Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
On Wed, Apr 18, 2001 at 06:28:46PM -0500, Jos? Luis Rey wrote:
> From: Robert van der Meulen <firstname.lastname@example.org>
> > Quoting Andrew Pimlott (email@example.com):
> > > PARANOID is there for people who want to do DNS hostname based
> > > authentication and have it be slightly less broken. That's it. Can
> > > anyone else document a real case in which denying based on PARANOID
> > > helped?
> > There is no such thing as DNS hostname based authentication.
> > Can you give an example where you would want to allow access from an
> > inconsequently configured machine, that is run by someone who doesn't know
> > how to configure DNSs ?
> > The PARANOID setting helps in 'pushing' people to do correct DNS
> > configuration, it helps auditing, it keeps your (and others') networks in a
> > consequent and (DNS-wise) correctly configured state.
> > If removing the 'ALL: PARANOID' line fixes things for you, or makes life
> > easier for you, you should look into configuring your servers first, before
> > requesting a workstation install that allows for access by broken
> > machines.
> > Machines with broken DNS should not be allowed to connect anyway, but should
> > either be fixed, and in the remote possibility that you do want to allow
> > access from broken machines, the admin can alter /etc/hosts.deny.
> Tell that to local Venezuelan ISPs, no one has a clue about reverse DNS records, I have accounts on the biggest 2 (They would easily have more than 80% of market) and none of them knows anything about. I think that "ALL: PARANOID" policy have no big security wins and, is a too aggressive for novice users that may be confused about why can't they access their systems, when it isn't even their fault.
It doesn't have to be a big security win. It's still a win. It provides the
additional security as opposed to shipping with the distro's pants down.
If they are confused and want to open up access to the outside world, it's
time to learn just a tad about security. I think shipping with the most
security possible (within reason) is a better proponent for secure and
informed administrators than shipping with everything open.
It's not too aggressive. Would you prefer we ship with ssh allowing root logins and a default of no password for root so users can us without having to
understand what they are doing?