmins may not be thinking about as vulnerable).


----------

