
Re: xinetd /etc/host.deny ALL:PARANOID



thus spoke Sam Varghese <sam@gnubies.com> [2002.01.10.2323 +0100]:
> Why would you want to remove your first line of defence? Do you want the
> whole world to have access to the box in question?

That doesn't mean allowing access to the whole world!

> If a host does not match its IP, your system SHOULD deny it access.

I actually disagree. (a) These days, many run their own DNS even though
the IP belongs to someone else and is only leased to a "home user". (b)
You wouldn't believe how many DNS admins don't grasp reverse resolution,
how many have misconfigured it (or not configured it at all), and how
many times it simply fails for that reason even though it's a legit
request.

I couldn't ssh into my machines from diamond.madduck.net for a long time
simply because the DNS admin was "too loaded with work" to fix the
reverse IP... until I removed that line. Never had any more hack
attempts, never had any successful hacks.

It's not really a security measure anymore, I find. Feel free to
disagree...

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
  
wasting time is an important part of living.

Attachment: pgpEex29Ih7XV.pgp
Description: PGP signature
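The thread is about the double-reverse check that "ALL: PARANOID" in /etc/hosts.deny turns on. The following is an added example, not code from the original post and not tcp_wrappers' own code: it models the PARANOID and UNKNOWN wildcards as hosts_access(5) describes them (PARANOID matches a host whose name does not match its address; UNKNOWN matches a host whose name or address is unknown) and shows why a client with a stale or missing PTR record, exactly the situation Martin describes, gets classified the way it does. All host names and addresses below are constructed, and the in-memory "zone" stands in for the resolver so the example runs offline; `live_reverse`/`live_forward` are the equivalent lookups against the real resolver.

```python
# Added example: a model of the tcp_wrappers PARANOID check behind
# "ALL: PARANOID" in /etc/hosts.deny. Not the original post's code and
# not tcp_wrappers source; DNS data below is constructed so it runs
# offline. Names and addresses are hypothetical (203.0.113.0/24 is a
# documentation prefix).
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample records.
#   FAKE_PTR: address -> host name   (reverse zone)
#   FAKE_A:   host name -> addresses (forward zone)
FAKE_PTR: Dict[str, str] = {
    "203.0.113.10": "diamond.example.net",      # PTR and A agree
    "203.0.113.11": "diamond.example.net",      # stale PTR: A record no longer lists .11
    "203.0.113.12": "nonexistent.example.net",  # PTR names a host with no A record
    # 203.0.113.13 deliberately has no PTR at all
}
FAKE_A: Dict[str, List[str]] = {
    "diamond.example.net": ["203.0.113.10"],
}

ReverseFn = Callable[[str], Optional[str]]
ForwardFn = Callable[[str], List[str]]


def fake_reverse(addr: str) -> Optional[str]:
    """Reverse lookup against the constructed zone (None = no PTR)."""
    return FAKE_PTR.get(addr)


def fake_forward(name: str) -> List[str]:
    """Forward lookup against the constructed zone ([] = no A record)."""
    return FAKE_A.get(name, [])


def live_reverse(addr: str) -> Optional[str]:
    """Same lookup via the system resolver, as tcpd's gethostbyaddr() does."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_forward(name: str) -> List[str]:
    """Same lookup via the system resolver, as tcpd's gethostbyname() does."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []


def classify(addr: str, reverse: ReverseFn = fake_reverse,
             forward: ForwardFn = fake_forward) -> str:
    """Return the name the wrapper would record for a client address:
    - the verified host name when the PTR's target lists the address,
    - "UNKNOWN" when the reverse lookup yields nothing,
    - "PARANOID" when a PTR exists but the forward lookup of that name
      does not contain the address (name/address mismatch)."""
    ipaddress.ip_address(addr)  # reject garbage before doing any lookups
    name = reverse(addr)
    if name is None:
        return "UNKNOWN"
    if addr in forward(name):
        return name
    return "PARANOID"


def denied_by_all_paranoid(addr: str, reverse: ReverseFn = fake_reverse,
                           forward: ForwardFn = fake_forward) -> bool:
    """Would the single rule 'ALL: PARANOID' in hosts.deny block this client?
    Only a name/address mismatch matches. A client with no reverse DNS at
    all is UNKNOWN and passes this rule; blocking it needs 'ALL: UNKNOWN'."""
    return classify(addr, reverse, forward) == "PARANOID"


if __name__ == "__main__":
    for client in ("203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"):
        verdict = "denied" if denied_by_all_paranoid(client) else "allowed"
        print(f"{client:<14} -> {classify(client):<22} {verdict} by 'ALL: PARANOID'")
```

Run it and the second client, whose PTR still names a host whose A record has since moved, is the one refused: a legitimate user locked out by someone else's stale reverse zone, which is the failure mode the post describes. Note the asymmetry the man page defines: PARANOID only fires on a mismatch, so an address with no PTR record at all is UNKNOWN and is let through by this rule alone.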