[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ALL: PARANOID from /etc/hosts.deny ...

On Thu, 19 Apr 2001, Igor Mozetic wrote:

>While /etc/hosts.deny is easy (I always use ALL: ALL), the real
>problem is /etc/hosts.allow. The issue is that there is an
>increasing number of services not run from inetd for which it
>is not clear 1)if they are wrapped, 2)what daemon name to use?
>Some examples:
>- netbios-ssn, netbios-ns service names, but one must use the
>  binary names smbd, nmbd

UDP/IPX--SMB predates windows' stealing of the BSD TCP stack...

>- rpc.mountd binary, but one must use mountd daemon name
>- rsync, apparently cannot be wrapped even when run from inetd
>- ntpd, apparently not wrapped and without own access control
>  (but there was a recent remote exploit)


>- printer, apparently not wrapped but with own access control


>- sendmail, apparently wrapped, the only package I noticed
>  to add itself to /etc/hosts.{deny,allow}

NNTP, hacked to TCP.

>Since tcp-wrappers are one important defense line it would be

Looks like it IS centrally available

>very helpful to admins if this info is centrally available
>(which is probably undoable), or at least that individual packages
>are documented in README.Debian (like sendmail).
>-Igor Mozetic

Sacred cows make the best burgers

Who is John Galt?  galt@inconnu.isu.edu, that's who!!!

Reply to: