[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default

On Wed, 18 Apr 2001, Adam McKenna wrote:

> On Wed, Apr 18, 2001 at 11:22:18PM +0200, Nils Jeppe wrote:
> > On Wed, 18 Apr 2001, Adam McKenna wrote:

> > > That's the point.  This _DOES_NOT_ increase security.  Anyone who believes it
> > > does is suffering from delusions.  All it does is make life harder on
> > > sysadmins, who, if they don't know this is enabled, may spend hours chasing
> > > down this problem.

> > And I say it does indeed increase security because there ARE people who
> > will use DNS lookup for access control, especially new/inexperienced
> > admins or those who want a quick and dirty solution. I have seen one
> > attempt where spoofed reverse lookup was used in an attempt to gain
> > access, and where one attempt exists, many more actually happen.

> It provides a *sliver* more security for those people who are relying on DNS
> (or more to the point, BIND), for security, which is insecure in the first
> place.  We shold be discouraging this behavior.  I'd like to see the default
> be changed to the following --

ALL: PARANOID does not provide significant security benefits in protecting
your machine from attacks; but it *does* provide better audit logs by ensuring
that, if your machine is attacked or broken into, tcpd will prevent the
attacker from spoofing a DNS name *that he doesn't have control over*.  This
means that, even if the attacker is playing tricks with DNS, the audit log
will still point the finger at the responsible parties.  That's a valuable
feature, because it helps us improve security on the Internet for *everyone*.
Making it harder for script kiddies to get away with haX0ring boxes seems like
a worthy goal to me...

Steve Langasek
postmodern programmer

Reply to: