Rick Stevens wrote:
On Mon, 2007-12-17 at 16:52 -0500, Tom Horsley wrote:
While trying to make my ssh connection maximally secure,
I decided to use the /etc/hosts.allow and /etc/hosts.deny
files, and was able to get them working without too much
trouble, so now the only external site that can connect to
my home system is the address of what is probably my work
system's firewall.
Here's the bug: The DNS setup for the IP address of the
firewall gives it two names, both (examples only)
users.example.com and corpvpn.example.com are in the
DNS database as the same IP.
In the forward database, how about the reverse database? That's
what's causing the problem. Undoubtedly when it does the reverse
DNS lookup of the IP address, it's getting the OTHER hostname.
This is always a danger of using two "A" records in your DNS
rather than one "A" record and one "CNAME" record.
If I try to use either name (or both names) in the hosts.allow
file, I always get rejected with a log message that claims
users.example.com != corpvpn.example.com.
If I use the IP address in hosts.allow, I still get the message
in the log, but I am allowed to connect.
Is the tcpwrapper code being too paranoid here? Shouldn't
it lookup all the names for the IP and accept any match
rather than (appapently) only looking up the 1st name?
No, the IP could be spoofed. If the connection that purported to come
from niceguy.mybuddy.com on 1.2.3.4 actually reverse resolves to
evilbastards.hackerville.com, do you really want to allow that? I sure
as heck don't.
Why do you imagine there's any correspondence? I have several domains
pointing at my one public IP address, and my public IP address doesn't
resolve to any of them.
Anyone who hosts websites has the same setup. So does anyone who hosts
email services for divers organisations.
iptables rules are only interested in IP addresses...DNS can be faked
pretty easily. If the IP address isn't allowed by the rules, end of
story. For things such as ssh I don't want people on movable IPs
getting into my machine anyway. If anyone wants that kind of access to
my machines, then they'd better be on a fixed IP so I can audit and
backtrack the IP if they do evil to me. I want to be able to hunt their
*sses down and kill them in those cases.
Ultimately. hosts.{allow,deny} also only use IP addresses. There is
little difference in that respect between iptables and the hosts files.
--
Cheers
John
-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxx Z1aaaaaaa@xxxxxxxxxxxxxxxx
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list:-)
