
Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default

On Wed, Apr 18, 2001 at 05:25:49PM +0200, Robert van der Meulen wrote:
> Quoting PiotR (piotr@omega.resa.es):
> > Having ALL: PARANOID in /etc/hosts.deny only causes problems and doesn't 
> > provide any special security. It's very annoying when you can't access some 
> > server because of this. Or worse, the clients don't accept the server stuff.
> You're right. It doesn't provide special security.
> It provides very normal security; reasonable certainty that hosts
> connecting to your services are 'sane' in the sense that they have both a
> valid DNS entry, and a valid reverse DNS entry to match. 

The default Debian security model is basically that anyone with the
right password or private key gets in, regardless of the "sanity" of
the client host.  Adding this one check is arbitrary.  It still
allows IP addresses that don't reverse resolve.  It still allows
hosts that are insane (or evil) but have competent DNS
administrators.  It doesn't improve the audit trail, since anyone
who can control an IP addr -> hostname lookup could just as well
have returned no hostname (note: tcpd always performs the IP address
-> hostname -> IP address cross-check, so it won't ever log a forged
name).  It's probably not even implemented properly (see
and the resulting thread; it's old, but I haven't heard any update).

All it prevents is the hapless guy stuck on a rotten network from
accessing his machine.  This really happens to many people, and it
often takes considerable research to understand (since most people
don't expect the hostname to be used for security in this day).  I
want to fix the net too, but this isn't the place.

PARANOID is there for people who want to do DNS hostname based
authentication and have it be slightly less broken.  That's it.  Can
anyone else document a real case in which denying based on PARANOID
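The cross-check described above, as an added example that is not part of the thread or of the tcp_wrappers sources: a small model of how tcpd derives the client name (address -> name -> address) and of when the PARANOID wildcard in hosts.deny matches. The DNS tables, addresses and function names are constructed for illustration; the canonical-name comparison tcpd also makes is left out.

```python
# Constructed DNS tables (sample data, not real hosts): PTR maps address -> name,
# A maps name -> addresses.  192.0.2.40 deliberately has no PTR record at all.
PTR_RECORDS = {
    "192.0.2.10": "ok.example.net",         # forward and reverse agree
    "192.0.2.20": "forged.example.org",     # PTR names a host that resolves elsewhere
    "192.0.2.30": "noforward.example.net",  # PTR exists, but the name has no A record
}
A_RECORDS = {
    "ok.example.net": ["192.0.2.10"],
    "forged.example.org": ["203.0.113.5"],
}

UNKNOWN = "unknown"    # tcpd's name for a client with no usable reverse lookup
PARANOID = "paranoid"  # tcpd's name for a client whose cross-check failed


def tcpd_client_name(addr: str) -> str:
    """Model of the address -> name -> address cross-check tcpd always performs.

    No PTR record: the client stays "unknown" and is NOT paranoid, so the
    rule in the thread still lets it through.  PTR present but the name does
    not resolve back to addr (forged PTR or missing forward record): the name
    is clobbered to "paranoid" and is never logged.  Otherwise the verified
    name is kept.
    """
    name = PTR_RECORDS.get(addr)
    if name is None:
        return UNKNOWN                      # reverse lookup failed
    if addr not in A_RECORDS.get(name, []):
        return PARANOID                     # forward lookup failed or mismatched
    return name


def paranoid_matches(addr: str) -> bool:
    """True when the hosts.deny wildcard PARANOID matches this client."""
    return tcpd_client_name(addr) == PARANOID


def allowed_by_hosts_deny(addr: str, deny_rule: str = "ALL: PARANOID") -> bool:
    """Evaluate one hosts.deny line with no hosts.allow entries (deny-only).

    Only the ALL and PARANOID client wildcards from the thread are modelled.
    """
    _, _, client_list = deny_rule.partition(":")
    name = tcpd_client_name(addr)
    for pattern in (p.strip() for p in client_list.split(",")):
        if pattern == "ALL" or (pattern == "PARANOID" and name == PARANOID):
            return False
    return True
```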