
Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default

On Wed, 18 Apr 2001, Andrew Pimlott wrote:

> On Wed, Apr 18, 2001 at 05:25:49PM +0200, Robert van der Meulen wrote:
> > Quoting PiotR (piotr@omega.resa.es):
> > > Having ALL: PARANOID in /etc/hosts.deny only causes problems and doesn't
> > > provide any special security. It's very annoying when you can't access some
> > > server because of this. Or worse, the clients don't accept the server stuff.
> > You're right. It doesn't provide special security.
> > It provides very normal security; reasonable certainty that hosts
> > connecting to your services are 'sane' in the sense that they have both a
> > valid DNS entry, and a valid reverse DNS entry to match.

> The default Debian security model is basically that anyone with the
> right password or private key gets in, regardless of the "sanity" of
> the client host.  Adding this one check is arbitrary.  It still
> allows IP addresses that don't reverse resolve.  It still allows
> hosts that are insane (or evil) but have competent DNS
> administrators.  It doesn't improve the audit trail, since anyone
> who can control an IP addr -> hostname lookup could just as well
> have returned no hostname (note: tcpd always performs the IP address
> -> hostname -> IP address cross-check, so it won't ever log a forged
> name).

The two most common causes of a forward-reverse mismatch, in my experience,
are 1) delinquent DNS administrators, and 2) delinquent "other"s who are
trying to mislead the box's administrator into believing that the attack is
coming from somewhere other than it really is.  If you have /any/ software 
on your machine which logs hostnames instead of IPs, and your software
doesn't check to make sure the forward and reverse match, it's relatively
easy for an attacker to throw you off his trail.  ALL: PARANOID *does*
improve the audit trail, because it prevents an attacker from placing
misleading information in your audit logs.  Yes, if someone has control over
their own DNS, they can omit reverse nameservice or provide a reverse that
has a matching forward; but if they do that, they're no longer hiding their

Steve Langasek
postmodern programmer
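As an added illustration of the cross-check the thread is arguing about (this is example code, not tcp_wrappers source and not part of the original mails): the resolver functions and the DNS data are constructed, and the choice to log the bare IP on a mismatch is this model's, while tcpd's real wording in the log may differ.

```python
# Model of tcpd's PARANOID check: ip -> name (PTR) -> addresses (A), and the
# name is trusted only if ip appears in that address list. Hypothetical
# example; resolvers are injected so it runs offline on constructed data.
from typing import Callable, Optional, Sequence

ReverseLookup = Callable[[str], Optional[str]]   # IP -> hostname, or None if no PTR
ForwardLookup = Callable[[str], Sequence[str]]   # hostname -> list of IPs

def classify_client(ip: str, reverse: ReverseLookup, forward: ForwardLookup) -> str:
    """Return 'match', 'no-ptr' or 'mismatch' for the connecting address.

    A missing PTR is not a mismatch: as the thread notes, PARANOID still
    lets in addresses that simply do not reverse-resolve.
    """
    name = reverse(ip)
    if name is None:
        return "no-ptr"
    if ip in forward(name):
        return "match"
    return "mismatch"

def paranoid_allows(ip: str, reverse: ReverseLookup, forward: ForwardLookup) -> bool:
    """'ALL: PARANOID' in hosts.deny refuses only the forward/reverse mismatch."""
    return classify_client(ip, reverse, forward) != "mismatch"

def audit_name(ip: str, reverse: ReverseLookup, forward: ForwardLookup) -> str:
    """What goes in the log: the hostname only when the cross-check passed,
    otherwise the bare IP, so a forged PTR never reaches the audit trail."""
    name = reverse(ip)
    if name is not None and ip in forward(name):
        return name
    return ip

# Constructed DNS data for three client addresses (not real hosts).
_PTR = {
    "192.0.2.10": "good.example.org",     # forward and reverse agree
    "192.0.2.20": "www.victim.example",   # PTR claims a name that resolves elsewhere
    # 192.0.2.30 has no PTR record at all
}
_A = {
    "good.example.org": ["192.0.2.10"],
    "www.victim.example": ["198.51.100.5"],
}

def fake_reverse(ip: str) -> Optional[str]:
    return _PTR.get(ip)

def fake_forward(name: str) -> Sequence[str]:
    return _A.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        verdict = "allowed" if paranoid_allows(ip, fake_reverse, fake_forward) else "denied"
        print(ip, classify_client(ip, fake_reverse, fake_forward), verdict,
              "logged as", audit_name(ip, fake_reverse, fake_forward))
```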
