Re: ALL: PARANOID from /etc/hosts.deny ...
While /etc/hosts.deny is easy (I always use ALL: ALL), the real
problem is /etc/hosts.allow. The issue is that there is an
increasing number of services not run from inetd for which it
is not clear 1) if they are wrapped, 2) what daemon name to use.
Some examples:
- netbios-ssn, netbios-ns service names, but one must use the
binary names smbd, nmbd
- rpc.mountd binary, but one must use mountd daemon name
- rsync, apparently cannot be wrapped even when run from inetd
- ntpd, apparently not wrapped and without its own access control
(but there was a recent remote exploit)
- printer, apparently not wrapped but with its own access control
- sendmail, apparently wrapped, the only package I noticed
to add itself to /etc/hosts.{deny,allow}
Since tcp-wrappers are one important defense line it would be
very helpful to admins if this info is centrally available
(which is probably undoable), or at least that individual packages
are documented in README.Debian (like sendmail).
-Igor Mozetic
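
One way to check the first question above (is a standalone daemon wrapped?) for binaries that link libwrap dynamically, as an added example that is not part of the original message. The function names and the sample ldd lines are constructed for illustration. A "no-libwrap" verdict does not cover services wrapped by tcpd from inetd or statically linked binaries, and a "libwrap" verdict does not reveal which daemon name the program passes to hosts_access().

```shell
#!/bin/sh
# Added example: report whether daemon binaries link libwrap dynamically.
# Usage: sh wrapcheck.sh /usr/sbin/smbd /usr/sbin/rpc.mountd ...

# classify_ldd: read `ldd` output on stdin and print one verdict.
classify_ldd() {
    awk '
        /libwrap\.so/ && /not found/ { missing = 1; next }
        /libwrap\.so/                { found = 1 }
        END {
            if (found)        print "libwrap"
            else if (missing) print "libwrap-missing"
            else              print "no-libwrap"
        }'
}

# wrap_status: verdict for one binary path.
wrap_status() {
    if [ ! -f "$1" ]; then
        echo "not-a-file"
        return 0
    fi
    # ldd may invoke the file's loader, so run it only on packaged binaries.
    # Static or non-ELF files produce no usable output: "no-libwrap".
    ldd "$1" 2>/dev/null | classify_ldd
}

# Constructed samples of ldd output (not captured from a real system).
sample_wrapped() {
    cat <<'EOF'
    libwrap.so.0 => /lib/libwrap.so.0 (0x40020000)
    libc.so.6 => /lib/libc.so.6 (0x40030000)
EOF
}
sample_unwrapped() {
    cat <<'EOF'
    libc.so.6 => /lib/libc.so.6 (0x40030000)
EOF
}

# report: print "path<TAB>verdict" for each argument.
report() {
    for bin in "$@"; do
        printf '%s\t%s\n' "$bin" "$(wrap_status "$bin")"
    done
}

report "$@"
```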