Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default

To: debian-devel@lists.debian.org
Subject: Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
From: andrew@pimlott.ne.mediaone.net (Andrew Pimlott)
Date: Fri, 20 Apr 2001 16:46:51 -0400
Message-id: <[🔎] 20010420164651.B26919@pimlott.ne.mediaone.net>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 20010420120855.Z7546@flounder.net>; from adam@debian.org on Fri, Apr 20, 2001 at 12:08:55PM -0700
References: <[🔎] 20010418091902.O12115@flounder.net> <[🔎] 20010418164841.C12115@flounder.net> <[🔎] 20010418165750.U4217@osdlab.org> <[🔎] 01041903332300.00329@lain> <[🔎] 20010418204742.C16792@ucsd.edu> <[🔎] 20010419082418.D15227@osdlab.org> <[🔎] 20010420021412.A29144@azure.humbug.org.au> <[🔎] 20010420135750.A26919@pimlott.ne.mediaone.net> <[🔎] 20010420120855.Z7546@flounder.net>

On Fri, Apr 20, 2001 at 12:08:55PM -0700, Adam McKenna wrote:
> The fact that "who" and "finger" do not show the correct hostnames in this
> case is a compelling argument for keeping the paranoid checks in for now,
> BUT, this should be addressed as a shortcoming in these programs, and not
> swept under the rug.  Both obtain obtain their data from the system utmp/wtmp 
> files which do contain the IP addresss.

I think "compelling" is a little strong.  The right information gets
logged, but some programs misanalyze it.  This is not much different
from the (no doubt common) case where an IP address is logged to a
log file, and the admin runs "nslookup 1.2.3.4" to trace it.[1]  Ie,
any admin savvy to DNS games will naturally mistrust the output of
"who", and cross-check it himself (which he can do by getting the IP
address from "last").[2]  Contrariwise, the un-savvy admin will be a
dupe until all common DNS tools do paranoid checking (or until a
savvy admin helps him analyze his logs).

Also, there is typically a relatively long time lapse between the
login, and the admin running "who", so it will be easy for the
attacker to use a legitimate hostname when logging in, then forge it
when the admin runs who.

Andrew

[1] What is the right way to trace an IP address if the hostname is
forged, anyway?

[2] Does there exist a simple shell utility to perform a paranoid
name lookup?

Reply to:

Follow-Ups:
- Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
  - From: Brian May <bam@debian.org>

References:
- Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
  - From: Adam McKenna <adam@debian.org>
- Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
  - From: Adam McKenna <adam@debian.org>
- Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
  - From: Nathan Dabney <smurf@osdlab.org>
- Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
  - From: Eloi Granado <kaneda@omega.resa.es>
- Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
  - From: "John H. Robinson, IV" <jhriv@ucsd.edu>
- Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
  - From: Nathan Dabney <smurf@osdlab.org>
- Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
  - From: Anthony Towns <aj@azure.humbug.org.au>
- Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
  - From: andrew@pimlott.ne.mediaone.net (Andrew Pimlott)
- Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
  - From: Adam McKenna <adam@debian.org>

Prev by Date: Re: Cryptic messages from installers
Next by Date: Packages to run kernel 2.4.x on potato (release 10)
Previous by thread: Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
Next by thread: Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
Index(es):
- Date
- Thread