Re: Is this a tcpwrapper bug?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Mon, 2007-12-17 at 16:52 -0500, Tom Horsley wrote:
> While trying to make my ssh connection maximally secure,
> I decided to use the /etc/hosts.allow and /etc/hosts.deny
> files, and was able to get them working without too much
> trouble, so now the only external site that can connect to
> my home system is the address of what is probably my work
> system's firewall.
> 
> Here's the bug: The DNS setup for the IP address of the
> firewall gives it two names, both (examples only)
> users.example.com and corpvpn.example.com are in the
> DNS database as the same IP.

In the forward database, how about the reverse database?  That's
what's causing the problem.  Undoubtedly when it does the reverse
DNS lookup of the IP address, it's getting the OTHER hostname.
This is always a danger of using two "A" records in your DNS
rather than one "A" record and one "CNAME" record.

> If I try to use either name (or both names) in the hosts.allow
> file, I always get rejected with a log message that claims
> users.example.com != corpvpn.example.com.
> 
> If I use the IP address in hosts.allow, I still get the message
> in the log, but I am allowed to connect.
> 
> Is the tcpwrapper code being too paranoid here? Shouldn't
> it lookup all the names for the IP and accept any match
> rather than (appapently) only looking up the 1st name?

No, the IP could be spoofed.  If the connection that purported to come
from niceguy.mybuddy.com on 1.2.3.4 actually reverse resolves to
evilbastards.hackerville.com, do you really want to allow that?  I sure
as heck don't.

iptables rules are only interested in IP addresses...DNS can be faked
pretty easily.  If the IP address isn't allowed by the rules, end of
story.  For things such as ssh I don't want people on movable IPs
getting into my machine anyway.  If anyone wants that kind of access to
my machines, then they'd better be on a fixed IP so I can audit and
backtrack the IP if they do evil to me.  I want to be able to hunt their
*sses down and kill them in those cases.

----------------------------------------------------------------------
- Rick Stevens, Principal Engineer             rstevens@xxxxxxxxxxxx -
- CDN Systems, Internap, Inc.                http://www.internap.com -
-                                                                    -
-              Where there's a will, I want to be in it.             -
----------------------------------------------------------------------

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux