Re: tcp wrapper
--- Daniel Pittman <firstname.lastname@example.org> wrote:
> On 27 Oct 2004, Mike Mestnik wrote:
> > --- Daniel Pittman <email@example.com> wrote:
> >> On 25 Oct 2004, michal wrote:
> >>> What's the difference between firewall and TCP wrapper?
> >> You can't use iptables to do the DNS reverse lookup stuff that
> >> TCPwrappers can do at connection time, but then, you don't do that if
> >> you want security anyway. :)
> > A special note for the pre-ssh days. When telnetting into a box it may
> > appear to be unresponsive for up to a minute!
> Only if the site you were talking to had broken reverse DNS. Many years
> ago, when telnet was the common way of making these connections, broken
> reverse DNS was the exception rather than the rule, really.
> > This is due to a *REVERSE* DNS lookup done by the *SERVER*. It's not
> > possible to bypass this by using the IP for your telnet client (it's not
> > the same thing).
> > This lookup is a great *tool* for client authentication
> No, it isn't. It is a completely useless tool for client
> authentication, as it relies on an insecure tools completely controlled
> by the client connection site.
You're correct, but by tool I mean like a rock where a hammer is needed.
> > (provided the connection is not spoofed),
> ...or that the attacker has not pushed false information into your local
> DNS server.
> ...or that the attacker has not simply put false information in their
> reverse DNS entries.
This is less likely to happen, now that some DNS and domain admins are
getting very picky about these things. Microsoft even has a solution
using delegation of sorts, but that's about all I know about it.
> > for instance you can block all of mpaa.org and microsoft.com from
> > using your inetd started servers. Hmm, maybe I'll get gtkg to link with
> > tcpwrapper. :)
> Hey, why not remove your firewall entirely, and put a banner on every
> service that asks:
When using a rock, it's best to use a sturdy stick and some duct tape as a
> Please, mister attacker, would you leave me alone?
> That gives you about as much security as trusting reverse DNS data does.
Only if you remove your firewall entirely. It's an added measurement, for
where the usage of DNS is a plus.
> Heck, even in the presence of DNSSEC signed data the reverse entries are
> still under the complete control of the attacker. Security? I don't
> think so.
You're assuming that everyone has access to change their reverse DNS. Let's
say you wanted to block all attbb users.
> It has been discovered that C++ provides a remarkable facility for
> the trivial details of a program -- such as where its bugs are.
> -- David Keppel
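The thread argues over whether a reverse DNS name is worth anything as an access-control input. The check that TCP wrappers actually performs is not a bare PTR lookup: it resolves the PTR name forward again and only trusts the name if one of the forward addresses is the connecting address (a mismatch is matched by the PARANOID wildcard). The block below is an added example written for this page, not code from the thread or from the tcp_wrappers project, and it runs against a constructed in-memory DNS table instead of real resolvers; the IPs, names and the hosts.allow/hosts.deny rule lists are all made up for the illustration.

```python
# Added example (not from the thread): a tcp_wrappers-style "double reverse"
# hostname check plus a hosts.allow/hosts.deny style rule matcher, run
# against constructed DNS data so it executes offline.
from typing import Optional, Callable, List

# Constructed sample DNS data for this example only.
PTR = {
    "192.0.2.10": "mail.example.net",       # honest host: PTR and A records agree
    "198.51.100.7": "trusted.example.com",  # PTR under the client's control claims someone else's name
    "203.0.113.5": "dhcp-5.isp.example",    # address under an ISP's domain
}
A = {
    "mail.example.net": ["192.0.2.10"],
    "trusted.example.com": ["192.0.2.99"],  # the real trusted host lives at another address
    "dhcp-5.isp.example": ["203.0.113.5"],
}


def reverse_lookup(ip: str) -> Optional[str]:
    """Stand-in for a PTR query (constructed data, no network)."""
    return PTR.get(ip)


def forward_lookup(name: str) -> List[str]:
    """Stand-in for an A query (constructed data, no network)."""
    return A.get(name, [])


def confirmed_hostname(ip: str,
                       rev: Callable[[str], Optional[str]] = reverse_lookup,
                       fwd: Callable[[str], List[str]] = forward_lookup) -> Optional[str]:
    """Return the PTR name only if a forward lookup of that name maps back to ip.

    This mirrors the tcp_wrappers check: whoever controls the reverse zone can
    put any name in the PTR record, so the name is only believed when the
    owner of the *forward* zone also points it at this address.  None means
    "unknown / could not be confirmed", which is what PARANOID matches on.
    """
    name = rev(ip)
    if name is None:
        return None
    return name if ip in fwd(name) else None


def rule_matches(pattern: str, ip: str, hostname: Optional[str]) -> bool:
    """hosts.allow/hosts.deny style client patterns (subset, for illustration).

    '.domain'   matches a confirmed hostname ending in that domain
    'net.'      matches an address beginning with that prefix
    'ALL'       matches every client
    'PARANOID'  matches clients whose name could not be confirmed
    anything else is an exact hostname or address
    """
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return hostname is None
    if pattern.startswith("."):
        return hostname is not None and hostname.endswith(pattern)
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return hostname == pattern or ip == pattern


def access_decision(ip: str, allow: List[str], deny: List[str]) -> str:
    """Apply the tcp_wrappers evaluation order: hosts.allow first, then
    hosts.deny, and grant access if neither list matches."""
    hostname = confirmed_hostname(ip)
    if any(rule_matches(p, ip, hostname) for p in allow):
        return "allow"
    if any(rule_matches(p, ip, hostname) for p in deny):
        return "deny"
    return "allow"


if __name__ == "__main__":
    # A forged PTR does not get the client past a name-based allow rule,
    # because the forward lookup of "trusted.example.com" does not return
    # 198.51.100.7; the unconfirmed client then falls through to the deny list.
    print(access_decision("198.51.100.7", allow=["trusted.example.com"], deny=["ALL"]))
    # Domain-based blocking of the kind the thread describes ("block all of
    # some-isp's users") only works for addresses whose names confirm.
    print(access_decision("203.0.113.5", allow=[], deny=[".isp.example"]))
```

The forward confirmation closes the specific hole of a client writing an arbitrary name into its own reverse zone, which is the point the thread circles around; it does nothing against the other two cases raised there, a poisoned local resolver or a spoofed connection, since both corrupt the inputs the check relies on.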