
Re: tcp wrapper

On 27 Oct 2004, Mike Mestnik wrote:
> --- Daniel Pittman <daniel@rimspace.net> wrote:
>> On 25 Oct 2004, michal wrote:
>>> What's the difference between firewall and TCP wrapper? 


>> You can't use iptables to do the DNS reverse lookup stuff that
>> TCPwrappers can do at connection time, but then, you don't do that if
>> you want security anyway. :)
> A special note for the pre-ssh days. When telnetting into a box it may
> appear to be unresponsive for up to a minute!

Only if the site you were talking to had broken reverse DNS.  Many years
ago, when telnet was the common way of making these connections, broken
reverse DNS was the exception rather than the rule, really.

> This is due to a *REVERSE* dns lookup done by the *SERVER*. It's not
> possible to bypass this by using the IP for your telnet client (it's not
> the same thing).


> This lookup is a great *tool* for client authentication

No, it isn't.  It is a completely useless tool for client
authentication, as it relies on an insecure tool completely controlled
by the client connection site.

> (provided the connection is not spoofed), 

...or that the attacker has not pushed false information into your local
DNS server.

...or that the attacker has not simply put false information in their
reverse DNS entries.

> for instance you can block all of mpaa.org and microsoft.com from
> using your inetd started servers. Hmm, maybe I'll get gtkg to link with
> tcpwrapper. :)

Hey, why not remove your firewall entirely, and put a banner on every
service that asks:

    Please, mister attacker, would you leave me alone?

That gives you about as much security as trusting reverse DNS data does.

Heck, even in the presence of DNSSEC signed data the reverse entries are
still under the complete control of the attacker.  Security?  I don't
think so.

It has been discovered that C++ provides a remarkable facility for concealing
the trivial details of a program -- such as where its bugs are.
        -- David Keppel
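
The point made in the message above, that reverse DNS answers are set by whoever controls the connecting address, shown as an added example that is not part of the original thread: hostname-based access rules evaluated against constructed DNS data. All names, addresses (RFC 5737 documentation ranges) and function names are assumptions made for the illustration, and the forward-confirmation check goes beyond what the message discusses.

```python
import ipaddress

# Constructed data: RFC 5737 documentation addresses and .example names.
# PTR records sit in the reverse zone, run by whoever controls the address block.
PTR = {
    "192.0.2.10": "gw.trusted.example",        # set by trusted.example itself
    "203.0.113.66": "gw.trusted.example",      # set by the operator of 203.0.113.0/24
    "198.51.100.7": "host.unrelated.example",  # site on a name blocklist, PTR renamed
}
# A records sit in the forward zone, run by whoever owns the domain name.
A = {
    "gw.trusted.example": {"192.0.2.10"},
    "host.unrelated.example": {"198.51.100.7"},
}

def name_rule_matches(ip, domain):
    """Hostname rule that trusts the PTR answer as-is."""
    name = PTR.get(ip)
    return name is not None and (name == domain or name.endswith("." + domain))

def forward_confirmed(ip):
    """True only if the PTR name's own A records include the connecting IP."""
    name = PTR.get(ip)
    return name is not None and ip in A.get(name, set())

def confirmed_name_rule_matches(ip, domain):
    """Hostname rule applied only to forward-confirmed names."""
    return forward_confirmed(ip) and name_rule_matches(ip, domain)

def address_rule_matches(ip, network):
    """Rule keyed on the connecting address instead of a name looked up from it."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network)

def evaluate():
    return {
        "allow trusted.example, PTR only, from 203.0.113.66":
            name_rule_matches("203.0.113.66", "trusted.example"),
        "allow trusted.example, confirmed, from 203.0.113.66":
            confirmed_name_rule_matches("203.0.113.66", "trusted.example"),
        "deny blocked.example, confirmed, from 198.51.100.7":
            confirmed_name_rule_matches("198.51.100.7", "blocked.example"),
        "deny 198.51.100.0/24, from 198.51.100.7":
            address_rule_matches("198.51.100.7", "198.51.100.0/24"),
    }

if __name__ == "__main__":
    for rule, hit in evaluate().items():
        print(f"{'match' if hit else 'no match':9} {rule}")
```

Forward confirmation rejects a PTR that points at someone else's name, but a deny rule keyed on a name still never fires for a client that simply publishes a different name for its own address.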
