
Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default

I think that the main point people are missing here is that in order for 
PARANOID to be anything other than an annoyance, it MUST co-exist with
hostname-based rules.

This means the admin MUST edit /etc/hosts.allow and/or hosts.deny and add
rules.  Why can't he decide then whether he wants to enable PARANOID
checking?  What does PARANOID buy on a host that has no other access rules?

If we really want to make the internet a better place, we should start doing
what the security-conscious started doing YEARS ago, and stop relying on
hostnames and DNS information altogether.  Educate people and force them to
use IP-based access control.

This can be accomplished with a few lines of debconf code, and eliminate the
annoyance.  Why aren't we doing it?  So we can be pedantic and enforce
"correct" DNS configuration?  That's a bullshit reason.


Adam McKenna  <adam@debian.org>  <adam@flounder.net>
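
The message above turns on the difference between name-based and IP-based rules. The following is an added example, not part of the original post and not tcp_wrappers code: a simplified model of the name/address consistency check that a PARANOID rule keys on. The DNS tables, addresses (documentation ranges) and function names are all constructed assumptions.

```python
import ipaddress

# Constructed DNS data. Reverse (PTR) records are published by whoever
# controls the address block; forward (A) records by whoever controls the name.
PTR = {
    "192.0.2.10": "trusted.example.org",    # the real trusted host
    "203.0.113.66": "trusted.example.org",  # foreign block claiming the same name
}
A = {"trusted.example.org": ["192.0.2.10"]}


def paranoid_mismatch(ip, ptr=PTR, a=A):
    """True when ip has a name and that name does not resolve back to ip."""
    name = ptr.get(ip)
    return name is not None and ip not in a.get(name, [])


def hostname_rule_allows(ip, allowed_name, verify, ptr=PTR, a=A):
    """Model of a name-based allow rule; 'verify' adds the consistency check."""
    if verify and paranoid_mismatch(ip, ptr, a):
        return False
    return ptr.get(ip) == allowed_name


def ip_rule_allows(ip, allowed_net):
    """Model of an address-based allow rule; no DNS lookup is involved."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(allowed_net)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.66"):
        print(
            ip,
            "name rule, unverified:", hostname_rule_allows(ip, "trusted.example.org", False),
            "| name rule, verified:", hostname_rule_allows(ip, "trusted.example.org", True),
            "| IP rule:", ip_rule_allows(ip, "192.0.2.0/24"),
        )
```

In this model the consistency check changes the outcome only for the name-based rule; the address-based rule gives the same answer whatever DNS says.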
