On Sat, Jan 12, 2002 at 11:31:51AM +0100, Christian Kurz wrote:
[ snip ]
> > Everything that is possible is not necessarily a good idea.
>
> So far I agree with you.
>
> > However, I must admit I was talking from memory; I'm travelling at the
> > moment and don't have time to read the RFCs, but I
On 11/01/02, Nathan E Norman wrote:
> On Fri, Jan 11, 2002 at 11:52:15AM +0100, Christian Kurz wrote:
> > On 10/01/02, Nathan E Norman wrote:
> > > On Fri, Jan 11, 2002 at 01:29:08AM +0100, martin f krafft wrote:
> > > > first, the IP is taken and reverse-resolved to a domain name. then the
> > > >
On Fri, Jan 11, 2002 at 03:47:27PM +0100, martin f krafft wrote:
[ martin didn't write this, chris wagner did ]
> > Come on... there are only 4 ip numbers in a /30!!! The only
> > conceivable use for a /30 is as a point-to-point. /29 maybe for cable
> > modem LANs...
/30s are also used when a
On Fri, Jan 11, 2002 at 11:52:15AM +0100, Christian Kurz wrote:
> On 10/01/02, Nathan E Norman wrote:
> > On Fri, Jan 11, 2002 at 01:29:08AM +0100, martin f krafft wrote:
> > > first, the IP is taken and reverse-resolved to a domain name. then the
> > > domain name is resolved to an IP. if that IP
also sprach Christian Kurz <[EMAIL PROTECTED]> [2002.01.11.1152 +0100]:
> Pardon? Would you please cite that paragraph of the RfCs that states
> that "every PTR entry should resolve to a _unique_ name"? The last time
> I read in the RfC and in another book about DNS both didn't mention
> that. And
also sprach Chris Wagner <[EMAIL PROTECTED]> [2002.01.11.0616 +0100]:
> >okay, why libwrap then?
>
> Once the network is compromised, it makes no difference what's on the box.
> If done properly, the compromised network is indistinguishable from the
> uncompromised network. That box is totally on
On 10/01/02, Nathan E Norman wrote:
> On Fri, Jan 11, 2002 at 01:29:08AM +0100, martin f krafft wrote:
> > first, the IP is taken and reverse-resolved to a domain name. then the
> > domain name is resolved to an IP. if that IP doesn't match, it'll DENY.
> > now if 1.2.3.4 were to point to mail.mad
At 06:01 AM 1/11/02 +0100, martin f krafft wrote:
>okay, why libwrap then?
Once the network is compromised, it makes no difference what's on the box.
If done properly, the compromised network is indistinguishable from the
uncompromised network. That box is totally on its own. :)
>/29, although
also sprach Chris Wagner <[EMAIL PROTECTED]> [2002.01.11.0541 +0100]:
> This is sort of the function of canonical names. "Other" names for the IP
> besides the absolute name (or Loopback name in our parlance). But CNAME's
> are deprecated for other reasons. I personally never had any problems us
also sprach Chris Wagner <[EMAIL PROTECTED]> [2002.01.11.0556 +0100]:
> >a bogus IP won't even make it past OSI layer 4 on debian...
> >rp_filter...
>
> There are ways of doing it such that the box has NO WAY of knowing
> that the traffic is spoofed. Granted, that is hard to do. Even
> paranoid
At 04:22 AM 1/11/02 +0100, martin f krafft wrote:
>a bogus IP won't even make it past OSI layer 4 on debian... rp_filter...
There are ways of doing it such that the box has NO WAY of knowing that the
traffic is spoofed. Granted, that is hard to do. Even paranoid lookups can
be overcome. But it'
At 10:01 PM 1/10/02 -0600, Nathan E Norman wrote:
>Congratulations ... you just set up your DNS incorrectly. Every PTR
>entry should resolve to a _unique_ name, and that name should resolve
>to a _unique_ IP. That doesn't mean you can't have additional A
>records doing load balancing.
To give a
also sprach Nathan E Norman <[EMAIL PROTECTED]> [2002.01.11.0501 +0100]:
> Congratulations ... you just set up your DNS incorrectly. Every PTR
> entry should resolve to a _unique_ name, and that name should resolve
> to a _unique_ IP. That doesn't mean you can't have additional A
> records doing
On Fri, Jan 11, 2002 at 01:29:08AM +0100, martin f krafft wrote:
> i think you need to know exactly what this checks to get a clue...
>
> first, the IP is taken and reverse-resolved to a domain name. then the
> domain name is resolved to an IP. if that IP doesn't match, it'll DENY.
>
> now if 1.2
also sprach Chris Wagner <[EMAIL PROTECTED]> [2002.01.11.0205 +0100]:
> Well, the rationale behind this is as you touched on, preventing
> spoofed address attacks. A paranoid lookup essentially verifies that
> the connecting system is a known legit host. In effect you're using
> your DNS system a
Well, the rationale behind this is as you touched on, preventing spoofed
address attacks. A paranoid lookup essentially verifies that the connecting
system is a known legit host. In effect you're using your DNS system as
another level of authentication. Say somebody wants to covertly log on or
a
also sprach Marcin Owsiany <[EMAIL PROTECTED]> [2002.01.11.0058 +0100]:
> > it's not really a security measure anymore, i find. feel free to
> > disagree...
>
> Disabling PARANOID mode only means that you shouldn't trust the logged
> hostnames, because they may be faked, no?
kinda. it also tries
also sprach Sam Varghese <[EMAIL PROTECTED]> [2002.01.11.0053 +0100]:
> i can only speak from my limited experience. i have found these measures
> to work, therefore i practice them. of course, one would agree to
> disagree.
i don't want to come across as the wannabe-guru, but what exactly do you
On Fri, Jan 11, 2002 at 12:11:13AM +0100, martin f krafft wrote:
> it's not really a security measure anymore, i find. feel free to
> disagree...
Disabling PARANOID mode only means that you shouldn't trust the logged
hostnames, because they may be faked, no?
Marcin
--
Marcin Owsiany <[EMAIL PROT
On Fri, Jan 11, 2002 at 12:11:13AM +0100, martin f krafft wrote:
> > If a host does not match its IP, your system SHOULD deny it access.
>
> i actually disagree. (a) these days, many run their own DNS even though
> the IP belongs to someone else and is only leased to a "home user". (b)
> you would
also sprach Sam Varghese <[EMAIL PROTECTED]> [2002.01.10.2323 +0100]:
> Why would you want to remove your first line of defence? Do you want the
> whole world to have access to the box in question?
that doesn't mean allowing access to the whole world!
> If a host does not match its IP, your syste
On Thu, Jan 10, 2002 at 03:41:37PM +0100, Davi Leal wrote:
> Is it safe to delete the ALL:PARANOID line in /etc/hosts.deny to avoid the
> below messages in /var/log/syslog?
>
> Jan 22 12:13:46 excalibur xinetd[254]: warning: /etc/hosts.deny, line 15:
> can't verify hostname: gethostbyname(geicamds
We are an ISP (Internet Service Provider) and we use Debian GNU/Linux 2.2r3
(potato) as mail and DNS server:
sendmail 8.9.3-23
qpopper 2.53-5
bind 8.2.3
Is it safe to delete the ALL:PARANOID line in /etc/hosts.deny to avoid the
below messages in /var/log/syslog?
Jan 22 12:13