[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default

On Fri, Apr 20, 2001 at 02:14:12AM +1000, Anthony Towns wrote:
> ALL: PARANOID is there because tcp wrapper logs are rendered meaningless
> without it (it'll just report the hostname, not the IP).

As Adam said, this is incorrect, but I'll say a bit more.  According
to Dan Bernstein (who would never say anything positive about tcp
wrappers unless it were incontrovertible), tcp wrappers always does
the paranoid double-check.  If it fails the paranoid check, it logs
the IP address and also remembers the failure in case you want that
fact in your logs (see the documentation of %n in hosts_access(5).

It remains of course that some other services may log the wrong
thing.  But 1. Adam showed that most services log IP addresses, and
2. even if you deny PARANOID, a clever attacker can probably fool
the other service using DJB's technique.

> Both adding and removing ALL:PARANOID from your hosts file should
> be a no-op in all ordinary situations. It's going to stay as it is
> for a while yet, though.

You won't consider "ALL EXCEPT ssh: PARANOID"?

> If you're an admin who doesn't like it, fire
> up vi and edit it. If you're a user who doesn't like it, fix your DNS,
> or get your ISP to fix it for you. It's not a lot to ask.

This ignores the users who frequently use new networks.  Many people
don't even notice PARANOID until they try to log in from some new
network and find themselves locked out.  Since they may only be on
this network briefly, they might just assume that the server was
down during this time, and never get to the root of the problem.  I
understand your position, but realize that users do suffer from it.

> If you want to do something useful, work on making it so that telnetd and
> inetd can be made optional

How would this help?  I'm sure many people already install without
telnetd, while inetd has nothing (I can see) to do this with issue.

> , work on making it so that hosts.deny can be
> meaningfully configured during an install

That will be nice :-)


Reply to: