Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default

On Wed, 18 Apr 2001, Adam McKenna wrote:

> On Wed, Apr 18, 2001 at 11:22:18PM +0200, Nils Jeppe wrote:
> > On Wed, 18 Apr 2001, Adam McKenna wrote:

> > > That's the point.  This _DOES_NOT_ increase security.  Anyone who believes it
> > > does is suffering from delusions.  All it does is make life harder on
> > > sysadmins, who, if they don't know this is enabled, may spend hours chasing
> > > down this problem.

> > And I say it does indeed increase security because there ARE people who
> > will use DNS lookup for access control, especially new/inexperienced
> > admins or those who want a quick and dirty solution. I have seen one
> > attempt where spoofed reverse lookup was used in an attempt to gain
> > access, and where one attempt exists, many more actually happen.

> It provides a *sliver* more security for those people who are relying on DNS
> (or more to the point, BIND), for security, which is insecure in the first
> place.  We should be discouraging this behavior.  I'd like to see the default
> be changed to the following --

ALL: PARANOID does not provide significant security benefits in protecting
your machine from attacks; but it *does* provide better audit logs by ensuring
that, if your machine is attacked or broken into, tcpd will prevent the
attacker from spoofing a DNS name *that he doesn't have control over*.  This
means that, even if the attacker is playing tricks with DNS, the audit log
will still point the finger at the responsible parties.  That's a valuable
feature, because it helps us improve security on the Internet for *everyone*.
Making it harder for script kiddies to get away with haX0ring boxes seems like
a worthy goal to me...

Steve Langasek
postmodern programmer
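The forward-confirmed reverse lookup that the PARANOID rule relies on, written out as an added example (not tcpd's code and not from the thread); the resolver callbacks and the 192.0.2.0/24 zone data are constructed so the check runs offline, with real socket-based resolvers provided for comparison:

```python
"""Forward-confirmed reverse DNS check in the spirit of tcpd's ALL: PARANOID."""
import socket
from typing import Callable, Dict, List, Tuple

# Resolver callbacks so the check can run against real DNS or a constructed table.
ReverseLookup = Callable[[str], str]        # ip -> hostname (raises on failure)
ForwardLookup = Callable[[str], List[str]]  # hostname -> addresses (raises on failure)

def paranoid_check(ip: str, reverse: ReverseLookup, forward: ForwardLookup) -> Tuple[bool, str]:
    """Return (allowed, reason). The reverse name must resolve forward back to the
    connecting address; anything else is a host name/address mismatch and is denied."""
    try:
        name = reverse(ip)
    except (socket.herror, socket.gaierror, KeyError):
        return (False, f"{ip}: no reverse DNS entry")
    try:
        addrs = forward(name)
    except (socket.gaierror, KeyError):
        return (False, f"{ip}: reverse name {name!r} does not resolve forward")
    if ip not in addrs:
        # The client controls its PTR record but not the forward zone of the name
        # it claims, so the name is logged as a mismatch rather than trusted.
        return (False, f"{ip}: reverse name {name!r} resolves to {addrs}, mismatch")
    return (True, f"{ip}: verified as {name}")

# Constructed sample zone data (documentation prefix addresses, not real hosts).
_PTR: Dict[str, str] = {
    "192.0.2.10": "honest.example.org",
    "192.0.2.20": "trusted.example.org",  # spoofed PTR pointing at someone else's name
}
_A: Dict[str, List[str]] = {
    "honest.example.org": ["192.0.2.10"],
    "trusted.example.org": ["198.51.100.5"],
}

def fake_reverse(ip: str) -> str:
    return _PTR[ip]

def fake_forward(name: str) -> List[str]:
    return _A[name]

def system_reverse(ip: str) -> str:
    """Real PTR lookup via the system resolver (hypothetical use; not exercised offline)."""
    return socket.gethostbyaddr(ip)[0]

def system_forward(name: str) -> List[str]:
    return [info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)]

if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(paranoid_check(client, fake_reverse, fake_forward))
```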

