[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default

On Wed, Apr 18, 2001 at 02:58:33PM -0700, Adam McKenna wrote:
> On Wed, Apr 18, 2001 at 11:22:18PM +0200, Nils Jeppe wrote:
> > On Wed, 18 Apr 2001, Adam McKenna wrote:
> > 
> > > That's the point.  This _DOES_NOT_ increase security.  Anyone who believes it
> > > does is suffering from delusions.  All it does is make life harder on
> > > sysadmins, who, if they don't know this is enabled, may spend hours chasing
> > > down this problem.
> > 
> > And I say it does indeed increase security because there ARE people who
> > will use DNS lookup for access control, especially new/inexperienced
> > admins or those who want a quick and dirty solution. I have seen one
> > attempt where spoofed reverse lookup was used in an attempt to gain
> > access, and where one attempt exists, many more actually happen.
> It provides a *sliver* more security for those people who are relying on DNS 
> (or more to the point, BIND), for security, which is insecure in the first 
> place.  We shold be discouraging this behavior.  I'd like to see the default
> be changed to the following --
> hosts.deny
> hosts.allow
> ALL:
> ALL: (local network)

I see another guru missing contact with reality here.
Let's all compile the kernel by hand! rm -f /usr/src/linux/MAKEFILE

Pedro Larroy Tovar. PiotR | http://omega.resa.es/piotr/

Reply to: