
Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default

From: Robert van der Meulen <rvdm@cistron.nl>
> Quoting Andrew Pimlott (andrew@pimlott.ne.mediaone.net):
> > PARANOID is there for people who want to do DNS hostname based
> > authentication and have it be slightly less broken.  That's it.  Can
> > anyone else document a real case in which denying based on PARANOID
> > helped?
> There is no such thing as DNS hostname based authentication.
> Can you give an example where you would want to allow access from an
> inconsistently configured machine, that is run by someone who doesn't know
> how to configure DNS?
> The PARANOID setting helps in 'pushing' people to do correct DNS
> configuration, it helps auditing, it keeps your (and others') networks in a
> consistent and (DNS-wise) correctly configured state.
> If removing the 'ALL: PARANOID' line fixes things for you, or makes life
> easier for you, you should look into configuring your servers first, before
> requesting a workstation install that allows for access by broken
> machines.
> Machines with broken DNS should not be allowed to connect anyway, but should
> be fixed, and in the remote possibility that you do want to allow
> access from broken machines, the admin can alter /etc/hosts.deny.

Tell that to local Venezuelan ISPs: no one has a clue about reverse DNS records. I have accounts on the biggest two (they would easily have more than 80% of the market) and none of them knows anything about it.  I think that the "ALL: PARANOID" policy has no big security wins and is too aggressive for novice users, who may be confused about why they can't access their systems, when it isn't even their fault.

Jose Rey
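Added example, not part of the thread above and not tcp_wrappers' own code: a small Python model of what tcpd actually does when it classifies a client as PARANOID, and how "ALL: PARANOID" in /etc/hosts.deny interacts with /etc/hosts.allow. The DNS tables, addresses, host names and the two hosts.deny variants are constructed for the example so it runs offline. One caveat worth keeping in mind when reading the thread: per hosts_access(5), PARANOID matches a client whose reverse (PTR) name exists but does not resolve back to the connecting address; a client with no reverse record at all is classified UNKNOWN, which "ALL: PARANOID" does not match. EXCEPT lists and shell commands are not modelled.

```python
"""Model of tcp_wrappers' PARANOID/UNKNOWN client classification and of the
hosts.allow / hosts.deny evaluation order, with constructed in-memory DNS data."""
import re

# Constructed DNS data (assumption: every name and address here is invented).
PTR = {  # address -> reverse (PTR) name, as gethostbyaddr() would return it
    "192.0.2.10": "good.example.org",
    "192.0.2.11": "lies.example.org",
    "192.0.2.12": "stale.example.org",
    "192.0.2.21": "multi.example.org",
    # 192.0.2.13 deliberately has no PTR record at all
}
A = {  # name -> forward (A) addresses, as gethostbyname() would return them
    "good.example.org": ["192.0.2.10"],
    "lies.example.org": ["198.51.100.5"],            # resolves to a different host
    "multi.example.org": ["192.0.2.20", "192.0.2.21"],
    # stale.example.org has a PTR but no A record: forward lookup fails
}

UNKNOWN, PARANOID = "unknown", "paranoid"


def client_name(addr, ptr=PTR, fwd=A):
    """Mirror tcpd's sock_hostname(): no PTR -> 'unknown'; a PTR name whose
    forward lookup fails or does not list the address -> 'paranoid';
    otherwise the verified host name."""
    name = ptr.get(addr)
    if name is None:
        return UNKNOWN
    if addr in fwd.get(name, []):
        return name
    return PARANOID


def token_matches(tok, addr, name):
    """One client-list wildcard or pattern from hosts_access(5)."""
    t = tok.upper()
    if t == "ALL":
        return True
    if t == "PARANOID":
        return name == PARANOID
    if t == "UNKNOWN":
        return name == UNKNOWN
    if t == "KNOWN":
        return name not in (UNKNOWN, PARANOID)
    if tok.startswith("."):            # domain suffix, e.g. .example.org
        return name.lower().endswith(tok.lower())
    if tok.endswith("."):              # address prefix, e.g. 192.0.2.
        return addr.startswith(tok)
    return tok.lower() == name.lower() or tok == addr


def parse_rules(text):
    """Parse hosts.allow/hosts.deny text into (daemon tokens, client tokens)
    pairs; comments and blank lines are skipped, extra ':' fields ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(":")
        if not line or len(parts) < 2:
            continue
        daemons = re.split(r"[\s,]+", parts[0].strip())
        clients = re.split(r"[\s,]+", parts[1].strip())
        rules.append((daemons, clients))
    return rules


def rule_matches(rule, daemon, addr, name):
    daemons, clients = rule
    return (any(d == daemon or d.upper() == "ALL" for d in daemons)
            and any(token_matches(c, addr, name) for c in clients))


def access_granted(hosts_allow, hosts_deny, daemon, addr, ptr=PTR, fwd=A):
    """tcpd order: a match in hosts.allow grants, else a match in hosts.deny
    denies, else access is granted."""
    name = client_name(addr, ptr, fwd)
    if any(rule_matches(r, daemon, addr, name) for r in hosts_allow):
        return True
    if any(rule_matches(r, daemon, addr, name) for r in hosts_deny):
        return False
    return True


# Constructed configuration files for the example.
HOSTS_ALLOW = parse_rules("""
# /etc/hosts.allow
sshd: .example.org
""")
HOSTS_DENY = parse_rules("""
# /etc/hosts.deny with the default line under discussion
ALL: PARANOID
sshd: UNKNOWN
""")
HOSTS_DENY_RELAXED = parse_rules("""
# /etc/hosts.deny with that line commented out, as proposed in the thread
# ALL: PARANOID
sshd: UNKNOWN
""")

if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.21"):
        print(addr, client_name(addr),
              "sshd:", access_granted(HOSTS_ALLOW, HOSTS_DENY, "sshd", addr),
              "ftpd:", access_granted(HOSTS_ALLOW, HOSTS_DENY, "ftpd", addr),
              "sshd(relaxed):", access_granted(HOSTS_ALLOW, HOSTS_DENY_RELAXED, "sshd", addr))
```

Running it shows the split the thread is really about: 192.0.2.11 and 192.0.2.12 (reverse name present, forward lookup disagrees or fails) are PARANOID and are refused every service while the default line is present, but are let in once it is commented out; 192.0.2.13, which has no reverse record at all, is UNKNOWN and is unaffected by "ALL: PARANOID" either way, being refused only where a rule names UNKNOWN explicitly.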
