
Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default



On Wed, Apr 18, 2001 at 11:36:01AM -0400, Alan Shutko wrote:
> Robert van der Meulen <rvdm@cistron.nl> writes:
> 
> > It provides very normal security; reasonable certainty that hosts
> > connecting to your services are 'sane' in the sense that they have
> > both a valid DNS entry, and a valid reverse DNS entry to match.
>
> What security does this give you, seriously?  I can't see that it
> gives you any security at all, but it does block clients from (say)
> people on company networks that don't do reverse DNS for internal
> machines.

no, it doesn't.

it does nothing when the client's IP address does not have an
.in-addr.arpa PTR record.

it only blocks clients where the reverse lookup is wrong:

1. client connects
2. tcpd resolves ip address to hostname(s)
3. if successful, tcpd resolves those hostname(s) to ip address(es)
4. if they don't match, then PARANOID setting rejects the connection.

> It only gives you security if you're blocking services based on
> hostname, since otherwise someone not authoritative for your domain
> could set up reverse DNS matching that host name.  But if you aren't
> doing that (and you shouldn't), it gives you nothing.

that's precisely what the PARANOID setting is for, to prevent that kind
of DNS forgery.

the point of it is that if someone is faking the DNS, then they're
probably up to no good so reject the connection without giving them a
chance to do any harm.

i'd bet that the main reason why this kind of DNS spoofing isn't more
common is that most unix sites have been running tcp wrappers for years,
before most script-kiddies came on the scene...and probably before many
of them were even born.

craig

--
craig sanders <cas@taz.net.au>

      GnuPG Key: 1024D/CD5626F0 
Key fingerprint: 9674 7EE2 4AC6 F5EF 3C57  52C3 EC32 6810 CD56 26F0
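The four-step PARANOID check described in the message, as an added example that is not part of the original post and not tcpd's own code: a small Python model with injected resolver functions and a constructed DNS fixture (the hostnames and addresses below are assumptions), so it runs offline and shows the no-PTR, matching and forged-PTR cases.

```python
"""Model of the tcpd PARANOID check: forward-confirmed reverse DNS."""
from typing import Callable, Dict, List

# Resolver functions are injected so the example runs offline against
# constructed fixtures; a real deployment would query the system resolver.
ReverseLookup = Callable[[str], List[str]]   # ip -> PTR hostnames ([] if none)
ForwardLookup = Callable[[str], List[str]]   # hostname -> A records ([] if none)


def paranoid_check(client_ip: str, reverse: ReverseLookup,
                   forward: ForwardLookup) -> str:
    """Return 'ALLOW' or 'REJECT' following the four steps in the message.

    1. client connects (client_ip)
    2. resolve the IP to hostname(s) via its PTR record(s)
    3. if that succeeds, resolve those hostname(s) back to IP address(es)
    4. if none of those addresses matches client_ip, PARANOID rejects
    No PTR record at all means step 3 never runs, so the client is allowed.
    """
    names = reverse(client_ip)
    if not names:
        return "ALLOW"  # no reverse entry: PARANOID has nothing to compare
    for name in names:
        if client_ip in forward(name):
            return "ALLOW"  # forward record confirms the reverse claim
    return "REJECT"  # reverse name exists but does not map back: likely forged


# Constructed fixture (assumed names/addresses): what DNS would answer.
PTR: Dict[str, List[str]] = {
    "192.0.2.10": ["good.example.net"],
    "192.0.2.20": ["trusted.example.org"],  # forged PTR claiming a trusted name
    # 192.0.2.30 intentionally has no PTR record
}
A: Dict[str, List[str]] = {
    "good.example.net": ["192.0.2.10"],
    "trusted.example.org": ["203.0.113.5"],  # the real owner's address
}


def check_fixture(client_ip: str) -> str:
    """Run paranoid_check against the constructed fixture above."""
    return paranoid_check(client_ip,
                          lambda ip: PTR.get(ip, []),
                          lambda host: A.get(host, []))


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, check_fixture(ip))
```

Only the second case is rejected: the forged PTR names a host whose forward record points elsewhere, which is exactly the DNS forgery the message says PARANOID exists to catch.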