Jim Dennis writes:

> Oddly enough I've never heard Wietse claim that PARANOID provides
> "protection against rlogins and rsh attacks."

Later in your message you blame innocent system administrators for imagining such a thing. ``Wishful thinking,'' you say. ``Superficial understanding,'' you say. ``Unreasonable expectations,'' you say.

That's revisionist history.

Wietse Venema, BLURB, log_tcp 2.0, comp.sources.misc volume 20, announcing the introduction of -DPARANOID:

   Enhancements over the previous release are: protection against
   rlogin and rsh attacks through compromised domain name servers ...

Wietse Venema, BLURB, log_tcp 3.0, comp.sources.misc volume 23:

   Optional features are: access control based on pattern matching,
   and protection against rsh and rlogin attacks from hosts that
   pretend to have someone else's host name.

Those claims do not stand up to scrutiny. The unfortunate reality is that -DPARANOID provides no security benefits. If a host is vulnerable _without_ -DPARANOID then it is also vulnerable _with_ -DPARANOID.

Similar comments apply to Venema's recent claims about the security benefits of a 5-minute min_cache_ttl. If a host is vulnerable _without_ that min_cache_ttl then it is also vulnerable _with_ that min_cache_ttl.

> You *at least* need anti-address
> spoofing at your perimeter/border firewalls/packet filters
> to even *hope* to prevent those attacks over those lines.

Secure TCP/IP LANs predate tcpd. But this is orthogonal to my point.

-DPARANOID provides no security benefits for sites with secure IP, secure local name service, and fixed rshd.

-DPARANOID provides no security benefits for sites with secure IP, secure local name service, and unfixed rshd.

-DPARANOID provides no security benefits for sites with secure IP but insecure local name service.

-DPARANOID provides no security benefits for sites without secure IP.

> Oh! So anyone in any of our hosts.allow might
> be able to impersonate any other hosts in our hosts.allow.

-DPARANOID provides no security benefits for sites that use hosts.allow to restrict connections. tcpd performs double resolution for hosts.allow whether or not -DPARANOID is set.

-DPARANOID provides no security benefits for sites that don't use hosts.allow to restrict connections.

> An FAQ is intended to answer *frequent* questions. Removing
> information from one fails in this basic intent.

You misunderstand. The question here isn't about tcpd. The question is how to turn on special services for selected IP addresses.

There are two answers. One uses tcpd. This has the advantage of being installed already on many systems. However, thanks to -DPARANOID, it has been a support nightmare. The second answer uses a different access-control mechanism. This has the advantage of actually working.

I could make the tcpd answer work by explaining how to download tcpd, disable -DPARANOID, and install. However, this is more complicated than the second answer.

---Dan

1000 recipients, 28.8 modem, 10 seconds. http://pobox.com/~djb/qmail/mini.html
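[Editor's added illustration, not code from the message, from tcpd or from Wietse Venema.] The "double resolution" the message refers to is a reverse lookup of the client address followed by a forward lookup of the returned name, accepting the name only if the original address is among the forward answers. The model below runs that check against a constructed in-memory resolver table (all names and addresses are made up) and shows that it only establishes that the resolver's two answers agree with each other, which is why a site whose name service is itself untrustworthy gains nothing from it.

```python
# Constructed resolver answers, standing in for a (here assumed honest) local name service.
PTR = {"10.0.0.5": "trusted.example", "10.0.0.9": "trusted.example"}    # reverse zone
A = {"trusted.example": ["10.0.0.5"], "other.example": ["10.0.0.9"]}      # forward zone


def double_resolve(ip, ptr=PTR, a=A):
    """Return the client's name if reverse and forward lookups agree, else None.

    Step 1: PTR lookup of the address.  Step 2: A lookup of the returned name.
    The name is usable only if the original address is among the A answers;
    this is the hostname check tcpd applies to names listed in hosts.allow.
    """
    name = ptr.get(ip)
    if name is None:
        return None
    if ip in a.get(name, []):
        return name
    return None  # mismatch: the name cannot be trusted for hostname matching


def hosts_allow_permits(ip, allowed_names, ptr=PTR, a=A):
    """Hostname matching against an allow list always goes through double_resolve."""
    name = double_resolve(ip, ptr, a)
    return name is not None and name in allowed_names


def consistent_but_untrue_answers_pass(ip, claimed_name):
    """Show the limit of the check: a resolver whose PTR and A records have been
    made to agree (e.g. because the name service itself is not secure) passes
    double resolution for whatever name it chooses to return."""
    ptr = {ip: claimed_name}
    a = {claimed_name: ["10.0.0.5", ip]}
    return hosts_allow_permits(ip, {claimed_name}, ptr, a)


if __name__ == "__main__":
    print(double_resolve("10.0.0.5"))   # trusted.example
    print(double_resolve("10.0.0.9"))   # None: PTR says trusted.example, A disagrees
    print(consistent_but_untrue_answers_pass("10.0.0.9", "trusted.example"))  # True
```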
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:22:47 PDT