
Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default

On Wed, 18 Apr 2001, Adam McKenna wrote:

> That's the point.  This _DOES_NOT_ increase security.  Anyone who believes it
> does is suffering from delusions.  All it does is make life harder on
> sysadmins, who, if they don't know this is enabled, may spend hours chasing
> down this problem.

And I say it does indeed increase security because there ARE people who
will use DNS lookup for access control, especially new/inexperienced
admins or those who want a quick and dirty solution. I have seen one
attempt where spoofed reverse lookup was used in an attempt to gain
access, and where one attempt exists, many more actually happen.

If you are so concerned about the line making life difficult, maybe you
should instead just put a better comment in /etc/hosts.deny than:

# The PARANOID wildcard matches any host whose name does not match its
# address.

Put something there, like "The line PARANOID: ALL will reject connection
attempts for all services from all hosts whose reverse DNS mapping does
not match. See hosts_access(5) for more details."

Something to that effect; I am probably not the best documentation writer.

If you change the default, change it to ALL: ALL, or whatever. Tighten
control, don't loosen it.

 "But since you asked: I am like a hunter of peace, one who chases the
  elusive mayfly of love. - Well, something like that." -- Trigun
  Echelon Bait v2.0: Biological assassination of terrorism in trade center
  anthrax nuclear plutonium weapon poison president islam bush.
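The PARANOID check under discussion, as an added example that is not from the list post or from tcp_wrappers itself: a simplified Python model of how hosts_access(5) derives a client name (reverse lookup confirmed by a forward lookup) and how hosts.allow / hosts.deny patterns match it. The DNS tables, addresses, names and rule lists are constructed assumptions standing in for the system resolver and the real config files.

```python
# Simplified model of the tcp_wrappers PARANOID check (added example, not
# tcp_wrappers code). Constructed DNS tables stand in for the system resolver.

# Constructed sample records: PTR (address -> name) and A (name -> addresses).
PTR = {
    "192.0.2.10": "trusted.example.org",    # forward record agrees: genuine
    "198.51.100.7": "trusted.example.org",  # PTR claims the name, forward disagrees
    "203.0.113.5": None,                    # no reverse record at all
}
A = {"trusted.example.org": {"192.0.2.10"}}


def resolved_name(addr):
    """Client name as hosts_access(5) would record it.

    The reverse name is kept only if a forward lookup of that name returns
    the connecting address; a mismatch yields the special name "paranoid",
    and a missing reverse record yields "unknown" (not paranoid).
    """
    name = PTR.get(addr)
    if name is None:
        return "unknown"
    return name if addr in A.get(name, set()) else "paranoid"


def matches(pattern, addr):
    """Match one client pattern from hosts.allow / hosts.deny."""
    name = resolved_name(addr)
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return name == "paranoid"
    if pattern == "UNKNOWN":
        return name == "unknown"
    if pattern.startswith("."):  # domain suffix such as ".example.org"
        return name not in ("unknown", "paranoid") and name.endswith(pattern)
    return addr == pattern or name == pattern


def allowed(addr, hosts_allow, hosts_deny):
    """hosts_access order: allow rules first, then deny rules, else permit."""
    if any(matches(p, addr) for p in hosts_allow):
        return True
    if any(matches(p, addr) for p in hosts_deny):
        return False
    return True


if __name__ == "__main__":
    for addr in PTR:
        print(addr, resolved_name(addr), allowed(addr, [".example.org"], ["PARANOID"]))
```

Running it with an empty deny list shows the mismatched client at 198.51.100.7 falling through to the default permit, which is the difference the ALL: PARANOID line makes for services not otherwise restricted.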
