
Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default

On Wed, Apr 18, 2001 at 05:49:36PM +0200, Nils Jeppe wrote:
> On Wed, 18 Apr 2001, Alan Shutko wrote:
> > What security does this give you, seriously?  I can't see that it
> > gives you any security at all, but it does block clients from (say)
> > people on company networks that don't do reverse DNS for internal
> > machines.
> They should hire a less crappy network admin, then, and set up reverse
> DNS. (Or use a better ISP.)
> > It only gives you security if you're blocking services based on
> > hostname, since otherwise someone not authoritative for your domain
> > could set up reverse DNS matching that host name.  But if you aren't
> > doing that (and you shouldn't), it gives you nothing.
> It ensures that machines are who they claim they are, which is already
> something. Plus, how many people set up their machines to include IP based
> access lists? So the paranoia thingie is better than nothing, and combined
> with name based access lists, it's a necessity.

Oh, come on now.  Anyone who's serious about security is not using name-based
access lists.  For that matter, anyone who's serious about security is not
relying on TCP wrappers for it, because it's been shown over and over again
that TCP wrappers "security" can be easily defeated.  See Dan Bernstein's
posts to Bugtraq regarding this issue.
Adam McKenna  <adam@debian.org>  <adam@flounder.net>
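As an added illustration, not code from this thread or from the tcp_wrappers project, the following Python simulation shows what the PARANOID wildcard in hosts.deny actually tests: the name returned by the client's reverse (PTR) lookup must resolve forward to the same address, otherwise the client is classified PARANOID and host-name patterns cannot match it. The DNS tables, the addresses and the hosts.allow/hosts.deny rule lists are constructed for the example; the rule matcher covers only a subset of hosts_access(5) patterns and ignores daemon lists.

```python
"""Simulation of tcp_wrappers' PARANOID classification and access order.

Everything below is constructed sample data: no real DNS lookups happen.
"""

# Constructed PTR records: client address -> name advertised by whoever
# controls the reverse zone for that address.
PTR = {
    "192.0.2.10": "host10.example.net",    # reverse and forward agree
    "192.0.2.20": "trusted.corp.example",  # reverse claims a name whose A record points elsewhere
    "192.0.2.30": None,                    # no reverse DNS at all
}

# Constructed A records: name -> addresses that name really resolves to.
A = {
    "host10.example.net": ["192.0.2.10"],
    "trusted.corp.example": ["198.51.100.5"],
}


def reverse_lookup(addr):
    return PTR.get(addr)


def forward_lookup(name):
    return A.get(name, [])


def classify_client(addr, verify_forward=True):
    """Return the client name tcpd would use for pattern matching.

    hosts_access(5): a host with no resolvable name is UNKNOWN; a host whose
    reverse name does not resolve back to its address is PARANOID.
    verify_forward=False models skipping the forward check, which is what a
    name-based ACL without it effectively trusts.
    """
    name = reverse_lookup(addr)
    if name is None:
        return "UNKNOWN"
    if verify_forward and addr not in forward_lookup(name):
        return "PARANOID"
    return name


def pattern_matches(pattern, addr, name):
    """Match one client pattern: ALL, PARANOID, UNKNOWN, KNOWN, a leading-dot
    domain suffix, a trailing-dot network prefix, or an exact name/address."""
    named = name not in ("UNKNOWN", "PARANOID")
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return name == "PARANOID"
    if pattern == "UNKNOWN":
        return name == "UNKNOWN"
    if pattern == "KNOWN":
        return named
    if pattern.startswith("."):          # domain suffix, needs a verified name
        return named and name.endswith(pattern)
    if pattern.endswith("."):            # dotted network prefix, address only
        return addr.startswith(pattern)
    return pattern == addr or (named and pattern == name)


def access_decision(addr, allow_rules, deny_rules, verify_forward=True):
    """hosts_access(5) order: first match in hosts.allow grants access, then
    first match in hosts.deny refuses it, otherwise access is granted."""
    name = classify_client(addr, verify_forward)
    for pat in allow_rules:
        if pattern_matches(pat, addr, name):
            return "allow"
    for pat in deny_rules:
        if pattern_matches(pat, addr, name):
            return "deny"
    return "allow"


if __name__ == "__main__":
    # Name-based allow list; the Debian-style "ALL: PARANOID" deny line.
    allow, deny = [".corp.example"], ["PARANOID"]
    for client in PTR:
        print(client, classify_client(client),
              access_decision(client, allow, deny),
              "(without forward check:",
              access_decision(client, allow, deny, verify_forward=False) + ")")
```

Two things worth reading off the output: the host whose reverse record merely claims a trusted name is refused only because the forward check runs, which is the sense in which PARANOID is a necessity for name-based lists; and a host with no reverse DNS at all is UNKNOWN, not PARANOID, so an "ALL: PARANOID" line by itself does not refuse it.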
