
Re: opened OpenSSL port



> Chris Davies wrote:
>> /etc/hosts.allow could provide a level of protection for names matching,
>> e.g. "*.dyndns.org".

Pascal Hambourg <pascal.mail@plouf.fr.eu.org> wrote:
> This won't work, because usually the reverse DNS is not in *.dyndns.org.
> somename.dyndns.org -> IP address -> some other name defined by the ISP.

Interesting, that one. I don't use hosts.allow myself - but it's
frequently recommended by others. It's not at all clear (to me) from
the man page that the canonical name must be provided in hosts.allow,
but empirically it appears that this indeed is the case.

Arguably, this is less than optimal from a user-centric
perspective. (Consider a host with multiple A records, perhaps a
well-connected web server running a number of vHosts. It seems to me
that it would make more sense to do a forward DNS lookup on a name
(where possible) and match the resulting set of addresses against the
incoming IP. Ineffective on domain matching, but surely useful for
host-based matching?)

Chris
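Added illustration, not part of the original message: the two matching strategies discussed above, run against a constructed in-memory DNS table (no live lookups; the host names, addresses and the ISP-style PTR name are made-up examples). The first function reproduces what TCP wrappers does when hosts.allow carries a hostname pattern: PTR lookup of the peer address, then a forward lookup of the returned name, which is only trusted if it resolves back to that address. The second is the forward-lookup approach proposed in the reply, which works for a literal host name but cannot be applied to a domain or wildcard pattern because the set of names under it cannot be enumerated.

```python
import fnmatch

# Constructed zone data (assumption: a typical dyndns client behind an ISP
# whose PTR records point into its own pool, plus a multi-address web host).
FORWARD = {
    "myhost.dyndns.org": {"203.0.113.45"},
    "45.113.0.203.isp-pool.example": {"203.0.113.45"},
    "www.example.net": {"198.51.100.10", "198.51.100.11"},
    "host10.example.net": {"198.51.100.10"},
}
REVERSE = {
    "203.0.113.45": "45.113.0.203.isp-pool.example",  # PTR owned by the ISP
    "198.51.100.10": "host10.example.net",            # canonical name differs
    "198.51.100.11": None,                            # no PTR at all
}


def pattern_matches(pattern, name):
    """hosts_access(5) hostname patterns: a leading dot is a suffix match,
    otherwise '*' and '?' wildcards (fnmatch semantics) or an exact name."""
    name, pattern = name.lower(), pattern.lower()
    if pattern.startswith("."):
        return name.endswith(pattern)
    return fnmatch.fnmatchcase(name, pattern)


def verified_reverse_name(ip):
    """What tcp_wrappers uses as the client name: the PTR result, accepted
    only if a forward lookup of that name yields the peer address."""
    name = REVERSE.get(ip)
    if name is None:
        return None
    if ip not in FORWARD.get(name, set()):
        return None  # forward/reverse mismatch: treated as unknown (PARANOID)
    return name


def reverse_match(pattern, ip):
    """hosts.allow semantics: match the pattern against the verified PTR name."""
    name = verified_reverse_name(ip)
    return name is not None and pattern_matches(pattern, name)


def forward_match(pattern, ip):
    """Forward-lookup matching as proposed in the reply. Returns True/False
    for a literal host name, None when the pattern is a domain or wildcard
    (there is no name to resolve, so the question cannot be decided)."""
    if pattern.startswith(".") or any(c in pattern for c in "*?"):
        return None
    return ip in FORWARD.get(pattern.lower(), set())


if __name__ == "__main__":
    for pattern, ip in [("*.dyndns.org", "203.0.113.45"),
                        ("myhost.dyndns.org", "203.0.113.45"),
                        ("www.example.net", "198.51.100.11")]:
        print(f"{pattern:20} {ip:15} reverse={reverse_match(pattern, ip)!s:5} "
              f"forward={forward_match(pattern, ip)}")
```

Run stand-alone, the table shows the behaviour described in the thread: the dyndns client never matches "*.dyndns.org" via the ISP's PTR, but its literal name does match by forward lookup; the second address of the multi-homed web server has no PTR and so can only be matched by forward lookup of "www.example.net".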

