Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
On Thu, Apr 19, 2001 at 03:22:26AM +0200, Robert van der Meulen wrote:
> Quoting Sam Hartman (email@example.com):
> > It only provides this if no one is spoofing. So, it only secures you
> > against misconfigured sites (often legitimate users who have sucky
> > ISPs) and attackers who don't know how to correctly spoof DNS.
> Spoofing, DNS poisoning, /etc/hosts poisoning.
These are all reasons why people should not be relying on DNS or /etc/hosts
for access control.
> > If you believe it is useful, please provide specific examples that
> > show how it protects common system configurations against real
> > attacks.
> First, I am _not_ claiming that 'ALL: PARANOID' is a strong security
> mechanism. I am only claiming that it is just another (albeit small) layer
> of extra security, and a layer that prevents dumb or lazy sysadmins to do
> good configging. Having a big argument about a small line that rejects _bad_
> network configurations is st00pid.
> 'ALL: PARANOID' rejects hosts that have _incorrect_ DNS configurations.
> 'ALL: PARANOID' keeps a small amount of spoofed/poisoned connects from being
> accepted by a daemon/inetd entry.
Not really. It only protects situations where the IN-ADDR.ARPA record is
purposely changed by someone in control of the reverse zone. If someone is
able to "spoof" (perform cache poisoning), they will be able to defeat
PARANOID "security" as well.
> Have debconf say something about this
> line when it is installed, mention it on some important places or try to
> teach people how to read logfiles, but do not allow inexperienced users to
> go on and make mistakes, misconfigure things and to think it's normal to do
> it that way.
We already ask people for local networks during installation. How hard would
it be to add an extra question or two?
"Do you want to only allow connections from these local networks?"
"Do you want to add more allowed networks?"
etc. These are not hard questions. They require a minimal amount of
networking knowledge to answer, and if the user doesn't even have THAT much
clue, then they can just accept the default.
Adam McKenna <firstname.lastname@example.org> <email@example.com>
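
Added example, not part of the original message and not tcp_wrappers code: a simplified model of the name/address consistency check behind the PARANOID wildcard, next to an address-based rule of the kind proposed above. Resolver answers are constructed dicts, and all names, addresses and function names are assumptions chosen for illustration.

```python
import ipaddress

def classify(addr, ptr, fwd):
    """Host name a wrapper would assign to client `addr`.

    ptr: address -> name      (resolver's answer to the reverse lookup)
    fwd: name -> [addresses]  (resolver's answer to the forward lookup)
    """
    name = ptr.get(addr)
    if name is None:
        return "unknown"       # no reverse record: UNKNOWN, not PARANOID
    if addr not in fwd.get(name, ()):
        return "paranoid"      # name does not map back to the address
    return name                # answers agree, so the name is believed

def name_rule(addr, ptr, fwd, trusted_names):
    """Name-based allow list; 'paranoid' and 'unknown' never match it."""
    return classify(addr, ptr, fwd) in trusted_names

def network_rule(addr, networks):
    """Address-based allow list; no resolver answer is consulted."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in networks)

# Constructed sample data (documentation address ranges and names).
TRUSTED_NAMES = {"admin.example.com"}
LOCAL_NETS = ["192.0.2.0/24"]
INSIDER = "192.0.2.10"
OUTSIDER = "198.51.100.7"
REAL_FWD = {"admin.example.com": [INSIDER]}

# Three resolver views of the same outside client, as (ptr, fwd) pairs.
VIEWS = {
    # ISP published a PTR but no matching forward record.
    "misconfigured": ({OUTSIDER: "dsl-7.isp.example"}, REAL_FWD),
    # Reverse zone owner claims a trusted name; forward zone is untouched.
    "forged_ptr": ({OUTSIDER: "admin.example.com"}, REAL_FWD),
    # Both answers in the resolver's cache are wrong and agree.
    "poisoned_cache": ({OUTSIDER: "admin.example.com"},
                       {"admin.example.com": [OUTSIDER]}),
}

def report():
    """Per view: (name assigned, name rule result, network rule result)."""
    return {label: (classify(OUTSIDER, ptr, fwd),
                    name_rule(OUTSIDER, ptr, fwd, TRUSTED_NAMES),
                    network_rule(OUTSIDER, LOCAL_NETS))
            for label, (ptr, fwd) in VIEWS.items()}

if __name__ == "__main__":
    for label, row in report().items():
        print(label, row)
```

The consistency check flags the first two views, while the third passes the name rule because both lookups agree; the network rule gives the same answer in all three.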