Re: tcp wrapper
--- Daniel Pittman <daniel@rimspace.net> wrote:
> On 27 Oct 2004, Mike Mestnik wrote:
> > --- Daniel Pittman <daniel@rimspace.net> wrote:
> >> On 25 Oct 2004, michal wrote:
> >>> What's the difference between firewall and TCP wrapper?
>
> [...]
>
> >> You can't use iptables to do the DNS reverse lookup stuff that
> >> TCPwrappers can do at connection time, but then, you don't do that if
> >> you want security anyway. :)
> >
> > A special note for the pre-ssh days. When telnetting into a box it may
> > appear to be unresponsive for up to a minute!
>
> Only if the site you were talking to had broken reverse DNS. Many years
> ago, when telnet was the common way of making these connections, broken
> reverse DNS was the exception rather than the rule, really.
>
> > This is due to a *REVERSE* dns lookup done by the *SERVER*. It's not
> > possible to bypass this by using the IP for your telnet client (it's not
> > the same thing).
>
> True.
>
> > This lookup is a great *tool* for client authentication
>
> No, it isn't. It is a completely useless tool for client
> authentication, as it relies on insecure tools completely controlled
> by the client connection site.
>
You're correct, but by tool I mean like a rock where a hammer is needed.
> > (provided the connection is not spoofed),
>
> ...or that the attacker has not pushed false information into your local
> DNS server.
>
DNS spoof.
> ...or that the attacker has not simply put false information in their
> reverse DNS entries.
>
This is less likely to happen, now that some DNS and Domain admins are
getting very picky about these things. Microsoft even has a solution
using delegation of sorts, but that's about all I know about it.
> > for instance you can block all of mpaa.org and microsoft.com from
> > using your inetd started servers. Hmm, maybe I'll get gtkg to link with
> > tcpwrapper. :)
>
> Hey, why not remove your firewall entirely, and put a banner on every
> service that asks:
>
When using a rock, it's best to use a sturdy stick and some duct tape as a
handle.
> Please, mister attacker, would you leave me alone?
>
> That gives you about as much security as trusting reverse DNS data does.
>
Only if you remove your firewall entirely. It's an added measure, for
where the usage of DNS is a plus.
>
> Heck, even in the presence of DNSSEC signed data the reverse entries are
> still under the complete control of the attacker. Security? I don't
> think so.
>
You're assuming that everyone has access to change their reverse DNS. Let's
say you wanted to block all attbb users.
> Daniel
> --
> It has been discovered that C++ provides a remarkable facility for
> concealing the trivial details of a program -- such as where its bugs are.
> -- David Keppel
>
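The thread turns on whether a PTR name the client's site controls can be trusted at all. As an added example (not from either poster), here is the forward-confirmed reverse DNS cross-check that tcp_wrappers performs before matching a hostname in hosts.allow/hosts.deny, run offline against constructed zone data; the domains, addresses and function names are all assumptions for illustration.

```python
# Added example (not from the thread): forward-confirmed reverse DNS, the
# cross-check tcp_wrappers applies before trusting a PTR name in hosts.allow /
# hosts.deny. Resolver lookups are injected so this runs offline on
# constructed zone data; nothing here is real DNS.

# Constructed reverse (PTR) and forward (A) zones.
PTR_ZONE = {
    "192.0.2.10": "mail.example.com",           # honest host
    "192.0.2.20": "admin.example.com",          # PTR claims a trusted name
    "198.51.100.5": "dialup-5.isp.example.net",
}
A_ZONE = {
    "mail.example.com": ["192.0.2.10"],
    "admin.example.com": ["192.0.2.1"],         # forward zone owner disagrees
    "dialup-5.isp.example.net": ["198.51.100.5"],
}


def verified_hostname(addr, reverse=PTR_ZONE.get,
                      forward=lambda n: A_ZONE.get(n, [])):
    """Return the client's PTR name only if the forward zone maps it back to addr.

    Whoever holds the client's address block controls the PTR record, so the
    name is untrusted until the forward zone for that name (held by the domain
    owner) agrees. Returns None for no PTR or for a mismatch.
    """
    name = reverse(addr)
    if name is None or addr not in forward(name):
        return None
    return name


def matches(name, pattern):
    """hosts.allow-style match: a leading dot means 'any host under this domain'."""
    if pattern.startswith("."):
        return name.endswith(pattern)
    return name == pattern


def client_allowed(addr, deny_patterns, **resolvers):
    """Decide like a hosts.deny list: refuse listed domains, and refuse
    PARANOID clients (a PTR that does not verify), as tcp_wrappers does by
    default. The decision still says nothing about spoofed source addresses."""
    name = verified_hostname(addr, **resolvers)
    if name is None:
        return False
    return not any(matches(name, p) for p in deny_patterns)
```

The second address shows the point made above: an attacker-set PTR that names a trusted host is discarded because the forward zone for that name never points back at them, while a client with no PTR at all is treated the same way.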