Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
On Wed, Apr 18, 2001 at 02:58:33PM -0700, Adam McKenna wrote:
> On Wed, Apr 18, 2001 at 11:22:18PM +0200, Nils Jeppe wrote:
> > On Wed, 18 Apr 2001, Adam McKenna wrote:
> >
> > > That's the point. This _DOES_NOT_ increase security. Anyone who believes it
> > > does is suffering from delusions. All it does is make life harder on
> > > sysadmins, who, if they don't know this is enabled, may spend hours chasing
> > > down this problem.
> >
> > And I say it does indeed increase security because there ARE people who
> > will use DNS lookup for access control, especially new/inexperienced
> > admins or those who want a quick and dirty solution. I have seen one
> > attempt where spoofed reverse lookup was used in an attempt to gain
> > access, and where one attempt exists, many more actually happen.
>
> It provides a *sliver* more security for those people who are relying on DNS
> (or more to the point, BIND), for security, which is insecure in the first
> place. We should be discouraging this behavior. I'd like to see the default
> be changed to the following --
>
> hosts.deny
>
> ALL:ALL
>
> hosts.allow
>
> ALL: 127.0.0.1
> ALL: (local network)
I see another guru missing contact with reality here.
Let's all compile the kernel by hand! rm -f /usr/src/linux/MAKEFILE
--
Pedro Larroy Tovar. PiotR | http://omega.resa.es/piotr/
piotr@omega.resa.es
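To make the two policies argued over in the quoted exchange concrete, here is a small Python model of the tcp_wrappers hosts.allow/hosts.deny decision (an added example, not code from the thread or from tcp_wrappers itself). It implements only a subset of the client patterns (ALL, PARANOID, net/mask, address prefix, domain suffix, exact match), and 192.168.1.0/255.255.255.0 is an assumed stand-in for the "(local network)" placeholder.

```python
from ipaddress import ip_address, ip_network

def parse_rules(text):
    """Parse 'daemon_list : client_list' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemons, clients = line.split(":", 1)
            rules.append(({d.strip() for d in daemons.split(",")},
                          [c.strip() for c in clients.split(",")]))
    return rules

def client_matches(pattern, addr, rname, fwd_addrs):
    """addr: client IP; rname: its PTR name (or None); fwd_addrs: what that
    name resolves forward to. PARANOID means name and address disagree."""
    consistent = rname is not None and addr in fwd_addrs
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return rname is not None and not consistent
    if "/" in pattern:                       # net/mask form
        net, mask = pattern.split("/")
        return ip_address(addr) in ip_network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):                # address prefix, e.g. 10.1.
        return addr.startswith(pattern)
    if pattern.startswith("."):              # domain suffix; name must verify
        return consistent and rname.endswith(pattern)
    return addr == pattern or (consistent and rname == pattern)

def hosts_access(allow, deny, daemon, addr, rname, fwd_addrs):
    """hosts.allow is consulted first, then hosts.deny; no match grants access."""
    for rules, verdict in ((allow, True), (deny, False)):
        for daemons, clients in rules:
            if daemons & {"ALL", daemon} and any(
                    client_matches(c, addr, rname, fwd_addrs) for c in clients):
                return verdict
    return True

# Constructed configurations: the PARANOID default versus the proposed default-deny.
PARANOID_ALLOW, PARANOID_DENY = parse_rules(""), parse_rules("ALL: PARANOID")
STRICT_ALLOW = parse_rules("ALL: 127.0.0.1\nALL: 192.168.1.0/255.255.255.0")  # assumed LAN
STRICT_DENY = parse_rules("ALL: ALL")

def outcomes(addr, rname, fwd_addrs):
    """Return (PARANOID-policy verdict, default-deny-policy verdict) for one client."""
    return (hosts_access(PARANOID_ALLOW, PARANOID_DENY, "sshd", addr, rname, fwd_addrs),
            hosts_access(STRICT_ALLOW, STRICT_DENY, "sshd", addr, rname, fwd_addrs))
```

A remote host whose PTR record verifies is never stopped by PARANOID, while the default-deny policy decides on the address alone, so what reverse DNS says is irrelevant to it.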