
Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default



>>>>> "Robert" == Robert van der Meulen <rvdm@cistron.nl> writes:

    Robert> Hi, Quoting PiotR (piotr@omega.resa.es):
    >> Having ALL: PARANOID in /etc/hosts.deny only causes problems
    >> and doesn't provide any special security. It's very annoying when
    >> you can't access some server because of this. Or worse, the
    >> clients don't accept the server stuff.
    Robert> You're right. It doesn't provide special security.  It
    Robert> provides very normal security; reasonable certainty that
    Robert> hosts connecting to your services are 'sane' in the sense
    Robert> that they have both a valid DNS entry, and a valid reverse
    Robert> DNS entry to match.

It only provides this if no one is spoofing.  So, it only secures you
against misconfigured sites (often legitimate users who have sucky
ISPs) and attackers who don't know how to correctly spoof DNS.

Especially for protocols like ssh which have strong authentication and
don't care about the DNS security for proper operation, this line adds
no security and simply annoys authorized users.

If you believe it is useful, please provide specific examples that
show how it protects common system configurations against real
attacks.
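A model of the PARANOID check that the thread is arguing about, added here as an example; it is not code from the thread, from Debian, or from tcp_wrappers itself. The `FakeResolver` class and all of the PTR and A records below are constructed stand-ins for the system resolver (using the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges), so the script runs offline. The three scenarios are the ones the thread names: a sane host, a legitimate user behind a misconfigured ISP, and an address whose forward and reverse zones are under one administrative control, which the check lets through regardless of intent.

```python
"""Model of tcpd's PARANOID rule (/etc/hosts.deny "ALL: PARANOID").

Added example, not tcp_wrappers' own code.  A client is PARANOID when
its reverse (PTR) lookup yields a hostname whose forward (A) lookup does
not contain the connecting address.  A client with no PTR record at all
is treated as "unknown", not PARANOID.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class FakeResolver:
    """Constructed stand-in for the resolver: a PTR table and an A table."""
    ptr: dict[str, str] = field(default_factory=dict)       # ip -> hostname
    a: dict[str, list[str]] = field(default_factory=dict)   # hostname -> ips

    def reverse(self, ip: str) -> str | None:
        return self.ptr.get(ip)

    def forward(self, name: str) -> list[str]:
        return self.a.get(name, [])


def is_paranoid(ip: str, resolver: FakeResolver) -> tuple[bool, str]:
    """Return (blocked, reason) for a connecting address under ALL: PARANOID."""
    name = resolver.reverse(ip)
    if name is None:
        # No PTR record: tcpd logs the client as "unknown"; PARANOID does
        # not fire, so this case is NOT denied by the rule.
        return False, f"{ip}: no PTR record, client is 'unknown', not PARANOID"
    if ip in resolver.forward(name):
        return False, f"{ip}: forward/reverse match via {name}"
    return True, f"{ip}: PTR says {name!r} but {name!r} does not resolve back"


# --- constructed scenarios (not real DNS data) ---------------------------

# 1. Correctly configured host: PTR and A agree.
SANE = FakeResolver(
    ptr={"192.0.2.10": "mail.example.com"},
    a={"mail.example.com": ["192.0.2.10"]},
)

# 2. Legitimate user whose ISP's reverse zone is stale: denied even though
#    ssh would authenticate them perfectly well.
SLOPPY_ISP = FakeResolver(
    ptr={"198.51.100.7": "dsl-7.isp.example.net"},
    a={"dsl-7.isp.example.net": ["198.51.100.99"]},
)

# 3. Whoever administers both the reverse zone for the address block and
#    the forward zone for the name can make them agree, so the check passes.
#    The rule therefore says nothing about the client's intent.
CONSISTENT_STRANGER = FakeResolver(
    ptr={"198.51.100.50": "host50.zone.example.org"},
    a={"host50.zone.example.org": ["198.51.100.50"]},
)

# 4. No reverse record at all: not PARANOID, just "unknown".
NO_PTR = FakeResolver()


def classify_all() -> dict[str, bool]:
    """Run the check over every constructed scenario; True means denied."""
    cases = {
        "sane": ("192.0.2.10", SANE),
        "sloppy_isp": ("198.51.100.7", SLOPPY_ISP),
        "consistent_stranger": ("198.51.100.50", CONSISTENT_STRANGER),
        "no_ptr": ("203.0.113.1", NO_PTR),
    }
    return {label: is_paranoid(ip, r)[0] for label, (ip, r) in cases.items()}


if __name__ == "__main__":
    for label, (ip, r) in {
        "sane": ("192.0.2.10", SANE),
        "sloppy_isp": ("198.51.100.7", SLOPPY_ISP),
        "consistent_stranger": ("198.51.100.50", CONSISTENT_STRANGER),
        "no_ptr": ("203.0.113.1", NO_PTR),
    }.items():
        blocked, why = is_paranoid(ip, r)
        print(f"{label:20s} denied={blocked!s:5s} {why}")
```

The output of `classify_all()` makes the thread's point concrete: the only scenario the rule denies is the stale-ISP one, which is a legitimate user, while an address whose two zones are kept consistent by the same party sails through, and a host with no PTR at all is not caught by PARANOID either.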
