[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default

On Wed, Apr 18, 2001 at 08:47:42PM -0700, John H. Robinson, IV wrote:
> not all services are tcpwrapped.  as a matter of fact, exactly TWO types
> of services are tcpwrapped:
>       * those spawned from inetd, that explicitly have tcpd in their
>         invocation
>       * those compiled with libwrap
> 
> not all services suffer as such. so to say a system with ALL:ALL in
> hosts.deny (i hate that file. it should go away. replaced with
> echo ALL:ALL:DENY >> /etc/hosts.allow) disallows ALL networking is
> false. the suggestion to have localhost and localnet in hosts.allow, and
> all:all:deny in hosts.allow is a very good one.
> 
> SECURE by default. open up by a positive action.

If we want things to be secure then let's make them secure.  PARANOID is
half-assed security.  Let's ask people to decide at installation what IP
ADDRESSES they want in those files.  It's not that hard to do.

--Adam

-- 
Adam McKenna  <adam@debian.org>  <adam@flounder.net>
Reply to: