Re: tcpd -DPARANOID doesn't work, and never did
Wietse Venema (wietse at PORCUPINE.ORG)
Tue, 10 Nov 1998 00:18:50 -0500
- Next message: Randal Schwartz: "Re: Several new CGI vulnerabilities"
- Previous message: Darren Rogers: "Re: FoolProof for PC Exploit"
- In reply to: D. J. Bernstein: "Re: tcpd -DPARANOID doesn't work, and never did"
- Next in thread: Greg A. Woods: "Re: tcpd -DPARANOID doesn't work, and never did"
D. J. Bernstein:
> The subject line is correct exactly as stated. -DPARANOID does not
> improve your computer's security. It has never improved anybody's
> computer security.
Confronted with evidence that widely-used BIND and NIS software
wasn't vulnerable to a short TTL attack described in an earlier
post, Bernstein presents a marginally different attack.
This game could go on for a long time, but that would be a waste
of everyone's time. The TCP Wrapper documentation is very explicit
about the limitations of unauthenticated IP/DNS.
One can fix rshd/rlogind against some IP/DNS-based attacks, but
until IP/DNS with strong authentication are widely deployed, the
security of such services will be low, even when TCP Wrapped.
> You've done enough damage. Admit your mistake and turn off -DPARANOID.
I have resisted pressure to change this default for 7+ years. Now
that people use tcpd access control for email, I'm reconsidering
that decision - your friendly request notwithstanding.
Wietse
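The check the thread argues over is tcpd's forward/reverse DNS consistency test: the connecting address is mapped to a name, that name is resolved back, and the connection is flagged "paranoid" when the original address is not among the results. The following is an added illustration of that logic, not code from tcp_wrappers or from either poster; it uses a constructed in-memory resolver (the hostnames, addresses and the `classify_client`/`access_decision` function names are assumptions for the example) so that it runs offline. It also makes the limitation Venema refers to visible: both lookups return unauthenticated answers, so the test catches an inconsistency between them, not a resolver that lies consistently.

```python
"""Forward/reverse DNS consistency check in the style of tcpd's PARANOID handling.

Added example with a fake resolver; not code from tcp_wrappers.  All names and
addresses are constructed (documentation ranges and example domains only).
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample DNS data: PTR (address -> name) and A (name -> addresses) records.
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "trusted.example.com",
    "192.0.2.20": "trusted.example.com",    # PTR claims the trusted name ...
    "192.0.2.30": "dangling.example.net",   # PTR name that has no forward records
}
A_RECORDS: Dict[str, List[str]] = {
    "trusted.example.com": ["192.0.2.10"],  # ... but only 192.0.2.10 resolves forward
}

ReverseFn = Callable[[str], Optional[str]]
ForwardFn = Callable[[str], List[str]]


def fake_reverse(addr: str) -> Optional[str]:
    """Stand-in for gethostbyaddr(): the PTR name, or None when there is none."""
    return PTR_RECORDS.get(addr)


def fake_forward(name: str) -> List[str]:
    """Stand-in for gethostbyname(): the address list, empty when lookup fails."""
    return A_RECORDS.get(name.lower(), [])


def classify_client(addr: str,
                    reverse: ReverseFn = fake_reverse,
                    forward: ForwardFn = fake_forward) -> Tuple[str, str]:
    """Return (status, hostname) for a connecting address.

      ("ok", name)        reverse and forward lookups agree on the address
      ("unknown", "")     no reverse mapping exists at all
      ("paranoid", name)  a reverse name exists, but resolving it does not
                          yield the connecting address (inconsistent PTR)
    """
    name = reverse(addr)
    if name is None:
        return ("unknown", "")
    if addr in forward(name):
        return ("ok", name)
    return ("paranoid", name)


def access_decision(addr: str, allowed_hosts: List[str],
                    paranoid_drop: bool = True) -> str:
    """Hostname-based allow list, as one would write it in hosts.allow.

    With paranoid_drop set (the compile-time -DPARANOID behaviour the thread
    discusses) an inconsistent client is dropped before any rule is consulted;
    without it the client simply matches no hostname rule and is denied.
    Either way a name-based rule never grants access on a mismatch.
    """
    status, name = classify_client(addr)
    if status == "paranoid" and paranoid_drop:
        return "drop"
    if status == "ok" and name in allowed_hosts:
        return "allow"
    return "deny"


if __name__ == "__main__":
    allowed = ["trusted.example.com"]
    for client in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(client, classify_client(client), access_decision(client, allowed))
```

Note that `192.0.2.20` is denied in both modes; what -DPARANOID changes is whether the connection is dropped immediately and logged as such, not whether a name-based rule can be fooled by a PTR record alone.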