
Re: tcp wrapper



--- Daniel Pittman <daniel@rimspace.net> wrote:

> On 27 Oct 2004, Mike Mestnik wrote:
> > --- Daniel Pittman <daniel@rimspace.net> wrote:
> >> On 25 Oct 2004, michal wrote:
> >>> What's the difference between firewall and TCP wrapper? 
> 
> [...]
> 
> >> You can't use iptables to do the DNS reverse lookup stuff that
> >> TCPwrappers can do at connection time, but then, you don't do that if
> >> you want security anyway. :)
> >
> > A special note for the pre-ssh days. When telneting into a box it may
> > appear to be unresponsive for up to a minute!
> 
> Only if the site you were talking to had broken reverse DNS.  Many years
> ago, when telnet was the common way of making these connections, broken
> reverse DNS was the exception rather than the rule, really.
> 
> > This is due to a *REVERSE* dns lookup done by the *SERVER*. It's not
> > possible to bypass this by using the IP for your telnet client (it's not
> > the same thing).
> 
> True.
> 
> > This lookup is a great *tool* for client authentication
> 
> No, it isn't.  It is a completely useless tool for client
> authentication, as it relies on insecure tools completely controlled
> by the client connection site.
> 
You're correct, but by tool I mean like a rock where a hammer is needed.

> > (provided the connection is not spoofed), 
> 
> ...or that the attacker has not pushed false information into your local
> DNS server.
> 
DNS spoof.

> ...or that the attacker has not simply put false information in their
> reverse DNS entries.
> 
This is less likely to happen, now that some DNS and domain admins are
getting very picky about these things.  Microsoft even has a solution
using delegation of sorts, but that's about all I know about it.

> > for instance you can block all of mpaa.org and microsoft.com from
> > using your inetd started servers. Hmm, maybe I'll get gtkg to link with
> > tcpwrapper. :)
> 
> Hey, why not remove your firewall entirely, and put a banner on every
> service that asks:
> 
When using a rock, it's best to use a sturdy stick and some duct tape as a
handle.

>     Please, mister attacker, would you leave me alone?
> 
> That gives you about as much security as trusting reverse DNS data does.
> 
Only if you remove your firewall entirely.  It's an added measure, for
where the usage of DNS is a plus.

> 
> Heck, even in the presence of DNSSEC signed data the reverse entries are
> still under the complete control of the attacker.  Security?  I don't
> think so.
> 
You're assuming that everyone has access to change their reverse DNS.  Let's
say you wanted to block all attbb users.

>       Daniel
> -- 
> It has been discovered that C++ provides a remarkable facility for
> concealing the trivial details of a program -- such as where its bugs are.
>         -- David Keppel
> 

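The weakness the thread circles around is that a PTR record is written by whoever controls the address block, so a hostname-based rule in hosts.allow/hosts.deny is only as good as the reverse lookup behind it. The following is an added example, not code from the thread or from TCP wrappers: it performs the forward-confirmed reverse DNS check that tcpd's PARANOID handling implements, refuses a PTR whose forward record disagrees, and only then applies a domain-suffix deny rule. The lookup tables, addresses and the `attbb.example` domain are constructed stand-ins for a real resolver.

```python
from typing import Callable, Iterable, Optional, Tuple

# Constructed lookup tables standing in for the resolver (assumption: a real
# check would call socket.gethostbyaddr / socket.getaddrinfo instead).
PTR_TABLE = {
    "198.51.100.7": "mail.example.net",        # honest host, forward record agrees
    "203.0.113.9": "trusted.example.org",      # PTR claims a name that does not resolve back
    "192.0.2.44": "dialup-44.attbb.example",   # host under a domain we want to deny
}
A_TABLE = {
    "mail.example.net": ["198.51.100.7"],
    "trusted.example.org": ["203.0.113.200"],
    "dialup-44.attbb.example": ["192.0.2.44"],
}

def fcrdns(ip: str, ptr_lookup: Callable[[str], Optional[str]],
           fwd_lookup: Callable[[str], Iterable[str]]) -> Tuple[Optional[str], bool]:
    """Forward-confirmed reverse DNS. Returns (name, confirmed): the PTR name
    and whether that name resolves back to ip. The PTR is set by whoever holds
    the address block, so it is trusted only when the forward lookup agrees."""
    name = ptr_lookup(ip)
    if not name:
        return None, False
    name = name.lower().rstrip(".")
    return name, ip in set(fwd_lookup(name))

def host_matches(name: str, pattern: str) -> bool:
    """hosts.allow-style pattern: a leading dot matches every host in the domain."""
    pattern = pattern.lower()
    return name.endswith(pattern) if pattern.startswith(".") else name == pattern

def decide(ip: str, deny_patterns: Iterable[str],
           ptr_lookup=PTR_TABLE.get,
           fwd_lookup=lambda n: A_TABLE.get(n, [])) -> Tuple[str, str]:
    """Return ('allow'|'deny', name). A PTR that fails forward confirmation is
    refused outright (tcpd's PARANOID behaviour); name-based deny rules only
    ever match a confirmed name, so a forged PTR cannot steer the decision."""
    name, confirmed = fcrdns(ip, ptr_lookup, fwd_lookup)
    if name is not None and not confirmed:
        return "deny", name
    if confirmed and any(host_matches(name, p) for p in deny_patterns):
        return "deny", name
    return "allow", name or ""

if __name__ == "__main__":
    for ip in list(PTR_TABLE) + ["198.51.100.250"]:
        print(ip, decide(ip, [".attbb.example"]))
```

A client with no PTR at all gets no name, so a name-based deny cannot match it; the firewall, as Daniel says, is still what does the real work.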

