
Re: xinetd /etc/host.deny ALL:PARANOID



also sprach Marcin Owsiany <porridge@debian.org> [2002.01.11.0058 +0100]:
> > it's not really a security measure anymore, i find. feel free to
> > disagree...
> 
> Disabling PARANOID mode only means that you shouldn't trust the logged
> hostnames, because they may be faked, no?

kinda. it also tries to act against... well, what actually?

i think you need to know exactly what this checks to get a clue...

first, the IP is taken and reverse-resolved to a domain name. then the
domain name is resolved to an IP. if that IP doesn't match, it'll DENY.

now if 1.2.3.4 were to point to mail.madduck.net, but mail.madduck.net
points to 1.2.3.5, then that's obviously a problem, or indication of an
error status, or a hint at a hack/spoof attack... until you realize what
BIND and others do with simply RR load-balancing:

zone IN 3.2.1.in-addr.ARPA:

  4 IN PTR mail.madduck.net
  5 IN PTR mail.madduck.net

zone IN madduck.net

  mail.madduck.net IN A 1.2.3.4
                   IN A 1.2.3.5


now repeated queries for the A record of mail.madduck.net will return
both IPs alternatingly. now think about why this would cause a problem.

and i think this is too trivial a problem for me to be the first to find
it, so i guess tcp_wrappers/libwrap accounts for this. but i am not
sure, and don't really feel like trying it.

yes, but *what* exactly does ALL:PARANOID prevent? establishing the
authenticity of the domain name is surely a good point, but that's for
finger/who/w and co. only because i don't even want to deal with/know
about a system administrator that parses logs based on domain names
rather than IPs...

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
  
"driving with a destination
 is like having sex to have children"
                                             -- backwater wayne miller
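An added, offline model (not code from the mail, and not tcp_wrappers' own implementation) of the two-step PARANOID check described above, run against the round-robin zone from the example: it contrasts a comparison against only the first A answer, which flaps as BIND rotates the records, with one that accepts any address in the forward answer set. The in-memory resolver, the zone table and the extra 1.2.3.9 PTR entry are constructed for the example.

```python
# Model of the PARANOID check: reverse-resolve the IP to a name, forward-resolve
# the name, compare. Uses a constructed in-memory DNS table, not a real resolver.
from itertools import cycle

# Constructed zone data mirroring the mail's round-robin example, plus one
# constructed PTR (1.2.3.9) whose name has no matching A record.
PTR = {
    "1.2.3.4": "mail.madduck.net",
    "1.2.3.5": "mail.madduck.net",
    "1.2.3.9": "mail.madduck.net",
}
A = {
    "mail.madduck.net": ["1.2.3.4", "1.2.3.5"],
}


class RoundRobinResolver:
    """Rotates the order of a name's A records on every query, like RR load-balancing."""

    def __init__(self, a_records):
        self._a = a_records
        self._order = {name: cycle(range(len(addrs))) for name, addrs in a_records.items()}

    def lookup_a(self, name):
        addrs = self._a.get(name, [])
        if not addrs:
            return []
        k = next(self._order[name])
        return addrs[k:] + addrs[:k]          # rotated answer list


def naive_paranoid(ip, resolver):
    """Compares the IP against the FIRST forward answer only: breaks on round-robin."""
    name = PTR.get(ip)                        # missing PTR is treated as unknown -> DENY (model assumption)
    if name is None:
        return "DENY"
    addrs = resolver.lookup_a(name)
    return "ALLOW" if addrs and addrs[0] == ip else "DENY"


def paranoid(ip, resolver):
    """Accepts if the IP appears ANYWHERE in the forward answer set."""
    name = PTR.get(ip)
    if name is None:
        return "DENY"
    return "ALLOW" if ip in resolver.lookup_a(name) else "DENY"


def run(ip, check, resolver, n=4):
    """Repeat the check n times to expose the effect of rotating answers."""
    return [check(ip, resolver) for _ in range(n)]
```

Repeated checks of 1.2.3.4 alternate ALLOW/DENY under the first-answer comparison while the whole-set comparison allows every time; 1.2.3.9, whose PTR name never forward-resolves to it, is denied by both.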
