[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default

On Fri, Apr 20, 2001 at 12:08:55PM -0700, Adam McKenna wrote:
> The fact that "who" and "finger" do not show the correct hostnames in this
> case is a compelling argument for keeping the paranoid checks in for now,
> BUT, this should be addressed as a shortcoming in these programs, and not
> swept under the rug.  Both obtain obtain their data from the system utmp/wtmp 
> files which do contain the IP addresss.

I think "compelling" is a little strong.  The right information gets
logged, but some programs misanalyze it.  This is not much different
from the (no doubt common) case where an IP address is logged to a
log file, and the admin runs "nslookup" to trace it.[1]  Ie,
any admin savvy to DNS games will naturally mistrust the output of
"who", and cross-check it himself (which he can do by getting the IP
address from "last").[2]  Contrariwise, the un-savvy admin will be a
dupe until all common DNS tools do paranoid checking (or until a
savvy admin helps him analyze his logs).

Also, there is typically a relatively long time lapse between the
login, and the admin running "who", so it will be easy for the
attacker to use a legitimate hostname when logging in, then forge it
when the admin runs who.


[1] What is the right way to trace an IP address if the hostname is
forged, anyway?

[2] Does there exist a simple shell utility to perform a paranoid
name lookup?

Reply to: