
Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default



On Wed, Apr 18, 2001 at 04:55:32PM -0400, Sam Hartman wrote:
> >>>>> "Wichert" == Wichert Akkerman <wichert@cistron.nl> writes:
> 
>     Wichert> Previously Alan Shutko wrote:
>     >> What security does this give you, seriously?
> 
>     Wichert> Better audit trail.
> 
> Assuming again that DNS is not spoofed.

To be clear: the attacker has to spoof the hostname -> IP address
lookup for a domain that does not belong to him.  Possible, but
usually not trivial.

Wichert is right that, if you have existing software that does naive
IP address -> hostname lookups, then PARANOID can give you more
accurate audits.  But note that this may be vulnerable as DJB
described:

    1. attacker connects
    2. libwrap does IP addr -> hostname lookup
    3. attacker returns hostname with a low TTL
    4. libwrap does hostname -> IP addr lookup
    5. attacker waits for > TTL, then replies with the right IP addr
    6. stupid legacy software does IP addr -> hostname lookup
    7. attacker returns bogus hostname, making the logs of stupid
       legacy software useless

> Logging both the IP and
> DNS will get you just as good of an audit trail without  screwing
> your users.

Existing software ...

Andrew



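The sequence Andrew lists above can be simulated without touching real DNS. The following is an added example, not code from the original message, from tcp_wrappers or from Debian: it models a caching resolver that honours TTLs, an attacker-controlled PTR record that returns the honest name with a tiny TTL and a bogus one once that TTL has expired, libwrap's PARANOID double-reverse check (reverse lookup, forward lookup of the result, require the original address among the answers), a legacy logger that trusts the reverse name alone, and the "log both the IP and the name" alternative raised in the thread. All names, addresses, TTLs and the clock are constructed for illustration.

```python
"""Simulation of the TTL trick against a PARANOID-style double-reverse lookup.

Constructed example: no real DNS traffic is generated. The attacker's
authoritative answers are a function of the (fake) clock, and the stub
resolver caches each answer for exactly the TTL the attacker hands back.
"""

LOW_TTL = 1                            # attacker's tiny TTL on the honest PTR
ATTACKER_IP = "203.0.113.7"            # constructed, RFC 5737 documentation range
REAL_NAME = "host.attacker.example"    # name the attacker really owns
BOGUS_NAME = "trusted.victim.example"  # name the attacker does NOT own
VICTIM_IP = "198.51.100.5"             # constructed real address of BOGUS_NAME


def ptr_name(ip):
    """Reverse-lookup owner name for an IPv4 address, e.g. 7.113.0.203.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


class FakeClock:
    """Deterministic clock so the simulation never has to sleep."""
    def __init__(self):
        self.now = 0

    def advance(self, seconds):
        self.now += seconds


class Resolver:
    """Caching stub resolver that honours the TTL on every answer."""
    def __init__(self, zones, clock):
        self.zones = zones      # qname -> callable(now) -> (answer, ttl)
        self.clock = clock
        self.cache = {}         # qname -> (answer, expires_at)

    def query(self, qname):
        now = self.clock.now
        cached = self.cache.get(qname)
        if cached and now < cached[1]:
            return cached[0]                    # still within TTL
        if qname not in self.zones:
            return None                         # NXDOMAIN
        answer, ttl = self.zones[qname](now)    # ask the authoritative side
        self.cache[qname] = (answer, now + ttl)
        return answer


def attacker_ptr(now):
    """Attacker's authoritative PTR for its own address: the honest name with a
    tiny TTL at first (step 3 above), the bogus name once that TTL is gone (step 7)."""
    if now < LOW_TTL:
        return REAL_NAME, LOW_TTL
    return BOGUS_NAME, 3600


def build_resolver(clock):
    zones = {
        ptr_name(ATTACKER_IP): attacker_ptr,               # attacker's reverse zone
        REAL_NAME: lambda now: ([ATTACKER_IP], 3600),      # attacker's forward zone
        BOGUS_NAME: lambda now: ([VICTIM_IP], 3600),       # victim's zone, not spoofable
    }
    return Resolver(zones, clock)


def paranoid_check(resolver, ip):
    """PARANOID-style check: reverse lookup, forward lookup of the result, and the
    original address must appear among the forward answers.
    Returns the verified hostname, or None when the connection should be refused."""
    name = resolver.query(ptr_name(ip))
    if name is None:
        return None
    addrs = resolver.query(name) or []
    return name if ip in addrs else None


def naive_audit_line(resolver, ip):
    """Legacy software (step 6): records only the reverse name."""
    return "connection from %s" % (resolver.query(ptr_name(ip)) or "unknown")


def paired_audit_line(resolver, ip):
    """The alternative raised in the thread: record name AND address, so the
    address still identifies the peer when the name turns out to be bogus."""
    return "connection from %s [%s]" % (resolver.query(ptr_name(ip)) or "unknown", ip)


def run_attack():
    clock = FakeClock()
    resolver = build_resolver(clock)
    accepted = paranoid_check(resolver, ATTACKER_IP)   # steps 1-5: the check passes
    clock.advance(LOW_TTL + 1)                         # cached PTR is now stale
    naive = naive_audit_line(resolver, ATTACKER_IP)    # step 7: bogus name logged
    paired = paired_audit_line(resolver, ATTACKER_IP)  # bogus name, but IP kept
    recheck = paranoid_check(resolver, ATTACKER_IP)    # PARANOID run again now: fails
    return {"accepted_as": accepted, "naive_log": naive,
            "paired_log": paired, "recheck": recheck}


if __name__ == "__main__":
    for key, value in run_attack().items():
        print("%-12s %s" % (key, value))
```

The point the simulation makes is the one in the message: PARANOID only vouches for the name at the instant it runs, and a second reverse lookup by other software a moment later is back to trusting whatever the attacker's PTR server says. Logging the address alongside the name keeps the audit trail usable regardless of what the name resolves to.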