
Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default



On Wed, Apr 18, 2001 at 11:22:18PM +0200, Nils Jeppe wrote:
> On Wed, 18 Apr 2001, Adam McKenna wrote:
> 
> > That's the point.  This _DOES_NOT_ increase security.  Anyone who believes it
> > does is suffering from delusions.  All it does is make life harder on
> > sysadmins, who, if they don't know this is enabled, may spend hours chasing
> > down this problem.
> 
> And I say it does indeed increase security because there ARE people who
> will use DNS lookup for access control, especially new/inexperienced
> admins or those who want a quick and dirty solution. I have seen one
> attempt where spoofed reverse lookup was used in an attempt to gain
> access, and where one attempt exists, many more actually happen.

It provides a *sliver* more security for those people who are relying on DNS 
(or more to the point, BIND), for security, which is insecure in the first 
place.  We should be discouraging this behavior.  I'd like to see the default
be changed to the following --

hosts.deny

ALL:ALL

hosts.allow

ALL: 127.0.0.1
ALL: (local network)

And a note added to hosts.deny and hosts.allow telling people to use IP
addresses instead of hostnames in these files.  THAT would be a useful
security measure, not this paranoid cruft.

It would be simple to even ask during installation "do you want all access to
this host to be limited to:

[ ] local host
[ ] local network
etc.

--Adam

-- 
Adam McKenna  <adam@debian.org>  <adam@flounder.net>
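The message above argues that tcp_wrappers rules should name IP addresses, not hostnames, so that access control never depends on a (spoofable) DNS answer. The script below is an added example, not part of the original thread or of Debian's tcp_wrappers packaging: it scans a hosts.allow/hosts.deny style file and reports every client pattern whose evaluation requires a hostname lookup (hostname or domain patterns, the LOCAL/KNOWN/UNKNOWN/PARANOID keywords, and @netgroup entries). The sample file it scans by default is constructed for the example; it assumes only POSIX sh, awk and mktemp.

```shell
#!/bin/sh
# Added example: find tcp_wrappers client patterns that depend on DNS.
# Assumes POSIX sh + awk; the sample rules below are constructed, not real.

# Constructed sample in hosts.allow syntax: "daemon_list : client_list [: shell_command]".
# It mixes the address-only defaults proposed in the thread with name-based rules.
sample_hosts_allow() {
    cat <<'EOF'
# constructed sample for the example, not a real system's file
ALL: 127.0.0.1
ALL: 192.168.1.0/255.255.255.0
sshd: .trusted.example.com
ALL: LOCAL
in.ftpd: @nisgroup
ALL: ALL EXCEPT 10.0.0.5
EOF
}

# Print one line per DNS-dependent client pattern in FILE as "FILE:LINENO: pattern (reason)".
# Lookup-free patterns are ALL, EXCEPT (an operator), IPv4 addresses or prefixes
# ("10.0.0.5", "192.168."), net/mask pairs and bracketed IPv6 literals.
# Backslash-continued lines are not joined; each physical line is scanned on its own.
dns_dependent_rules() {
    awk -v file="$1" '
        /^[[:space:]]*#/ { next }                  # comment line
        /^[[:space:]]*$/ { next }                  # blank line
        {
            n = split($0, f, ":")
            if (n < 2) next                        # no client list on this line
            m = split(f[2], tok, "[[:space:],]+")
            for (i = 1; i <= m; i++) {
                t = tok[i]
                if (t == "" || t == "ALL" || t == "EXCEPT") continue
                if (t ~ /^[0-9.]+(\/[0-9.]+)?$/) continue   # IPv4 address, prefix or net/mask
                if (t ~ /^\[/) continue                       # IPv6 literal
                if (t ~ /^(LOCAL|KNOWN|UNKNOWN|PARANOID)$/)
                    reason = "keyword requires hostname lookup"
                else if (t ~ /^@/)
                    reason = "NIS netgroup, name based"
                else
                    reason = "hostname pattern"
                printf "%s:%d: %s (%s)\n", file, NR, t, reason
            }
        }' "$1"
}

# Number of DNS-dependent patterns in FILE (0 means every rule is address based).
count_dns_dependent_rules() {
    dns_dependent_rules "$1" | wc -l | tr -d ' '
}

# Usage: sh check_wrappers.sh [/etc/hosts.allow /etc/hosts.deny ...]
# With no arguments the constructed sample is scanned instead.
main() {
    if [ $# -eq 0 ]; then
        tmp=$(mktemp)
        sample_hosts_allow > "$tmp"
        dns_dependent_rules "$tmp"
        rm -f "$tmp"
    else
        for f in "$@"; do
            dns_dependent_rules "$f"
        done
    fi
}
main "$@"
```

Run against the sample, the scan flags three entries (`.trusted.example.com`, `LOCAL` and `@nisgroup`) and passes the `127.0.0.1`, netmask and `ALL EXCEPT 10.0.0.5` rules untouched; that is exactly the split the thread recommends, address-based rules in and name-based rules out.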


