
Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default



>>>>> "Daniel" == Daniel Stone <daniel@kabuki.openfridge.net> writes:

    Daniel> On Thu, Apr 19, 2001 at 11:49:30PM +1000, Hamish Moffatt
    Daniel> wrote:
    >> Don't you think standards are important? Properly configured
    >> DNS has both forward-lookup A records and reverse-lookup PTR
    >> records.  We shouldn't encourage anyone to compromise on that,
    >> because it is not difficult to configure.

    Daniel> Well, 203.36.158.121 doesn't reverse resolve to anything
    Daniel> because Telstra are absolutely bloody useless, and can't
    Daniel> delegate the chunk of 203.36.158.* through to us
    Daniel> ... *sigh*. No PTR is alright, because of valid reasons
    Daniel> like this, and the fact that you can do WHOISes on the
    Daniel> IPs. I say this because you can WHOIS an IP, but you can't
    Daniel> exactly WHOIS scriptkiddie.fuckyou.microsoft.com.

According to Craig, you shouldn't have any problems.

It is only if 203.36.158.121 reverse resolved into, say,
"snoopy.apana.org.au" that you would have problems.

So let's try something:

snoopy:~# host dewey
dewey.chocbit.org.au	A	192.168.87.134
snoopy:~# host 192.168.87.134
Name: snoopy.chocbit.org.au
Address: 192.168.87.134

snoopy:~# host snoopy
snoopy.chocbit.org.au	A	192.168.87.129
snoopy:~# host 192.168.87.129
Name: snoopy.chocbit.org.au
Address: 192.168.87.129

So the reverse entry points to snoopy, which is wrong.

With PARANOID:

Apr 20 09:20:01 snoopy telnetd[31937]: warning: /etc/hosts.allow, line 9: host name/address mismatch: 192.168.87.134 != snoopy.chocbit.org.au
Apr 20 09:20:01 snoopy telnetd[31937]: refused connect from 192.168.87.134

Without PARANOID:

Apr 20 09:21:13 snoopy telnetd[31957]: connect from 192.168.87.134

No host name was logged. Strange.

With the correct address:

Apr 20 09:22:35 snoopy telnetd[31969]: connect from 192.168.87.134
Apr 20 09:22:43 snoopy telnetd[31972]: connect from 192.168.87.134

However, some things are wrong:

[501] [snoopy:bam] ~ >who  
[...]
bam      pts/6    Apr 20 09:26 (snoopy.chocbit.org.au)

[502] [snoopy:bam] ~ >last
bam      pts/6        snoopy.chocbit.o Fri Apr 20 09:26   still logged in   
[...]

(I can't test this with telnet, as the heimdal-clients telnet uses the
IP address for everything).

However, PARANOID does not protect everything, e.g. apache logs the
wrong address:

snoopy.chocbit.org.au - - [20/Apr/2001:09:27:39 +1000] "GET / HTTP/1.0" 200 667
snoopy.chocbit.org.au - - [20/Apr/2001:09:28:37 +1000] "GET / HTTP/1.0" 200 667
snoopy.chocbit.org.au - - [20/Apr/2001:09:28:39 +1000] "GET / HTTP/1.0" 200 667
snoopy.chocbit.org.au - - [20/Apr/2001:09:28:40 +1000] "GET / HTTP/1.0" 200 667
-- 
Brian May <bam@debian.org>
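The forward/reverse consistency check the thread is arguing about, written out as an added example; this is not code from the original post nor from tcp_wrappers itself. It assumes an injectable resolver: the `table_*` functions are constructed to reproduce the `host` output quoted above (the PTR for 192.168.87.134 names snoopy, whose A record is really .129), while the `system_*` functions use the live resolver. `paranoid_check`, `decide` and `mismatch_warning` are hypothetical names chosen here, and the rule file and line number in the warning are constructed placeholders.

```python
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed lookup tables mirroring the host output quoted in the post:
# the PTR for 192.168.87.134 claims "snoopy", but snoopy's A record is .129.
FORWARD: Dict[str, List[str]] = {
    "dewey.chocbit.org.au": ["192.168.87.134"],
    "snoopy.chocbit.org.au": ["192.168.87.129"],
}
REVERSE: Dict[str, str] = {
    "192.168.87.134": "snoopy.chocbit.org.au",  # wrong PTR, as in the post
    "192.168.87.129": "snoopy.chocbit.org.au",
}
# 203.36.158.121 from the thread has no PTR at all, so it is absent from REVERSE.

ReverseFn = Callable[[str], Optional[str]]
ForwardFn = Callable[[str], List[str]]


def table_reverse(ip: str) -> Optional[str]:
    """Offline PTR lookup against the constructed table."""
    return REVERSE.get(ip)


def table_forward(name: str) -> List[str]:
    """Offline A lookup against the constructed table."""
    return FORWARD.get(name, [])


def system_reverse(ip: str) -> Optional[str]:
    """Live PTR lookup via the system resolver; None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def system_forward(name: str) -> List[str]:
    """Live A lookup via the system resolver; empty list if the name does not resolve."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)]
    except (socket.gaierror, OSError):
        return []


def paranoid_check(ip: str, reverse: ReverseFn = system_reverse,
                   forward: ForwardFn = system_forward) -> Tuple[str, Optional[str]]:
    """Classify a client address the way the PARANOID wildcard does.

    Returns one of:
      ("unknown",  None)  - no PTR record: the name is unknown, not a mismatch
      ("ok",       name)  - the PTR name forward-resolves back to the same address
      ("paranoid", name)  - the PTR name exists but does NOT resolve back to it
    """
    name = reverse(ip)
    if name is None:
        return "unknown", None
    if ip in forward(name):
        return "ok", name
    return "paranoid", name


def mismatch_warning(rule_file: str, line_no: int, ip: str, name: str) -> str:
    """Build warning text in the same shape as the syslog line quoted in the post."""
    return (f"warning: {rule_file}, line {line_no}: "
            f"host name/address mismatch: {ip} != {name}")


def decide(ip: str, deny_paranoid: bool = True, reverse: ReverseFn = system_reverse,
           forward: ForwardFn = system_forward) -> Tuple[bool, List[str]]:
    """Return (allowed, log_lines) for an "ALL: PARANOID" style policy.

    Only a confirmed mismatch is refused; an address with no PTR is let through,
    which is the point made in the post about 203.36.158.121.
    """
    verdict, name = paranoid_check(ip, reverse, forward)
    logs: List[str] = []
    if verdict == "paranoid":
        # Placeholder rule location; a real tcp_wrappers names the table it was reading.
        logs.append(mismatch_warning("/etc/hosts.deny", 1, ip, name or ""))
        if deny_paranoid:
            logs.append(f"refused connect from {ip}")
            return False, logs
    logs.append(f"connect from {ip}")
    return True, logs


if __name__ == "__main__":
    for addr in ("192.168.87.134", "192.168.87.129", "203.36.158.121"):
        allowed, lines = decide(addr, reverse=table_reverse, forward=table_forward)
        print(addr, "ALLOW" if allowed else "DENY", lines)
```

Run against the constructed tables, 192.168.87.134 is the only address refused: its PTR names snoopy, but snoopy's A record does not contain .134. The address with no PTR is allowed, matching the point in the reply that a missing reverse record is not what PARANOID catches. Note that the three-way split matters for policy: a `hosts.deny` rule on `UNKNOWN` would block the no-PTR case, which is a much broader (and, per the thread, often unjustified) restriction than `PARANOID`.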