Re: Is this a tcpwrapper bug?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2007-12-17 at 16:52 -0500, Tom Horsley wrote:
> While trying to make my ssh connection maximally secure,
> I decided to use the /etc/hosts.allow and /etc/hosts.deny
> files, and was able to get them working without too much
> trouble, so now the only external site that can connect to
> my home system is the address of what is probably my work
> system's firewall.
> 
> Here's the bug: The DNS setup for the IP address of the
> firewall gives it two names, both (examples only)
> users.example.com and corpvpn.example.com are in the
> DNS database as the same IP.

In the forward database, how about the reverse database?  That's
what's causing the problem.  Undoubtedly when it does the reverse
DNS lookup of the IP address, it's getting the OTHER hostname.
This is always a danger of using two "A" records in your DNS
rather than one "A" record and one "CNAME" record.

> If I try to use either name (or both names) in the hosts.allow
> file, I always get rejected with a log message that claims
> users.example.com != corpvpn.example.com.
> 
> If I use the IP address in hosts.allow, I still get the message
> in the log, but I am allowed to connect.
> 
> Is the tcpwrapper code being too paranoid here? Shouldn't
> it lookup all the names for the IP and accept any match
> rather than (appapently) only looking up the 1st name?

No, the IP could be spoofed.  If the connection that purported to come
from niceguy.mybuddy.com on 1.2.3.4 actually reverse resolves to
evilbastards.hackerville.com, do you really want to allow that?  I sure
as heck don't.

iptables rules are only interested in IP addresses...DNS can be faked
pretty easily.  If the IP address isn't allowed by the rules, end of
story.  For things such as ssh I don't want people on movable IPs
getting into my machine anyway.  If anyone wants that kind of access to
my machines, then they'd better be on a fixed IP so I can audit and
backtrack the IP if they do evil to me.  I want to be able to hunt their
*sses down and kill them in those cases.

----------------------------------------------------------------------
- Rick Stevens, Principal Engineer             rstevens@xxxxxxxxxxxx -
- CDN Systems, Internap, Inc.                http://www.internap.com -
-                                                                    -
-              Where there's a will, I want to be in it.             -
----------------------------------------------------------------------


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux