[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default

On Wed, Apr 18, 2001 at 04:55:32PM -0400, Sam Hartman wrote:
> >>>>> "Wichert" == Wichert Akkerman <wichert@cistron.nl> writes:
>     Wichert> Previously Alan Shutko wrote:
>     >> What security does this give you, seriously?
>     Wichert> Better audit trail.
> Assuming again that DNS is not spoofed.

To be clear: the attacker has to spoof the hostname -> IP address
lookup for a domain that does not belong to him.  Possible, but
usually not trivial.

Wichert is right that, if you have existing software that does naive
IP address -> hostname lookups, then PARANOID can give you more
accurate audits.  But note that this may be vulnerable as DJB

    1. attacker connects
    2. libwrap does IP addr -> hostname lookup
    3. attacker returns hostname with a low TTL
    4. libwrap does hostname -> IP addr lookup
    5. attacker waits for > TTL, then replies with the right IP addr
    6. stupid legacy software does IP addr -> hostname lookup
    7. attacker returns bogus hostname, making the logs of stupid
       legacy software useless

> Logging both the IP and
> DNS will get you just as good of an audit trail without  screwing
> your users.

Existing software ...


Reply to: