
Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default



On Wed, Apr 18, 2001 at 02:58:33PM -0700, Adam McKenna wrote:
> On Wed, Apr 18, 2001 at 11:22:18PM +0200, Nils Jeppe wrote:
> > On Wed, 18 Apr 2001, Adam McKenna wrote:
> > 
> > > That's the point.  This _DOES_NOT_ increase security.  Anyone who believes it
> > > does is suffering from delusions.  All it does is make life harder on
> > > sysadmins, who, if they don't know this is enabled, may spend hours chasing
> > > down this problem.
> > 
> > And I say it does indeed increase security because there ARE people who
> > will use DNS lookup for access control, especially new/inexperienced
> > admins or those who want a quick and dirty solution. I have seen one
> > attempt where spoofed reverse lookup was used in an attempt to gain
> > access, and where one attempt exists, many more actually happen.
> 
> It provides a *sliver* more security for those people who are relying on DNS 
> (or more to the point, BIND), for security, which is insecure in the first 
> place.  We should be discouraging this behavior.  I'd like to see the default
> be changed to the following --
>

Providing a sliver more security, and it should be removed?  Why?  What does it
hurt to provide that extra security?

I suggest (replaces ALL: PARANOID in hosts.deny):

---start

# The following line disables connections to this machine for services that use
# the inetd wrappers.
ALL: ALL

# The following line does the same but only protects this server from machines
# that do not have correctly resolving DNS entries.
ALL: PARANOID

---end

Is that satisfactory to everyone?

The arguments I am reading for removing PARANOID come from individuals who 
seem to believe that perfect security is the only security worth implementing.

Take the security as far as you can on the initial install and don't require the
user to learn about the services to use their computer.  Only require them
to learn about the services to use those specific services.

-Nathan
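The whole disagreement above turns on what tcpd actually does with a client whose reverse DNS name does not forward-resolve back to its address. The following is an added example (not code from any poster, from Debian, or from the tcp_wrappers project) that models the three client labels documented in hosts_access(5): UNKNOWN (no reverse name at all), PARANOID (a name that does not forward-resolve to the address, which is exactly what a spoofed PTR record looks like) and KNOWN (both directions agree), and then runs the hosts.deny fragments from this thread against them. The DNS tables and addresses are constructed sample data; `system_ptr` / `system_a` are optional helpers that swap in the real resolver via the standard `socket` module.

```python
"""Model of tcpd's PARANOID / UNKNOWN / KNOWN client classification.

Added example: the DNS tables below are constructed sample data, not real
hosts, and the rule matcher covers only the daemon/client wildcards needed
to evaluate the hosts.deny fragments discussed in the thread.
"""
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample DNS data (hypothetical names in the documentation range).
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "trusted.example.org",  # reverse and forward agree
    "192.0.2.11": "trusted.example.org",  # PTR claims the trusted name; forward disagrees
    "192.0.2.12": "orphan.example.org",   # PTR name has no forward record at all
}
A_RECORDS: Dict[str, List[str]] = {
    "trusted.example.org": ["192.0.2.10"],
}

PtrLookup = Callable[[str], Optional[str]]
ALookup = Callable[[str], List[str]]


def fake_ptr(addr: str) -> Optional[str]:
    """Reverse lookup against the constructed table."""
    return PTR_RECORDS.get(addr)


def fake_a(name: str) -> List[str]:
    """Forward lookup against the constructed table."""
    return A_RECORDS.get(name, [])


def system_ptr(addr: str) -> Optional[str]:
    """Reverse lookup through the system resolver (needs network access)."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:  # socket.herror / gaierror are OSError subclasses
        return None


def system_a(name: str) -> List[str]:
    """Forward lookup through the system resolver (needs network access)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def classify_client(addr: str, ptr_lookup: PtrLookup = fake_ptr,
                    a_lookup: ALookup = fake_a) -> str:
    """Label a client the way tcpd does before consulting the access tables.

    UNKNOWN  - the address has no reverse (PTR) name at all
    PARANOID - it has a name, but that name does not forward-resolve back to
               the address (a spoofed or stale PTR record)
    KNOWN    - name and address agree in both directions
    """
    name = ptr_lookup(addr)
    if not name:
        return "UNKNOWN"
    if addr in a_lookup(name):
        return "KNOWN"
    return "PARANOID"


# Client-list wildcards from hosts_access(5), applied to the label above.
WILDCARDS = {
    "ALL": lambda status: True,
    "KNOWN": lambda status: status == "KNOWN",
    "UNKNOWN": lambda status: status == "UNKNOWN",
    "PARANOID": lambda status: status == "PARANOID",
}


def parse_rules(text: str) -> List[Tuple[List[str], List[str]]]:
    """Parse 'daemon_list : client_list [: command]' lines; skip comments/blanks."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def first_denying_rule(deny_text: str, daemon: str, addr: str,
                       ptr_lookup: PtrLookup = fake_ptr,
                       a_lookup: ALookup = fake_a) -> Optional[str]:
    """Return the client wildcard of the first matching hosts.deny rule, else None."""
    status = classify_client(addr, ptr_lookup, a_lookup)
    for daemons, clients in parse_rules(deny_text):
        if "ALL" not in daemons and daemon not in daemons:
            continue
        for pattern in clients:
            if pattern in WILDCARDS and WILDCARDS[pattern](status):
                return pattern
    return None


# The fragment proposed in the message above, and the original default on its own.
PROPOSED_HOSTS_DENY = """
# The following line disables connections to this machine for services that use
# the inetd wrappers.
ALL: ALL

# The following line does the same but only protects this server from machines
# that do not have correctly resolving DNS entries.
ALL: PARANOID
"""
PARANOID_ONLY = "ALL: PARANOID\n"

if __name__ == "__main__":
    for addr in ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.99"]:
        print(addr, classify_client(addr),
              "PARANOID-only denies by:", first_denying_rule(PARANOID_ONLY, "sshd", addr),
              "proposed denies by:", first_denying_rule(PROPOSED_HOSTS_DENY, "sshd", addr))
```

Run stand-alone it shows the distinction the thread is arguing over: 192.0.2.11, whose PTR record claims a trusted name, is PARANOID and is rejected by `ALL: PARANOID`, while an address with no reverse name at all is UNKNOWN and passes that line untouched (only `UNKNOWN` or `ALL` would catch it). With the proposed fragment, the `ALL: ALL` line matches every client first, so the `ALL: PARANOID` line after it never decides anything unless a matching entry in hosts.allow has already let the client through.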


