
Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default



On Wed, Apr 18, 2001 at 03:13:38PM -0500, Stephen Langasek wrote:
> On Wed, 18 Apr 2001, Andrew Pimlott wrote:
> > It doesn't improve the audit trail, since anyone
> > who can control an IP addr -> hostname lookup could just as well
> > have returned no hostname (note: tcpd always performs the IP address
> > -> hostname -> IP address cross-check, so it won't ever log a forged
> > name).
> 
> The two most common causes of a forward-reverse mismatch, in my experience,
> are 1) delinquent DNS administrators, and 2) delinquent "other"s who are
> trying to mislead the box's administrator into believing that the attack is
> coming from somewhere other than it really is.  If you have /any/ software 
> on your machine which logs hostnames instead of IPs, and your software
> doesn't check to make sure the forward and reverse match, it's relatively
> easy for an attacker to throw you off his trail.

Ok, granted.  It won't fool tcpd, but there is probably lots of
software it would fool.

Andrew
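The cross-check the thread refers to, written out as an added example (this is not code from tcp_wrappers or from anyone in the thread): the hostname is only trusted for logging or access decisions when the forward lookup of the reverse name contains the original address, and the IP is always logged regardless. Lookups go through an injectable resolver; `TableResolver` and its record tables are constructed sample data so the example runs offline, and `SystemResolver` is an assumed wrapper around the standard `socket` calls.

```python
"""Forward/reverse DNS cross-check in the spirit of tcpd's PARANOID rule.

Added example, not tcp_wrappers code.  The point the thread makes: software
that logs a bare reverse name lets whoever controls the reverse zone for an
address choose what appears in your logs.  Requiring the forward record of
that name to point back at the address removes that freedom.
"""
import socket

UNKNOWN = "unknown"    # no reverse record at all
PARANOID = "paranoid"  # reverse name exists but forward lookup disagrees

# Constructed sample zone data (not real hosts).
FAKE_PTR = {
    "192.0.2.10": "good.example.net",
    "192.0.2.20": "trusted.example.org",   # claims a name it does not own
    "192.0.2.30": "multi.example.net",     # multi-homed host, still consistent
}
FAKE_A = {
    "good.example.net": ["192.0.2.10"],
    "trusted.example.org": ["198.51.100.5"],
    "multi.example.net": ["192.0.2.31", "192.0.2.30"],
}


class TableResolver:
    """Offline resolver backed by the constructed tables above."""

    def reverse(self, ip):
        return FAKE_PTR.get(ip)

    def forward(self, name):
        return FAKE_A.get(name, [])


class SystemResolver:
    """Real resolver (assumed wrapper around the standard socket calls)."""

    def reverse(self, ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            return None

    def forward(self, name):
        try:
            return socket.gethostbyname_ex(name)[2]
        except (socket.herror, socket.gaierror):
            return []


def client_hostname(ip, resolver):
    """Return (name, status).

    status is "ok" when reverse and forward agree, "unknown" when there is
    no reverse record, and "paranoid" when the reverse name's forward
    records do not include `ip`.  The name is never returned unverified.
    """
    name = resolver.reverse(ip)
    if name is None:
        return (UNKNOWN, UNKNOWN)
    if ip in resolver.forward(name):
        return (name.lower(), "ok")
    return (UNKNOWN, PARANOID)


def access_decision(ip, resolver, deny_paranoid=True):
    """Model of 'ALL: PARANOID' in hosts.deny: mismatches are refused when
    the rule is active; with the rule commented out they fall through."""
    _, status = client_hostname(ip, resolver)
    if status == PARANOID and deny_paranoid:
        return "deny"
    return "allow"


def log_entry(service, ip, resolver):
    """Audit-trail line that always carries the IP; the hostname appears
    only once it has passed the cross-check."""
    name, status = client_hostname(ip, resolver)
    decision = access_decision(ip, resolver)
    return f"{service}: {decision} connect from {name}[{ip}] ({status})"


if __name__ == "__main__":
    r = TableResolver()
    for addr in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(log_entry("sshd", addr, r))
```

Run it and the second address, whose reverse record names a host it does not own, is logged as `unknown[192.0.2.20] (paranoid)` and refused; the multi-homed third address passes because the original IP is among the forward records. Swapping `TableResolver()` for `SystemResolver()` applies the same logic to live DNS.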


