Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
On Fri, Apr 20, 2001 at 12:08:55PM -0700, Adam McKenna wrote:
> The fact that "who" and "finger" do not show the correct hostnames in this
> case is a compelling argument for keeping the paranoid checks in for now,
> BUT, this should be addressed as a shortcoming in these programs, and not
> swept under the rug. Both obtain their data from the system utmp/wtmp
> files which do contain the IP address.
I think "compelling" is a little strong. The right information gets
logged, but some programs misanalyze it. This is not much different
from the (no doubt common) case where an IP address is logged to a
log file, and the admin runs "nslookup 18.104.22.168" to trace it. I.e.,
any admin savvy to DNS games will naturally mistrust the output of
"who", and cross-check it himself (which he can do by getting the IP
address from "last"). Contrariwise, the un-savvy admin will be a
dupe until all common DNS tools do paranoid checking (or until a
savvy admin helps him analyze his logs).
Also, there is typically a relatively long time lapse between the
login, and the admin running "who", so it will be easy for the
attacker to use a legitimate hostname when logging in, then forge it
when the admin runs who.
 What is the right way to trace an IP address if the hostname is
 Does there exist a simple shell utility to perform a paranoid
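For reference, the "paranoid" check discussed above is forward-confirmed reverse DNS: resolve the client IP to a name (PTR), resolve that name back to addresses (A), and trust the name only if the original IP is among them. The following is an added example of that check, not code from this thread or from tcp_wrappers. The `paranoid_check` function, the `fake_reverse`/`fake_forward` resolvers and the zone data (documentation-range addresses from RFC 5737) are constructed for an offline demonstration; `system_reverse`/`system_forward` wrap the real resolver for use on a live box.

```python
"""Forward-confirmed reverse DNS ("paranoid") check.

Added example: not code from the original posts or from tcp_wrappers.
It mirrors the logic behind tcp_wrappers' PARANOID pattern: an IP whose
PTR name does not resolve back to that IP is treated as a mismatch.
Resolver functions are injected so the check can run offline against
a constructed zone table.
"""
import socket
from typing import Callable, Iterable, Optional, Tuple

ReverseLookup = Callable[[str], Optional[str]]
ForwardLookup = Callable[[str], Iterable[str]]


def paranoid_check(ip: str, reverse: ReverseLookup,
                   forward: ForwardLookup) -> Tuple[str, str]:
    """Return (verdict, display_name) for a client IP.

    verdict is one of:
      "ok"       - PTR name resolves back to the IP; the name is verified
      "no-ptr"   - no reverse mapping at all; show the bare IP
      "mismatch" - PTR name does not resolve back to the IP (the
                   condition PARANOID rejects); show IP plus claimed name
    """
    name = reverse(ip)
    if not name:
        return "no-ptr", ip
    try:
        addrs = set(forward(name))
    except OSError:
        # Name has no forward records at all: same as a mismatch.
        addrs = set()
    if ip in addrs:
        return "ok", name
    # Never display an attacker-supplied PTR name as though verified.
    return "mismatch", f"{ip} (claims {name})"


# --- Constructed zone data for the offline demo (not real hosts) ---
# 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges.
PTR = {
    "203.0.113.10": "shell.example.org",   # honest host, PTR and A agree
    "203.0.113.66": "admin.example.org",   # attacker's PTR claims a trusted name
    "198.51.100.7": None,                  # no reverse DNS at all
}
A = {
    "shell.example.org": ["203.0.113.10"],
    "admin.example.org": ["203.0.113.1"],  # the real admin host, not .66
}


def fake_reverse(ip: str) -> Optional[str]:
    """Stand-in for a PTR lookup against the constructed zone."""
    return PTR.get(ip)


def fake_forward(name: str) -> Iterable[str]:
    """Stand-in for an A lookup against the constructed zone."""
    if name not in A:
        raise OSError(f"no A record for {name}")
    return A[name]


def system_reverse(ip: str) -> Optional[str]:
    """PTR lookup via the system resolver (needs network)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(name: str) -> Iterable[str]:
    """A/AAAA lookup via the system resolver (needs network)."""
    return [ai[4][0] for ai in socket.getaddrinfo(name, None)]


if __name__ == "__main__":
    for client_ip in PTR:
        verdict, shown = paranoid_check(client_ip, fake_reverse, fake_forward)
        print(f"{client_ip:15} {verdict:9} {shown}")
```

The check only means something at the moment the connection is made, which is why tcp_wrappers does it at accept time: as the message above notes, an attacker can present a clean PTR while logging in and change it before the admin runs "who", so re-verifying a name hours later from utmp tells you nothing. Record the IP at login (as wtmp does) and run the check then.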