Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
On Wed, Apr 18, 2001 at 01:55:51PM -0700, Adam McKenna wrote:
> On Wed, Apr 18, 2001 at 09:35:06PM +0200, Nils Jeppe wrote:
> > On Wed, 18 Apr 2001, Adam McKenna wrote:
> > > Oh, come on now. Anyone who's serious about security is not using name-based
> > > access lists. For that matter, anyone who's serious about security is not
> > > relying on TCP wrappers for it, because it's been shown over and over again
> > > that TCP wrappers "security" can be easily defeated. See Dan Bernstein's
> > > posts to Bugtraq regarding this issue.
> > I KNOW. But not everybody who runs Debian is serious enough about
> > security. Why soften the defaults?
> That's the point. This _DOES_NOT_ increase security. Anyone who believes it
> does is suffering from delusions. All it does is make life harder on
> sysadmins, who, if they don't know this is enabled, may spend hours chasing
> down this problem.
I agree with Adam McKenna. I haven't found anything relating to this in the Debian policy, and a search for "debian+policy+acces+network" returns nothing on www.debian.org.
I think I have read somewhere (in /etc/ircd/ircd.conf maybe) that the Debian default is "world wide access". IMHO /etc/hosts.deny is not doing this by far.
Unfortunately most European ISPs are not willing to give away inverse DNS records for their customers. This is the case for DSL clients of Telefonica in Spain, and I guess there are many others who have paid for a direct DNS entry and do not own a class C public network. So they cannot set up their own inverse records, because you must own the network to set up its inverse DNS.
Besides, there's no clear security improvement with this; so, in order not to give additional stupid headaches to netadmins, and to prevent people who have a public IP and a domain but don't own the whole network from having stupid access problems.
Pedro Larroy Tovar. PiotR | http://omega.resa.es/piotr/
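For readers following the argument above about what "ALL: PARANOID" actually matches, here is an added example that is not part of the original thread and not tcp_wrappers code. It is a small Python model of how libwrap classifies a connecting client and then evaluates hosts.allow / hosts.deny. The classification rule (no PTR record gives the name "unknown"; a PTR whose forward lookup fails or does not contain the connecting address gives "paranoid") is my reading of libwrap's sock_hostname() and is stated here as an assumption; the pattern support is a subset of hosts_access(5); all DNS data and addresses are constructed for the example.

```python
"""Model of tcp_wrappers client classification and hosts.allow/hosts.deny
evaluation.  Illustration code written for this thread, not libwrap itself.
Assumption: libwrap names a client with no PTR "unknown" and a client whose
PTR name does not resolve back to the connecting address "paranoid"."""

from typing import Dict, List, Tuple

# Constructed sample DNS data for offline use (documentation addresses only).
PTR_RECORDS: Dict[str, str] = {
    "203.0.113.10": "good.example.net",      # PTR and A agree
    "203.0.113.20": "spoof.example.net",     # PTR names a host whose A is elsewhere
    "203.0.113.30": "dangling.example.net",  # PTR name has no A record at all
    # 203.0.113.40 deliberately has no PTR: the "ISP will not delegate reverse
    # DNS" case discussed in the thread.
}
A_RECORDS: Dict[str, List[str]] = {
    "good.example.net": ["203.0.113.10"],
    "spoof.example.net": ["198.51.100.5"],
}


def classify_client(addr: str,
                    ptr: Dict[str, str] = PTR_RECORDS,
                    a: Dict[str, List[str]] = A_RECORDS) -> str:
    """Return the name the wrapper would attach to the connection."""
    name = ptr.get(addr)
    if name is None:
        return "unknown"                     # reverse lookup failed
    forward = a.get(name)
    if forward is None or addr not in forward:
        return "paranoid"                    # name/address mismatch
    return name


def host_matches(pattern: str, addr: str, name: str) -> bool:
    """Subset of the client patterns described in hosts_access(5)."""
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return name == "paranoid"
    if pattern == "KNOWN":
        return name not in ("unknown", "paranoid")
    if pattern == "UNKNOWN":
        return name in ("unknown", "paranoid")
    if pattern.endswith("."):                # address prefix, e.g. "203.0.113."
        return addr.startswith(pattern)
    if pattern.startswith("."):              # domain suffix, e.g. ".example.net"
        return name.endswith(pattern)
    return pattern in (addr, name)           # literal address or host name


Rule = Tuple[List[str], List[str]]


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list' lines; '#' comments and blanks ignored."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules


def access_decision(daemon: str, addr: str, allow: str, deny: str) -> bool:
    """hosts_access order: first match in hosts.allow grants, then first match
    in hosts.deny refuses, otherwise the connection is granted."""
    name = classify_client(addr)
    for rules, verdict in ((parse_rules(allow), True), (parse_rules(deny), False)):
        for daemons, clients in rules:
            if ("ALL" in daemons or daemon in daemons) and \
               any(host_matches(c, addr, name) for c in clients):
                return verdict
    return True


# The Debian default under discussion, and an address-based alternative
# (constructed for the example).
HOSTS_DENY_PARANOID = "ALL: PARANOID\n"
HOSTS_ALLOW_ADDR = "sshd: 203.0.113.\n"
HOSTS_DENY_ALL = "ALL: ALL\n"                # refuse anything not in hosts.allow

if __name__ == "__main__":
    for addr in ("203.0.113.10", "203.0.113.20", "203.0.113.30", "203.0.113.40"):
        print(addr, classify_client(addr),
              "paranoid-deny:", access_decision("sshd", addr, "", HOSTS_DENY_PARANOID),
              "addr-list:", access_decision("sshd", addr, HOSTS_ALLOW_ADDR, HOSTS_DENY_ALL))
```

Running the model shows the two points the thread turns on: the client with a forged or stale PTR (203.0.113.20, 203.0.113.30) is what "ALL: PARANOID" refuses, while the client with no reverse record at all (203.0.113.40) is "unknown" rather than "paranoid" under this model and would need "ALL: UNKNOWN" to be refused; and an address-prefix rule in hosts.allow with "ALL: ALL" in hosts.deny makes the decision without consulting the client's name at all.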