
Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default

Adam McKenna <adam@debian.org> wrote:
> How is one going to exploit a vulnerability in SSH if the connection is
> dropped before they can input any data?

By finding a vulnerability in TCP wrappers, should one exist, or even in the
TCP stack of whatever operating system you're using.

Using a stateful firewall means the attacker doesn't even get that far.

> [ ... ] "Secure"
> doesn't exist.  There's only "as secure as I need it".

And that's obviously not as secure as I like it.

> Most web servers on the internet supply public information, thus they must be
> reachable by all hosts.  With this in mind I don't see how the above
> paragraph is even applicable to the current discussion.

It started as your example; I just carried it along.

> [ ... ] This thread is about
> the Debian default configuration of tcpd, which is currently broken.

I wasn't addressing anything to do with the Debian default configuration of
tcpd. I'm happy with how it is now, and don't care enough to fill the list
with more crap about it.

What I was addressing is your assertion that you can fully protect a machine
from any attack using IP-based access lists with TCP wrappers instead of a
stateful firewall. That's a little piece of misinformation that everyone
can do without.

> You don't know me -- don't presume to know what I do and do not understand.

You're right, I don't know you. But I've read several posts of yours, and
like I said, you seem to demonstrate a fundamental lack of understanding on
the topic you're talking about.
Sam Couter          |   Internet Engineer   |   http://www.topic.com.au/
sam@topic.com.au    |   tSA Consulting      |
OpenPGP key ID:       DE89C75C,  available on key servers
OpenPGP fingerprint:  A46B 9BB5 3148 7BEA 1F05  5BD5 8530 03AE DE89 C75C
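The subject line refers to the `PARANOID` wildcard in `hosts.deny`. As an added example that is not code from this thread or from the tcp_wrappers sources, the following models how tcpd classifies a client as `PARANOID` (the PTR name does not resolve back to the connecting address) or `UNKNOWN` (no name at all) and then applies a hosts.allow/hosts.deny list in the documented order. The resolver functions and the DNS records are constructed so it runs offline; the host names and addresses are hypothetical.

```python
"""Model of tcpd's PARANOID / UNKNOWN host classification and rule matching.

Added example (not from the thread or from tcp_wrappers). hosts_access(5)
defines PARANOID as "any host whose name does not match its address" and
UNKNOWN as a host whose name or address cannot be determined. Lookups are
injected so the example runs against the constructed records below.
"""
from typing import Callable, Iterable, Optional, Sequence

ReverseLookup = Callable[[str], Optional[str]]   # address -> PTR name, or None
ForwardLookup = Callable[[str], Sequence[str]]   # name -> list of addresses

# Constructed sample DNS data (hypothetical hosts, documentation addresses).
PTR_RECORDS = {
    "192.0.2.10": "alpha.example.test",   # forward and reverse agree
    "192.0.2.20": "alpha.example.test",   # PTR claims a name that points elsewhere
    # 192.0.2.30 has no PTR record at all
}
A_RECORDS = {
    "alpha.example.test": ["192.0.2.10"],
}


def reverse_lookup(addr: str) -> Optional[str]:
    return PTR_RECORDS.get(addr)


def forward_lookup(name: str) -> Sequence[str]:
    return A_RECORDS.get(name, [])


def classify_client(addr: str,
                    reverse: ReverseLookup = reverse_lookup,
                    forward: ForwardLookup = forward_lookup) -> str:
    """Return the client name tcpd would work with: the forward-confirmed
    hostname, 'UNKNOWN' when reverse lookup yields nothing, or 'PARANOID'
    when the PTR name does not resolve back to the connecting address.

    In tcpd this check runs only after the kernel has completed the TCP
    handshake and the daemon has accept()ed the socket, which is the
    ordering point the message above makes against a packet filter.
    """
    name = reverse(addr)
    if not name:
        return "UNKNOWN"
    if addr not in forward(name):
        return "PARANOID"
    return name


def matches(pattern: str, addr: str, client_name: str) -> bool:
    """Match one hosts.allow/hosts.deny client pattern against a client."""
    if pattern == "ALL":
        return True
    if pattern in ("PARANOID", "UNKNOWN"):
        return client_name == pattern
    if pattern.startswith("."):        # leading dot: domain suffix match
        return client_name.endswith(pattern)
    if pattern.endswith("."):          # trailing dot: network prefix match
        return addr.startswith(pattern)
    return pattern in (addr, client_name)


def hosts_access(addr: str, allow: Iterable[str], deny: Iterable[str],
                 reverse: ReverseLookup = reverse_lookup,
                 forward: ForwardLookup = forward_lookup) -> bool:
    """Apply the documented order for one daemon: the first matching allow
    pattern grants, otherwise the first matching deny pattern refuses,
    otherwise access is granted."""
    client_name = classify_client(addr, reverse, forward)
    if any(matches(p, addr, client_name) for p in allow):
        return True
    if any(matches(p, addr, client_name) for p in deny):
        return False
    return True


if __name__ == "__main__":
    # The Debian default the thread is about: "ALL: PARANOID" in hosts.deny.
    for client in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(client, classify_client(client),
              "allowed" if hosts_access(client, [], ["PARANOID"]) else "refused")
```

Only the pattern matching is modelled here: a tcp_wrappers build compiled with `-DPARANOID` refuses mismatched hosts before consulting the lists at all, and nothing in this code stands in for the packet filter that the message argues should sit in front of it.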
