Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
On Wed, Apr 18, 2001 at 03:13:38PM -0500, Stephen Langasek wrote:
> On Wed, 18 Apr 2001, Andrew Pimlott wrote:
> > On Wed, Apr 18, 2001 at 05:25:49PM +0200, Robert van der Meulen wrote:
> > > Quoting PiotR (email@example.com):
> > > > Having ALL: PARANOID in /etc/hosts.deny only causes problems and doesn't
> > > > provide any special security. Its very annoing when you can't access some
> > > > server because this. Or worse, the clients doesn't accept the server stuff.
> > > You're right. it doesn't provide special security.
> > > It providers very normal security; reasonable certainty that hosts
> > > connecting to your services are 'sane' in the sense that they have both a
> > > valid DNS entry, and a valid reverse DNS entry to match.
> > The default Debian security model is basically that anyone with the
> > right password or private key gets in, regardless of the "sanity" of
> > the client host. Adding this one check is arbitrary. It still
> > allows IP addresses that don't reverse resolve. It still allows
> > hosts that are insane (or evil) but have competant DNS
> > administrators. It doesn't improve the audit trail, since anyone
> > who can control an IP addr -> hostname lookup could just as well
> > have returned no hostname (note: tcpd always performs the IP address
> > -> hostname -> IP address cross-check, so it won't ever log a forged
> > name).
> The two most common causes of a forward-reverse mismatch, in my experience,
> are 1) delinquent DNS administrators, and 2) delinquent "other"s who are
> trying to mislead the box's administrator into believing that the attack is
> coming from somewhere other than it really is. If you have /any/ software
> on your machine which logs hostnames instead of IPs, and your software
> doesn't check to make sure the forward and reverse match, it's relatively
> easy for an attacker to throw you off his trail. ALL: PARANOID *does*
> improve the audit trail, because it prevents an attacker from placing
> misleading information in your audit logs. Yes, if someone has control over
> their own DNS, they can omit reverse nameservice or provide a reverse that
> has a matching forward; but if they do that, they're no longer hiding their
Didn't you heard about a lot of ISP's who don't know what an inverse dns record is? Didn't you know that you can't set up your own inverse dns record if you don't own the whole network?
Please visit http://ipindex.dragonstar.net and find who owns the networks. You won't find a lot of end-user single IP's.
> Steve Langasek
> postmodern programmer
Pedro Larroy Tovar. PiotR | http://omega.resa.es/piotr/