[lacnog] Registro de puertos de origen en servidores web / Source Port Logging on Web Servers

Fernando Frediani fhfrediani at gmail.com
Sat Mar 23 20:28:36 -03 2019

Hi Fernando

Both of course.
This tutorial is intended only for web servers (there are other 
applications that apply as well, email servers for example).

For CGNAT in the Access Provider it depends very much on the way it is 
configured. It may be a deterministic CGNAT and by range of ports, Bulk 
Port Allocation, 464XLAT, etc, and they all generate different kinds of 
log formats that allow people to link information from both sides to 
identify whoever is necessary based on the source port.

That's actually something important to highlight: I have seen cases in 
court where non-technical people had endless discussions about whether both 
sides must log the source port or only one of them. It is of course easier 
for those of us who are technical to know that without both sides logging it is 
simply impossible to make this identification, so passing it through is 
indeed a good practice I believe.


On 23/03/2019 19:39, Fernando Gont wrote:
> On 23/3/19 13:17, Carlos M. Martinez wrote:
>> Hi,
>> On 23 Mar 2019, at 17:14, Fernando Frediani wrote:
>>> I mean social responsibility in the sense of if a crime has been
>>> committed (even if it doesn't affect you) but if you have information
>>> that can help to solve that situation you are contributing to
>>> something that is in the interest of all.
>>> That's probably the main reason some laws enforce, not forgetting the
>>> concerns of people's privacy.
>> This is key. We share common responsibilities that arise from operating
>> a huge, highly distributed system which largely depends on the goodwill
>> of those working on it.
> Maybe that's the key of the problem? :-) If the security of the system
> depends on the goodwill of all the involved parties, we have a problem.
> -- Yes, it currently does. And yes, it's kind of a miracle that it's
> "usable". :-)
>> Please log source ports. Por favor, logueen los puertos de origen.
> So... the plea is to log source ports at... web servers? CGNATs? Both?
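
The correlation discussed in this message, as an added example that is not part of the original thread: a web server log entry is matched against a CGNAT bulk-port-allocation log, with and without the source port. The log layouts, addresses and names below are constructed assumptions, not any vendor's format.

```python
import re
from datetime import datetime

# Constructed CGNAT bulk-port-allocation log (field layout is an assumption):
# public IP, first port, last port, lease start, lease end, subscriber address
CGNAT_LOG = [
    ("203.0.113.10", 1024, 2047, "2019-03-23T20:00:00+00:00", "2019-03-23T21:00:00+00:00", "100.64.0.11"),
    ("203.0.113.10", 2048, 3071, "2019-03-23T20:00:00+00:00", "2019-03-23T21:00:00+00:00", "100.64.0.12"),
    ("203.0.113.10", 1024, 2047, "2019-03-23T21:00:00+00:00", "2019-03-23T22:00:00+00:00", "100.64.0.37"),
]

# Constructed web server log lines: client IP, source port ("-" if not logged), timestamp.
WEB_WITH_PORT = '203.0.113.10 1500 [2019-03-23T20:28:36+00:00] "GET /login HTTP/1.1" 200'
WEB_NO_PORT = '203.0.113.10 - [2019-03-23T20:28:36+00:00] "GET /login HTTP/1.1" 200'

LINE_RE = re.compile(r'^(\S+) (\d+|-) \[([^\]]+)\]')

def parse_web_line(line):
    """Return (client_ip, source_port or None, timestamp) from a web log line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line")
    ip, port, ts = m.groups()
    return ip, (None if port == "-" else int(port)), datetime.fromisoformat(ts)

def candidate_subscribers(line):
    """Subscribers whose CGNAT allocation is consistent with the web log entry."""
    ip, port, when = parse_web_line(line)
    hits = set()
    for pub, lo, hi, start, end, subscriber in CGNAT_LOG:
        if pub != ip:
            continue
        # The port block is reassigned over time, so the timestamp must match too.
        if not datetime.fromisoformat(start) <= when < datetime.fromisoformat(end):
            continue
        # Without a logged source port, every port block on the shared IP matches.
        if port is not None and not lo <= port <= hi:
            continue
        hits.add(subscriber)
    return sorted(hits)

if __name__ == "__main__":
    print("with port:   ", candidate_subscribers(WEB_WITH_PORT))
    print("without port:", candidate_subscribers(WEB_NO_PORT))
```

With the source port the lookup narrows to one subscriber; without it, every subscriber sharing the public address in that time window remains a candidate.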
