
Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default



On Thu, Apr 19, 2001 at 08:24:18AM -0700, Nathan Dabney wrote:
> We cannot expect the user to want to accept connections from the local net.  I
> do agree however that localhost needs to be there ;)

This is wrong. If someone installs, say, sshd, telnetd, apache,
fingerd, identd, a web server, sendmail, and a whole host of other
software, they can and will expect it to be accessible from the local
network. Additionally, generally speaking, people who don't want
such things accessible externally are, generally, better off just not
installing them in the first place.

ALL: PARANOID is there because tcp wrapper logs are rendered meaningless
without it (it'll just report the hostname, not the IP). There are
probably a few bugs involved here: in the ISPs and DNS entries with
faulty PTR records, in tcpd not being more careful about the information
it logs. Both adding and removing ALL:PARANOID from your hosts file
should be a no-op in all ordinary situations. It's going to stay as it
is for a while yet, though. If you're an admin who doesn't like it, fire
up vi and edit it. If you're a user who doesn't like it, fix your DNS,
or get your ISP to fix it for you. It's not a lot to ask.

If you want to do something useful, work on making it so that telnetd and
inetd can be made optional, work on making it so that hosts.deny can be
meaningfully configured during an install (keeping in mind each of the
(hypothetical) word processing grandmother, the dictatorial sysadmin
who knows everything and the Debian user since 0.93R6 who quite likes
it as it is at the moment), or just work on *something*.

If anyone has bothered to look, there are already bugs filed about this
issue (43782, 55528, 62145). Of all the easy possibilities, the current
one is the one the maintainer thinks is best. All the hard possibilities
are probably too much more work than posting to -devel for anyone to be
bothered making a workable implementation.

Cheers,
aj (netbase maintainer)

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

``_Any_ increase in interface difficulty, in exchange for a benefit you
  do not understand, cannot perceive, or don't care about, is too much.''
                      -- John S. Novak, III (The Humblest Man on the Net)
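The mechanism the reply above leans on (a PTR record that does not map back to the connecting address makes the client match `PARANOID`, and a verified name is worth logging while an unverified one is not) is easy to model in a few lines. The following is an added example, not code from the thread and not tcp_wrappers' own implementation: it stands in a constructed in-memory DNS table for the system resolver so it runs offline, and every address and hostname in it is made up. Rule ordering follows the documented hosts_access(5) behaviour (hosts.allow match grants, then hosts.deny match refuses, otherwise grant).

```python
"""Toy model of tcpd's host check and of the effect of `ALL: PARANOID`.
Added example; not tcp_wrappers' code. DNS data below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed PTR (ip -> name) and A (name -> ips) records.
PTR: Dict[str, str] = {
    "192.0.2.10": "workstation.example.org",  # forward and reverse agree
    "192.0.2.12": "trusted.example.org",      # PTR claims a name it does not own
}
A: Dict[str, List[str]] = {
    "workstation.example.org": ["192.0.2.10"],
    "trusted.example.org": ["192.0.2.50"],    # the real host is elsewhere
}

@dataclass
class Client:
    ip: str
    name: Optional[str]   # verified hostname, or None when unverifiable
    paranoid: bool        # True when PTR and A lookups disagree

def resolve_client(ip: str, ptr: Dict[str, str] = PTR,
                   a: Dict[str, List[str]] = A) -> Client:
    """Double-reverse lookup: PTR for the IP, then A for that name.
    The name is trusted only if it maps back to the same IP."""
    name = ptr.get(ip)
    if name is None:
        return Client(ip, None, False)        # no PTR at all: not PARANOID
    if ip in a.get(name, []):
        return Client(ip, name, False)
    return Client(ip, None, True)             # mismatch: PARANOID, name dropped

def rule_matches(pattern: str, client: Client) -> bool:
    """Subset of hosts_access(5) client patterns."""
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return client.paranoid
    if pattern.startswith("."):               # domain suffix, needs a verified name
        return client.name is not None and client.name.endswith(pattern)
    if pattern.endswith("."):                 # network prefix, e.g. "192.0.2."
        return client.ip.startswith(pattern)
    return client.name == pattern or client.ip == pattern

Rule = Tuple[str, str]   # (daemon, client pattern), e.g. ("ALL", "PARANOID")

def check_access(daemon: str, client: Client,
                 allow: List[Rule], deny: List[Rule]) -> bool:
    """hosts.allow match grants; else hosts.deny match refuses; else grant."""
    for d, pat in allow:
        if d in ("ALL", daemon) and rule_matches(pat, client):
            return True
    for d, pat in deny:
        if d in ("ALL", daemon) and rule_matches(pat, client):
            return False
    return True

def log_line(daemon: str, client: Client) -> str:
    """Always record the IP; add the hostname only when it was verified."""
    who = f"{client.name} [{client.ip}]" if client.name else client.ip
    if client.paranoid:
        who += " (host name/address mismatch)"
    return f"{daemon}: connect from {who}"

def demo() -> Dict[str, object]:
    allow: List[Rule] = [("sshd", ".example.org")]
    deny_paranoid: List[Rule] = [("ALL", "PARANOID")]
    good = resolve_client("192.0.2.10")
    forged = resolve_client("192.0.2.12")
    no_ptr = resolve_client("192.0.2.99")
    return {
        "good_allowed": check_access("sshd", good, allow, deny_paranoid),
        "forged_paranoid": forged.paranoid,
        "forged_denied": check_access("sshd", forged, allow, deny_paranoid),
        # Without ALL: PARANOID the forged PTR still does not earn ".example.org"
        "forged_without_paranoid": check_access("sshd", forged, allow, []),
        "no_ptr_allowed": check_access("sshd", no_ptr, allow, deny_paranoid),
        "good_log": log_line("sshd", good),
        "forged_log": log_line("sshd", forged),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `forged_without_paranoid` entry is the point of the reply's "no-op" remark: with or without the `PARANOID` line, the client whose PTR does not check out never gets the privileges of the name it claims, because domain-suffix rules only apply to a verified name; what `ALL: PARANOID` changes is that such a client is refused outright and its log entry keeps the IP rather than an unverified name.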
