On Mon, 2007-12-17 at 16:52 -0500, Tom Horsley wrote: > While trying to make my ssh connection maximally secure, > I decided to use the /etc/hosts.allow and /etc/hosts.deny > files, and was able to get them working without too much > trouble, so now the only external site that can connect to > my home system is the address of what is probably my work > system's firewall. > > Here's the bug: The DNS setup for the IP address of the > firewall gives it two names, both (examples only) > users.example.com and corpvpn.example.com are in the > DNS database as the same IP. In the forward database, how about the reverse database? That's what's causing the problem. Undoubtedly when it does the reverse DNS lookup of the IP address, it's getting the OTHER hostname. This is always a danger of using two "A" records in your DNS rather than one "A" record and one "CNAME" record. > If I try to use either name (or both names) in the hosts.allow > file, I always get rejected with a log message that claims > users.example.com != corpvpn.example.com. > > If I use the IP address in hosts.allow, I still get the message > in the log, but I am allowed to connect. > > Is the tcpwrapper code being too paranoid here? Shouldn't > it lookup all the names for the IP and accept any match > rather than (appapently) only looking up the 1st name? No, the IP could be spoofed. If the connection that purported to come from niceguy.mybuddy.com on 1.2.3.4 actually reverse resolves to evilbastards.hackerville.com, do you really want to allow that? I sure as heck don't. iptables rules are only interested in IP addresses...DNS can be faked pretty easily. If the IP address isn't allowed by the rules, end of story. For things such as ssh I don't want people on movable IPs getting into my machine anyway. If anyone wants that kind of access to my machines, then they'd better be on a fixed IP so I can audit and backtrack the IP if they do evil to me. I want to be able to hunt their *sses down and kill them in those cases. ---------------------------------------------------------------------- - Rick Stevens, Principal Engineer rstevens@xxxxxxxxxxxx - - CDN Systems, Internap, Inc. http://www.internap.com - - - - Where there's a will, I want to be in it. - ----------------------------------------------------------------------