Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
Quoting PiotR (email@example.com):
> > The question here is if we want to ship debian systems with or without the
> > 'PARANOID' rule. If we want to enable people to have their systems accessed
> > by r- utilities on networks with badly configured DNS systems, with
> > sysadmins lacking the spirit to either fix their network or fix /etc/hosts,
> > we should definitely remove 'PARANOID' from /etc/hosts.deny.
> > If we want to 'Do The Right Thing', enforce well-configured DNS systems, and
> IMHO that exceeds our objectives and those of the Debian developers. I think it is
> not Debian's objective to enforce a well-structured internet, which it is not.
> It's by far more important that our operating system doesn't act weirdly when
> it shouldn't. Not to mention giving unnecessary headaches to netadmins.
A netadmin that gets a headache from 'weird' behavior such as this, isn't.
Look around you. We already 'enforce' a structured internet.
We enforce RFCs on mail headers, on network protocols. We disallow remote
root logins on our sshd. If the word 'enforce' is what's bothering you,
replace it with 'motivate' or something with a similar meaning.
> And denying network services, which might be crucial. Let's think in usability
> first: I don't like my servers denying connections to clients ( which could keep
> my company from making money or giving service to customers ). Is that
> supposed exquisite-security-enhancement worth denying a lot of connections,
> with the consequences that this might have?
Frankly, I don't care about your company losing money. If your company has
sysadmins that are too stupid to get either DNS and/or tcpwrappers to work
correctly, they shouldn't be making money in IT anyways. (Especially when
they don't get that they can _remove_ the line if it keeps the company from
making money )
It is not the Debian objective for your company to be profitable. It is the
Debian objective to build a Free, 'Better' operating system.
> I strongly believe that the answer is NO. And so it should be removed,
> and left as an option for PARANOID netadmins, which want a false feel of dns
> based security.
It is not paranoia to add an extra layer of security, and it is not paranoia
to have a configuration setting to add some extra coherency to a network.
Having this setting in /etc/hosts.deny does _not_ give a false feel of dns
based security, it gives more clarity and ease (ok. this sounds too
marketing-technically-correct, so easy on the effect please).
I personally really don't know what the fuss is about. This is a
security-enhancing setting (I know; not a big one, securitywise) that gives
problems with people having broken DNS. These people will have problems
with other systems as well. They will have problems irc-ing, ftp-ing and
ssh-ing to a _lot_ of other machines. They Will Notice. We're talking about
a setting that has been active for quite some time now. The amount of people
having problems with it seems small. A lot of people want this feature or
will enable it (when removed). If it rains, you get wet - if you have broken
DNS, you get problems connecting to Quite Some Sites.
encrypted mail preferred. finger firstname.lastname@example.org for my GnuPG/PGP key.
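As an added illustration (not code from this thread, from Debian or from tcpwrappers itself), the script below emulates what the `ALL: PARANOID` rule in /etc/hosts.deny tests for, following the hosts_access(5) description: a client passes only if the name from its reverse (PTR) lookup resolves forward to the connecting address; a client with no PTR record at all is "unknown", which the UNKNOWN wildcard matches rather than PARANOID. The function names, and the fake resolver tables using RFC 5737 documentation addresses, are constructed for this example; with the default arguments it queries the real resolver, so a netadmin can run it against their own clients' addresses and see which ones the rule would reject before deciding whether to keep it.

```python
"""Emulate the tcpwrappers PARANOID check for a client address.

Added example, not code from the thread, Debian or tcpwrappers.
The rule under discussion in /etc/hosts.deny is:

    ALL: PARANOID

which denies any client whose reverse (PTR) name does not resolve
back to the connecting address.  Modelled on hosts_access(5): a
client with no PTR at all is "unknown", not "paranoid", so the
PARANOID wildcard does not match it (UNKNOWN does).
"""
import socket
from typing import Callable, Iterable, List

# Resolver hooks so the logic can be exercised offline with fake tables.
ReverseLookup = Callable[[str], str]            # ip -> PTR name, raises OSError
ForwardLookup = Callable[[str], Iterable[str]]  # name -> addresses, raises OSError


def system_reverse(ip: str) -> str:
    """Real PTR lookup via the system resolver (socket.herror is an OSError)."""
    return socket.gethostbyaddr(ip)[0]


def system_forward(name: str) -> List[str]:
    """Real forward lookup; every A/AAAA address the name resolves to."""
    return [info[4][0] for info in socket.getaddrinfo(name, None)]


def classify_client(ip: str,
                    reverse: ReverseLookup = system_reverse,
                    forward: ForwardLookup = system_forward) -> str:
    """Return "ok", "unknown" or "paranoid" for one client address.

    "paranoid" is the case ALL: PARANOID in hosts.deny would reject.
    """
    try:
        name = reverse(ip)
    except OSError:
        return "unknown"            # no PTR: matches UNKNOWN, not PARANOID
    try:
        addrs = set(forward(name))
    except OSError:
        return "paranoid"           # PTR name does not resolve forward at all
    return "ok" if ip in addrs else "paranoid"


def would_paranoid_deny(ip: str,
                        reverse: ReverseLookup = system_reverse,
                        forward: ForwardLookup = system_forward) -> bool:
    """True when the client would be denied by an ALL: PARANOID entry."""
    return classify_client(ip, reverse, forward) == "paranoid"


# Constructed fixtures (RFC 5737 documentation addresses, not real hosts).
FAKE_PTR = {
    "192.0.2.10": "good.example.net",     # forward/reverse agree
    "192.0.2.20": "spoofed.example.net",  # PTR points at a name owned by another IP
    "192.0.2.40": "stale.example.net",    # PTR names a host with no forward record
}
FAKE_A = {
    "good.example.net": ["192.0.2.10", "192.0.2.11"],
    "spoofed.example.net": ["192.0.2.99"],
}


def fake_reverse(ip: str) -> str:
    """Offline PTR lookup over the constructed table."""
    if ip not in FAKE_PTR:
        raise socket.herror(1, "Unknown host")
    return FAKE_PTR[ip]


def fake_forward(name: str) -> List[str]:
    """Offline forward lookup over the constructed table."""
    if name not in FAKE_A:
        raise socket.gaierror(-2, "Name or service not known")
    return FAKE_A[name]


if __name__ == "__main__":
    # 192.0.2.30 has no PTR at all and exercises the "unknown" path.
    for client in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(client, classify_client(client, fake_reverse, fake_forward))
```

The distinction between "unknown" and "paranoid" matters for the thread's argument: a client with merely missing reverse DNS is not what PARANOID catches; it is the client whose PTR name disagrees with its address, which is the case the posters on both sides are really arguing about.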