Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
>>>>> "Daniel" == Daniel Stone <daniel@kabuki.openfridge.net> writes:
Daniel> On Thu, Apr 19, 2001 at 11:49:30PM +1000, Hamish Moffatt
Daniel> wrote:
>> Don't you think standards are important? Properly configured
>> DNS has both forward-lookup A records and reverse-lookup PTR
>> records. We shouldn't encourage anyone to compromise on that,
>> because it is not difficult to configure.
Daniel> Well, 203.36.158.121 doesn't reverse resolve to anything
Daniel> because Telstra are absolutely bloody useless, and can't
Daniel> delegate the chunk of 203.36.158.* through to us
Daniel> ... *sigh*. No PTR is alright, because of valid reasons
Daniel> like this, and the fact that you can do WHOISes on the
Daniel> IPs. I say this because you can WHOIS an IP, but you can't
Daniel> exactly WHOIS scriptkiddie.fuckyou.microsoft.com.
According to Craig, you shouldn't have any problems.
It is only if 203.36.158.121 reverse resolved into, say,
"snoopy.apana.org.au" that you would have problems.
So let's try something:
snoopy:~# host dewey
dewey.chocbit.org.au A 192.168.87.134
snoopy:~# host 192.168.87.134
Name: snoopy.chocbit.org.au
Address: 192.168.87.134
snoopy:~# host snoopy
snoopy.chocbit.org.au A 192.168.87.129
snoopy:~# host 192.168.87.129
Name: snoopy.chocbit.org.au
Address: 192.168.87.129
So the reverse entry points to snoopy, which is wrong.
With PARANOID:
Apr 20 09:20:01 snoopy telnetd[31937]: warning: /etc/hosts.allow, line 9: host name/address mismatch: 192.168.87.134 != snoopy.chocbit.org.au
Apr 20 09:20:01 snoopy telnetd[31937]: refused connect from 192.168.87.134
Without PARANOID:
Apr 20 09:21:13 snoopy telnetd[31957]: connect from 192.168.87.134
No host name was logged. Strange.
With the correct address:
Apr 20 09:22:35 snoopy telnetd[31969]: connect from 192.168.87.134
Apr 20 09:22:43 snoopy telnetd[31972]: connect from 192.168.87.134
However, some things are wrong:
[501] [snoopy:bam] ~ >who
[...]
bam pts/6 Apr 20 09:26 (snoopy.chocbit.org.au)
[502] [snoopy:bam] ~ >last
bam pts/6 snoopy.chocbit.o Fri Apr 20 09:26 still logged in
[...]
(I can't test this with telnet, as the heimdal-clients telnet uses the
IP address for everything).
However, PARANOID does not protect everything; e.g. apache logs the
wrong address:
snoopy.chocbit.org.au - - [20/Apr/2001:09:27:39 +1000] "GET / HTTP/1.0" 200 667
snoopy.chocbit.org.au - - [20/Apr/2001:09:28:37 +1000] "GET / HTTP/1.0" 200 667
snoopy.chocbit.org.au - - [20/Apr/2001:09:28:39 +1000] "GET / HTTP/1.0" 200 667
snoopy.chocbit.org.au - - [20/Apr/2001:09:28:40 +1000] "GET / HTTP/1.0" 200 667
--
Brian May <bam@debian.org>
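An added illustration, not code from this thread or from tcp_wrappers itself: a small Python model of what the PARANOID rule checks (reverse-resolve the client address, forward-resolve the name that comes back, and refuse the connection unless the address is among that name's A records), run against constructed resolver tables that mirror the chocbit.org.au example in the post, including the no-PTR case Daniel describes. The names paranoid_check, wrapper_log, audit, live_resolvers and the FORWARD/REVERSE tables are my own; the log lines it emits follow the shape of the post's telnetd messages but are not copied from it.

```python
"""Added illustration of the tcp_wrappers PARANOID rule.

Not code from the mailing-list thread or from tcp_wrappers; the tables below
are constructed to mirror the chocbit.org.au example in the post.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed forward (A) records.
FORWARD: Dict[str, List[str]] = {
    "dewey.chocbit.org.au": ["192.168.87.134"],
    "snoopy.chocbit.org.au": ["192.168.87.129"],
}

# Constructed reverse (PTR) records.  The entry for .134 is the broken one
# from the post: it names snoopy, whose A record is .129.
# 203.36.158.121 deliberately has no PTR at all (the undelegated block).
REVERSE: Dict[str, str] = {
    "192.168.87.134": "snoopy.chocbit.org.au",
    "192.168.87.129": "snoopy.chocbit.org.au",
}

ReverseFn = Callable[[str], Optional[str]]
ForwardFn = Callable[[str], List[str]]


@dataclass
class Verdict:
    allowed: bool
    reason: str
    hostname: Optional[str]  # name the wrapper would trust for this client, if any


def paranoid_check(ip: str, reverse: ReverseFn = REVERSE.get,
                   forward: ForwardFn = lambda n: FORWARD.get(n, [])) -> Verdict:
    """Reverse-resolve ip, forward-resolve the answer, and require ip to be
    among the forward results.  This is the consistency test PARANOID encodes."""
    name = reverse(ip)
    if name is None:
        # No PTR: the wrapper falls back to the bare address and PARANOID
        # does not fire, which is why an undelegated block is not refused.
        return Verdict(True, "no PTR; address used in place of host name", None)
    if ip in forward(name):
        return Verdict(True, "forward and reverse lookups agree", name)
    return Verdict(False, f"host name/address mismatch: {ip} != {name}", None)


def wrapper_log(service: str, pid: int, ip: str, paranoid: bool = True) -> List[str]:
    """Syslog-style lines in the shape the post shows (timestamps omitted)."""
    v = paranoid_check(ip)
    if paranoid and not v.allowed:
        return [f"{service}[{pid}]: warning: {v.reason}",
                f"{service}[{pid}]: refused connect from {ip}"]
    return [f"{service}[{pid}]: connect from {ip}"]


def audit(ips: List[str]) -> List[str]:
    """Return the addresses whose PTR does not round-trip: the clients that
    PARANOID would start refusing, worth knowing before it is enabled."""
    return [ip for ip in ips if not paranoid_check(ip).allowed]


def live_resolvers():
    """Resolver callables backed by the system resolver, for running
    paranoid_check(ip, *live_resolvers()) against real DNS instead of the
    constructed tables."""
    def reverse(ip: str) -> Optional[str]:
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            return None

    def forward(name: str) -> List[str]:
        try:
            return socket.gethostbyname_ex(name)[2]
        except (socket.herror, socket.gaierror):
            return []
    return reverse, forward


if __name__ == "__main__":
    for ip in ("192.168.87.134", "192.168.87.129", "203.36.158.121"):
        print("\n".join(wrapper_log("telnetd", 31937, ip)))
    print("would be refused:", audit(list(REVERSE) + ["203.36.158.121"]))
```

The resolver functions are injectable so the same check can be run offline against the tables or, via live_resolvers(), against the real resolver; the audit() helper is the part a defender actually wants, since it lists which existing clients a PARANOID line would lock out before the line is uncommented.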