Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
On Thu, Apr 19, 2001 at 09:41:14PM -0400, Michael Stone wrote:
> On Fri, Apr 20, 2001 at 08:12:44AM +1000, Hamish Moffatt wrote:
> > I agree with Craig. Bad DNS (disagreement between A and PTR records)
> > suggests that somebody is up to no good, so why not drop them?
> No, it *doesn't* suggest that someone is up to no good.
yes, it does. note the word "suggest" rather than the phrase "prove
beyond all doubt".
i don't see any reason to give the benefit of the doubt in this
if you don't like the default, then you know where your favourite text
editor is. enjoy.
> A real black hat is going to spoof both forward and reverse lookups,
> or none at all.
there's a hell of a lot more clueless script-kiddie wannabe "black hats"
than real ones...probably thousands of wannabes for every real one.
these wannabes are the ones that will be blocked by the simpler/older
forms of protection like tcp-wrappers "ALL: PARANOID". they may not be
very skilled, but they're still a nuisance (and possibly even a danger
if they get lucky)
> It's far, far more likely that someone's got a screwed up dns server.
not in my experience. i've seen missing .in-addr.arpa records, i've seen
dns-spoofing attempts, i've seen all kinds of broken dns but i don't
recall ever seeing *legitimately* incorrect .in-addr.arpa PTR records.
which is odd, when you consider the huge song and dance some people have
been making about it on this list over the last few days. you'd think
from all the noise that it was an extremely common, everyday occurrence.
or maybe it's not so odd when you think about it...the kind of "network
admins" (and i use that term very loosely) who would bugger up their
.in-addr.arpa records are also the kind of admins who either don't know
about reverse lookups or couldn't be bothered doing them anyway.
craig sanders <email@example.com>
GnuPG Key: 1024D/CD5626F0
Key fingerprint: 9674 7EE2 4AC6 F5EF 3C57 52C3 EC32 6810 CD56 26F0
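As an added illustration of what the thread is arguing about (my own code, not from Craig's message and not the tcp_wrappers source), the block below models the double-reverse lookup that tcpd performs before it matches the `PARANOID` wildcard used by `ALL: PARANOID` in /etc/hosts.deny. It assumes the hosts_access(5) semantics as I understand them: a client whose PTR name does not resolve back to the connecting address is `PARANOID`, while a client with no PTR record at all is `UNKNOWN`, a separate wildcard. The DNS records are a constructed in-memory table so the example runs offline; the `FakeResolver` class, the address values and the hostnames are all invented for the example.

```python
# Added example (not from the original thread): an offline model of the
# double-reverse lookup behind tcp_wrappers' PARANOID wildcard, i.e. the
# check that "ALL: PARANOID" in /etc/hosts.deny relies on.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class FakeResolver:
    """Constructed stand-in for DNS so the example runs offline.
    With a live resolver you would call socket.gethostbyaddr() for the
    PTR step and socket.gethostbyname_ex() for the forward step."""
    ptr: Dict[str, str]          # address -> name from its in-addr.arpa PTR record
    a: Dict[str, List[str]]      # name -> addresses from its A records

    def reverse(self, ip: str) -> Optional[str]:
        return self.ptr.get(ip)

    def forward(self, name: str) -> List[str]:
        return self.a.get(name, [])


def paranoid_verdict(ip: str, resolver: FakeResolver) -> Tuple[str, str]:
    """Classify a connecting address the way tcpd does before matching rules.

    Returns (verdict, reason) with verdict one of:
      "ok"       - the PTR name resolves back to the connecting address
      "unknown"  - no PTR record at all (matches UNKNOWN, not PARANOID)
      "paranoid" - the PTR name does not resolve, or resolves to other addresses
    The last case is the "disagreement between A and PTR records" in the thread.
    """
    name = resolver.reverse(ip)
    if name is None:
        return "unknown", f"no PTR record for {ip}"
    addrs = resolver.forward(name)
    if not addrs:
        return "paranoid", f"can't verify hostname: forward lookup of {name} failed"
    if ip in addrs:
        return "ok", f"{name} -> {ip} verified"
    return "paranoid", f"host name/address mismatch: {ip} != {name} ({', '.join(addrs)})"


def hosts_deny_blocks(ip: str, resolver: FakeResolver) -> bool:
    """Would the single rule 'ALL: PARANOID' in /etc/hosts.deny refuse this client?
    Only a verified mismatch is refused; a merely missing PTR record is let
    through (refusing that would need 'ALL: UNKNOWN', a much noisier rule)."""
    return paranoid_verdict(ip, resolver)[0] == "paranoid"


# Constructed records in the RFC 5737 documentation ranges (assumed data).
RESOLVER = FakeResolver(
    ptr={
        "192.0.2.10": "good.example.net",     # forward and reverse agree
        "192.0.2.20": "trusted.example.org",  # PTR names a host it is not an address of
        "192.0.2.40": "stale.example.net",    # PTR names a host with no A record
    },
    a={
        "good.example.net": ["192.0.2.10"],
        "trusted.example.org": ["198.51.100.5"],
    },
)

if __name__ == "__main__":
    # 192.0.2.30 has no PTR record at all, so it is UNKNOWN rather than PARANOID.
    for client in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        verdict, reason = paranoid_verdict(client, RESOLVER)
        action = "refuse" if hosts_deny_blocks(client, RESOLVER) else "allow"
        print(f"{client:12} {verdict:9} {action:7} {reason}")
```

The two `paranoid` outcomes are worth keeping apart when reading tcpd's log: a name that resolves to a different address is the disagreement both sides of the thread are discussing, whereas a PTR pointing at a name with no A record is the "missing records" kind of breakage and is reported by tcpd as a failed verification rather than a mismatch.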