Re: ALL: PARANOID from /etc/hosts.deny ...
On Thu, 19 Apr 2001, Igor Mozetic wrote:
>While /etc/hosts.deny is easy (I always use ALL: ALL), the real
>problem is /etc/hosts.allow. The issue is that there is an
>increasing number of services not run from inetd for which it
>is not clear 1) if they are wrapped, 2) what daemon name to use?
>Some examples:
>- netbios-ssn, netbios-ns service names, but one must use the
> binary names smbd, nmbd
UDP/IPX--SMB predates Windows' stealing of the BSD TCP stack...
>- rpc.mountd binary, but one must use mountd daemon name
>- rsync, apparently cannot be wrapped even when run from inetd
>- ntpd, apparently not wrapped and without own access control
> (but there was a recent remote exploit)
UDP
>- printer, apparently not wrapped but with own access control
UDP
>- sendmail, apparently wrapped, the only package I noticed
> to add itself to /etc/hosts.{deny,allow}
NNTP, hacked to TCP.
>Since tcp-wrappers are one important defense line it would be
^^^^
Looks like it IS centrally available
>very helpful to admins if this info is centrally available
>(which is probably undoable), or at least that individual packages
>are documented in README.Debian (like sendmail).
>
>-Igor Mozetic
>
>
>
--
Sacred cows make the best burgers
Who is John Galt? galt@inconnu.isu.edu, that's who!!!