
Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default



On Thu, Apr 19, 2001 at 03:42:43AM +0200, PiotR wrote:

> Most of us don't have control over our dns records. Which are under
> control of fascist Telecommunication Megacorporations such as
> Telefonica.

that is completely irrelevant. it doesn't matter whether you control the
DNS or not. it only matters that: if the PTR record exists, then it must
be accurate.

it looks to me like all you people who are complaining about
"ALL: PARANOID" are whining about something you don't understand. more
to the point, your whinges are based on false assumptions about how it
works.

ALL:PARANOID does *NOT* reject a connection if there is no reverse
lookup. the *ONLY* time when the PARANOID setting makes any difference
at all is when the reverse lookup does not match the "forward" lookup.

if there is no such PTR record, then it is ignored.

e.g. if IP address a.b.c.d has a d.c.b.a.in-addr.arpa PTR record saying
that it is dialup01.example.com then dialup01.example.com *MUST* have an
A record "IN A a.b.c.d".

if there are multiple A records and/or multiple PTR records (both of
which are perfectly valid occurrences) then *ALL* must fail to match
before PARANOID will reject the connection. in other words, any match is
good enough to "pass" the test.


ALL:PARANOID is a good default setting.  

ALL:ALL would be better, but PARANOID is a reasonable compromise.

if you don't like the default, then change it to whatever you like.


my /etc/hosts.deny looks like this:

ALL : ALL \
  : spawn = (/usr/local/sbin/tcpd-spawn "%a" "%h" "%u" "%d")& \
  : twist = /bin/echo unauthorised access attempt logged.  sysadmin notified.

tcpd-spawn is a script which logs the event and mails me details (and
does some other stuff too)

/etc/hosts.allow has various rules which override the default deny all
policy.

this is good security practice: deny everything except that which you
know you need to allow.


craig

--
craig sanders <cas@taz.net.au>

      GnuPG Key: 1024D/CD5626F0 
Key fingerprint: 9674 7EE2 4AC6 F5EF 3C57  52C3 EC32 6810 CD56 26F0



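The forward/reverse consistency rule described in the message above, as an added example that simulates it over constructed DNS tables; this is not tcpd's own code, and the names and addresses (RFC 5737 documentation ranges) are made up for illustration.

```python
# Added example, not part of the original message or of tcp_wrappers.
# Simulates the check behind the PARANOID wildcard: look up the client's
# PTR record(s), then look up the A record(s) of each returned name, and
# treat the client as PARANOID only when none of them points back at the IP.

# Constructed reverse zone: IP -> list of PTR names (several are legal).
PTR = {
    "192.0.2.10": ["dialup01.example.com"],                 # consistent
    "192.0.2.11": ["old.example.com", "new.example.com"],   # only one name matches
    "192.0.2.12": ["spoofed.example.org"],                  # forward lookup disagrees
    "192.0.2.13": ["nowhere.example.net"],                  # name has no A record
    # 192.0.2.14 deliberately has no PTR record at all
}

# Constructed forward zone: name -> list of A records (several are legal).
A = {
    "dialup01.example.com": ["192.0.2.10"],
    "old.example.com": ["198.51.100.5"],
    "new.example.com": ["203.0.113.7", "192.0.2.11"],
    "spoofed.example.org": ["203.0.113.99"],
}


def paranoid_rejects(ip, ptr=PTR, a=A):
    """True if an "ALL: PARANOID" rule would match (i.e. reject) this client.

    No PTR record at all: the check is skipped, so the client is not rejected.
    Otherwise every PTR name must fail to resolve back to the IP before the
    client is rejected; a single forward/reverse match is enough to pass.
    """
    names = ptr.get(ip, [])
    if not names:
        return False
    for name in names:
        if ip in a.get(name, []):
            return False  # any one match is good enough
    return True


if __name__ == "__main__":
    for client in ("192.0.2.10", "192.0.2.11", "192.0.2.12",
                   "192.0.2.13", "192.0.2.14"):
        verdict = "REJECT (PARANOID)" if paranoid_rejects(client) else "pass"
        print(f"{client:<12} PTR={PTR.get(client, [])!s:<45} -> {verdict}")
```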