Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
On Wed, Apr 18, 2001 at 04:55:32PM -0400, Sam Hartman wrote:
> >>>>> "Wichert" == Wichert Akkerman <wichert@cistron.nl> writes:
>
> Wichert> Previously Alan Shutko wrote:
> >> What security does this give you, seriously?
>
> Wichert> Better audit trail.
>
> Assuming again that DNS is not spoofed.
To be clear: the attacker has to spoof the hostname -> IP address
lookup for a domain that does not belong to him. Possible, but
usually not trivial.
Wichert is right that, if you have existing software that does naive
IP address -> hostname lookups, then PARANOID can give you more
accurate audits. But note that this may be vulnerable as DJB
described:
1. attacker connects
2. libwrap does IP addr -> hostname lookup
3. attacker returns hostname with a low TTL
4. libwrap does hostname -> IP addr lookup
5. attacker waits for > TTL, then replies with the right IP addr
6. stupid legacy software does IP addr -> hostname lookup
7. attacker returns bogus hostname, making the logs of stupid
legacy software useless
> Logging both the IP and
> DNS will get you just as good of an audit trail without screwing
> your users.
Existing software ...
Andrew
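The following is an added example, not code from the thread or from libwrap: a small simulation of the PARANOID check (reverse lookup, then forward lookup, require the original address to appear in the forward answer) and of the audit-trail point made in the quoted reply. `FakeResolver` is a constructed stand-in whose answers can differ between two queries for the same name, which is the only property of a low TTL the seven-step sequence above depends on; no real DNS is consulted, and the addresses and hostnames are constructed documentation values.

```python
# Added example (not part of the original message): simulate libwrap's
# PARANOID check and compare its audit line with a naive hostname-only log.
# FakeResolver is a constructed stand-in; nothing here queries real DNS.


class FakeResolver:
    """Constructed resolver. Each table value is a list of successive answers,
    so a second query for the same key can return something different from
    the first, which is what a low TTL lets the zone owner arrange."""

    def __init__(self, ptr_answers, a_answers):
        self._ptr = {k: list(v) for k, v in ptr_answers.items()}
        self._a = {k: list(v) for k, v in a_answers.items()}

    @staticmethod
    def _answer(table, key):
        answers = table.get(key)
        if not answers:
            return None
        # Hand out answers in order and repeat the last one once reached.
        return answers.pop(0) if len(answers) > 1 else answers[0]

    def reverse(self, ip):
        """IP address -> hostname (PTR lookup)."""
        return self._answer(self._ptr, ip)

    def forward(self, host):
        """hostname -> list of IP addresses (A lookup)."""
        return self._answer(self._a, host) or []


def paranoid_lookup(resolver, ip):
    """libwrap-style check: reverse-resolve, then forward-resolve the result
    and require the original address among the forward answers.
    Returns (hostname, verdict), verdict in {"verified", "unknown", "PARANOID"}."""
    host = resolver.reverse(ip)
    if host is None:
        return None, "unknown"
    if ip in resolver.forward(host):
        return host, "verified"
    return host, "PARANOID"


def wrapper_log_line(resolver, ip):
    """Log both the address and the checked hostname, as the quoted reply
    suggests, so the address is still on record if the name is later disputed."""
    host, verdict = paranoid_lookup(resolver, ip)
    return f"connect from {ip} ({host or '?'}) [{verdict}]"


def legacy_log_line(resolver, ip):
    """Naive legacy behaviour from step 6: a fresh reverse lookup, name only."""
    return f"connect from {resolver.reverse(ip) or ip}"


def run_scenario():
    # Constructed data (RFC 5737 documentation addresses, example domains).
    # 192.0.2.10: the PTR answer is consistent on the first query and changes
    # on the second, i.e. steps 2-7 of the sequence in the message.
    # 198.51.100.7: the PTR name never forward-resolves back to the address.
    resolver = FakeResolver(
        ptr_answers={
            "192.0.2.10": ["client.example.net", "admin.example.org"],
            "198.51.100.7": ["www.example.com"],
        },
        a_answers={
            "client.example.net": [["192.0.2.10"]],
            "www.example.com": [["203.0.113.5"]],
        },
    )
    result = {}
    # libwrap runs first (steps 2 and 4), then the legacy daemon (step 6).
    result["wrapper"] = wrapper_log_line(resolver, "192.0.2.10")
    result["legacy"] = legacy_log_line(resolver, "192.0.2.10")
    result["mismatch"] = paranoid_lookup(resolver, "198.51.100.7")
    return result


if __name__ == "__main__":
    for name, line in run_scenario().items():
        print(f"{name:8} {line}")
```

Running it shows the wrapper line carrying the address and the verified name while the legacy line, taken a moment later, records only the second, different PTR answer; the third case shows a name whose forward lookup does not return the connecting address and is therefore tagged PARANOID. Whether logging the address alone is as useful as Wichert's "better audit trail" claim suggests is exactly the point the thread argues about; the code only makes the two behaviours concrete.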