[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default


Quoting Sam Hartman (hartmans@mit.edu):
> It only provides this if no one is spoofing.  So, it only secures you
> against misconfigured sites (often legitimate users who have sucky
> ISPs) and attackers who don't know how to correctly spoof DNS.
Spoofing, dns poisoning, /etc/hosts poisoning.

> Especially for protocols like ssh which have strong authentication and
> don't care about the DNS security for proper operation, this line adds
> no security and simply annoyes authorized users.
Yep, 'ssh' doesn't win from this.

> If you believe it is useful, please provide specific examples that
> show how it protects common system configurations against real
> attacks.
First, i am _not_ claiming that 'ALL: PARANOID' is a strong security
mechanism. I am only claiming that it is just another (albeit small) layer
of extra security, and a layer that prevents dumb or lazy sysadmins to do
good configging. Having a big argument about a small line that rejects _bad_
network configurations is st00pid.
'ALL: PARANOID' rejects hosts that have _incorrect_ dns configurations.
'ALL: PARANOID' keeps a small amount of spoofed/poisoned connects from being
accepted by a daemon/inetd entry.
'ALL: PARANOID' is a small, almost meaningless extra layer.
It also adds security, and enforces proper network configuration.

A system that out-of-the-box allows connections from systems that are not
properly configured is _not_ good. Have debconf say something about this
line when it is installed, mention it on some important places or try to
teach people how to read logfiles, but do not allow inexperienced users to
go on and make mistakes,misconfigure things and to think it's normal to do
it that way.

			      Linux Generation
   encrypted mail preferred. finger rvdm@debian.org for my GnuPG/PGP key.
	Dance is the vertical expression of a horizontal intention.

Reply to: