
Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default



On Thu, Apr 19, 2001 at 07:28:09AM -0400, Michael Stone wrote:
> On Wed, Apr 18, 2001 at 11:25:23PM -0700, Adam McKenna wrote:
> > I think that the main point people are missing here is that in order for 
> > PARANOID to be anything other than an annoyance, it MUST co-exist with
> > hostname-based rules.
> 
> *YES*, this is correct! All those making silly statements about the
> security added by PARANOID should read the above. Study it carefully.
> Think about what security *used to be* at the time tcp wrappers were
> invented. [...] Suggesting that dns records should
> be used as a basis for such checks is dangerously misleading. 

If you think that tcpwrappers provides ANY sort of security whatsoever, you
need to be LARTED repeatedly with the most LARTy LART any LARTer can find.

Seriously.

If you want security, you run a stateful firewall (think: iptables) with -P
DROP, only a few explicit ports let through, only to the lucky few, no
telnet, etc. But does this *look* like Trustix? Nope. Not DeadRat, either,
but not Trustix. Debian has end-users, a lot of whom won't bother to set up
firewalls, because it's only a home box, and we can't force them to. But
setting up sane tcpwrappers defaults will go a LONG WAY. (Also see what I've
written below).

> Now I'm sure some people will argue that PARANOID helps the clueless who
> don't know that dns is trivially spoofed. But you can't have it both
> ways--you can't argue that PARANOID is good even though less experienced
> admins will have hard-to-diagnose problems, and that such admins need a
> lart, and then argue that PARANOID is undeniably necessary because it
> adds a shred of *false confidence* for clueless admins. Which of the two
> clueless admins is being led into *dangerous* territory?

I still have this on my system, and will until something like this is valid:
iptables -A INPUT -m dns ! --valid-both-ways -j DROP
But, it's not, and never will be, because this goes through to the kernel,
and DNS (especially both-way) in the kernel just sucks. So it is actually
still a nice thingy to have around, *even if* you happen to run a pretty
strong firewall, which I do.

-- 
Daniel Stone
Linux Kernel Developer
daniel@kabuki.openfridge.net

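The forward/reverse DNS agreement that PARANOID stands for, and why it only matters when hostname-based rules are in play, as an added Python model (not tcpd's code and not from this thread; the DNS records, rules and hostnames are constructed):

```python
# Added example, not code from the thread: a small model of how tcpd resolves
# a client and walks hosts.allow / hosts.deny. DNS data and rules are constructed.

PTR = {  # constructed reverse records: address -> name claimed by the PTR
    "192.0.2.10": "trusted.example.net",
    "192.0.2.99": "trusted.example.net",  # PTR controlled by the address owner
}
A = {    # constructed forward records: name -> addresses
    "trusted.example.net": {"192.0.2.10"},
}

def resolve_client(addr, ptr=PTR, a=A):
    """Return (addr, hostname, paranoid). tcpd only believes the PTR name when
    the name's forward records include the connecting address."""
    name = ptr.get(addr)
    if name is None:
        return addr, None, False          # no PTR: unknown host, not paranoid
    if addr in a.get(name, set()):
        return addr, name, False          # forward and reverse agree
    return addr, None, True               # mismatch: name discarded, PARANOID

def pattern_matches(pattern, client):
    """Subset of the client patterns described in hosts_access(5)."""
    addr, name, paranoid = client
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return paranoid
    if pattern.endswith("."):             # network prefix, e.g. "192.0.2."
        return addr.startswith(pattern)
    if pattern.startswith("."):           # domain suffix, e.g. ".example.net"
        return name is not None and name.endswith(pattern)
    return pattern in (addr, name)        # exact address or hostname

def access(daemon, addr, allow, deny, ptr=PTR, a=A):
    """hosts.allow is consulted first, then hosts.deny; no match means allow.
    Each table is a list of (daemon_pattern, [client_patterns])."""
    client = resolve_client(addr, ptr, a)
    for table, verdict in ((allow, True), (deny, False)):
        for d, patterns in table:
            if d in ("ALL", daemon) and any(pattern_matches(p, client) for p in patterns):
                return verdict
    return True

DENY = [("ALL", ["PARANOID"]), ("ALL", ["ALL"])]
HOSTNAME_ALLOW = [("sshd", [".example.net"])]   # decision depends on DNS
ADDRESS_ALLOW = [("sshd", ["192.0.2."])]        # decision never looks at DNS
# e.g. access("sshd", "192.0.2.99", ADDRESS_ALLOW, DENY) -> True: PARANOID never consulted
```

With the hostname-based allow rule the spoofed PTR for 192.0.2.99 is discarded and the connection is denied; with the address-based rule hosts.allow matches first and the PARANOID entry in hosts.deny is never reached.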
