Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
On Thu, Apr 19, 2001 at 04:53:43AM +0200, Robert van der Meulen wrote:
> Quoting PiotR (firstname.lastname@example.org):
> > > The question here is if we want to ship debian systems with or without the
> > > 'PARANOID' rule. If we want to enable people to have their systems accessed
> > > by r- utilities on networks with badly configured DNS systems, with
> > > sysadmins lacking the spirit to either fix their network or fix /etc/hosts,
> > > we should definitely remove 'PARANOID' from /etc/hosts.deny.
> > > If we want to 'Do The Right Thing', enforce well-configured DNS systems, and
> > ^^^^^^^^
> > IMHO that exceeds our objectives and those of the debian developers. I think it is
> > not debian's objective to enforce a well-structured internet, which it is not.
> > It's by far more important that our operating system doesn't act weirdly when
> > it shouldn't. Not to mention giving unnecessary headaches to netadmins.
> A netadmin that gets a headache from 'weird' behavior such as this, isn't.
> Look around you. We already 'enforce' a structured internet.
> We enforce RFC's on mail headers, on network protocols. We disallow remote
> root logins on our sshd. If the word 'enforce' is what's bothering you,
> replace it with 'motivate' or something with a similar meaning.
> > And denying network services, which might be crucial. Let's think of usability
> > first: I don't like my servers denying connections to clients ( which could keep
> > my company from making money or giving service to customers ). Is that
> > supposed exquisite-security-enhancement worth denying a lot of connections,
> > with the consequences that this might have?
> Frankly, i don't care about your company losing money. If your company has
> sysadmins that are too stupid to get either DNS and/or tcpwrappers to work
> correctly, they shouldn't be making money in IT anyways. (Especially when
> they don't get that they can _remove_ the line if it keeps the company from
> making money )
> It is not the Debian objective for your company to be profitable. It is the
> Debian objective to build a Free, 'Better' operating system.
Yes you are right here, I was writing that as a hypothetical case. I run no company, I'm a student and network administrator. And my objective here is to point out that this configuration directive is worse than useless, it's against debian defaults, and causes a lot of annoyance.
> > I strongly believe that the answer is NO. And so it should be removed,
> > and left as an option for PARANOID netadmins, which want a false feel of dns
> > based security.
> It is not paranoia to add an extra layer of security, and it is not paranoia
> to have a configuration setting to add some extra coherency to a network.
> Having this setting in /etc/hosts.deny does _not_ give a false feel of dns
> based security, it gives more clarity and ease (ok. this sounds too
> marketing-technically-correct, so easy on the effect please).
> I personally really don't know what the fuss is about. This is a
> security-enhancing setting (i know; not a big one, securitywise) that gives
> problems with people having broken DNS's. These people will have problems
> with other systems as well. They will have problems irc-ing, ftp-ing and
> ssh-ing to a _lot_ of other machines. They Will Notice. We're talking about
> a setting that has been active for quite some time now. The amount of people
> having problems with it seems small. A lot of people want this feature or
> will enable it (when removed). If it rains, you get wet - if you have broken
> DNS, you get problems connecting to Quite Some Sites.
The fact that it has been annoying debian users worldwide for some time doesn't justify that we cannot pause to think twice before releasing woody with this.
RFCs and Proposed Standards are there for something. But making our server deny all connections from worldwide-broken-inverse-dns clients with no apparent security enhancement is very different. Moreover nobody has proven that it enhances any security in the system yet. I only see obtuse views about exquisite security in post-installed systems, which is wrong. Especially when you have to pay the price of denying connections. Besides I have seen various posts that say their ISPs don't know anything about inverse dns. And I positively know that there are a LOT of public IPs with this kind of broken dns. We already have bind's logs to tell us who has misconfigured dns servers.
> Linux Generation
> encrypted mail preferred. finger email@example.com for my GnuPG/PGP key.
> Don't panic.
Pedro Larroy Tovar. PiotR | http://omega.resa.es/piotr/
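The thread argues about `ALL: PARANOID` in /etc/hosts.deny without spelling out what the rule tests. Per hosts_access(5), PARANOID matches a client whose reverse (PTR) name does not resolve forward to the connecting address; a client with no PTR record at all is recorded as "unknown" and matches UNKNOWN instead. The script below is an added example, not code from the thread or from tcp_wrappers: it reproduces that forward-confirmed reverse lookup so an administrator can tell in advance which of their clients a PARANOID rule would reject. The resolver tables (`PTR_TABLE`, `A_TABLE`) and the 192.0.2.x / 198.51.100.x addresses are constructed test data so the example runs offline; `live_reverse` / `live_forward` use the system resolver instead. It simplifies tcp_wrappers' check by skipping its comparison of the PTR name against the forward lookup's canonical name.

```python
import socket
from typing import Callable, Dict, List, Optional

# Constructed DNS data standing in for a real resolver so the example runs offline.
# PTR_TABLE: address -> reverse (PTR) name.  A_TABLE: name -> forward (A) addresses.
PTR_TABLE: Dict[str, str] = {
    "192.0.2.10": "good.example.net",       # forward and reverse agree
    "192.0.2.20": "liar.example.net",       # PTR name resolves to a different address
    "192.0.2.30": "noforward.example.net",  # PTR name has no forward record at all
    # 192.0.2.40 deliberately has no PTR record (the "unknown" case)
}
A_TABLE: Dict[str, List[str]] = {
    "good.example.net": ["192.0.2.10"],
    "liar.example.net": ["198.51.100.5"],
}

ReverseFn = Callable[[str], Optional[str]]
ForwardFn = Callable[[str], List[str]]


def table_reverse(addr: str) -> Optional[str]:
    """PTR lookup against the constructed table."""
    return PTR_TABLE.get(addr)


def table_forward(name: str) -> List[str]:
    """A lookup against the constructed table."""
    return A_TABLE.get(name, [])


def live_reverse(addr: str) -> Optional[str]:
    """PTR lookup via the system resolver (swap in for real checks)."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_forward(name: str) -> List[str]:
    """A lookup via the system resolver (swap in for real checks)."""
    try:
        return [ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)]
    except socket.gaierror:
        return []


def classify_client(addr: str,
                    reverse: ReverseFn = table_reverse,
                    forward: ForwardFn = table_forward) -> str:
    """Return the client name tcp_wrappers would record for addr:
    the verified hostname, "unknown" (no PTR record; matches UNKNOWN), or
    "paranoid" (PTR name does not resolve back to addr; matches PARANOID)."""
    name = reverse(addr)
    if name is None:
        return "unknown"
    if addr not in forward(name):
        return "paranoid"
    return name


def denied_by_paranoid_rule(addr: str,
                            reverse: ReverseFn = table_reverse,
                            forward: ForwardFn = table_forward) -> bool:
    """True when 'ALL: PARANOID' in /etc/hosts.deny would reject this client."""
    return classify_client(addr, reverse, forward) == "paranoid"


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(f"{addr:<12} -> {classify_client(addr):<20} "
              f"denied={denied_by_paranoid_rule(addr)}")
```

Two things the output makes visible that the thread glosses over: a client whose ISP publishes no reverse record at all is "unknown", not "paranoid", so the PARANOID line alone does not reject it; and since hosts.allow is consulted before hosts.deny (unless tcpd was built with -DPARANOID), clients you trust can be listed there by address and are admitted regardless of the state of their DNS.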