OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq archives for 4th quarter (Oct-Dec) 1998: Re: tcpd -DPARANOID doesn't work, and never did

Re: tcpd -DPARANOID doesn't work, and never did

D. J. Bernstein (djbCR.YP.TO)
Tue, 10 Nov 1998 23:19:11 -0000

Jim Dennis writes:
> Oddly enough I've never heard Wietse claim that PARANOID provides
> "protection against rlogins and rsh attacks."

Later in your message you blame innocent system administrators for
imagining such a thing. ``Wishful thinking,'' you say. ``Superficial
understanding,'' you say. ``Unreasonable expectations,'' you say.

That's revisionist history.

Wietse Venema, BLURB, log_tcp 2.0, comp.sources.misc volume 20,
announcing the introduction of -DPARANOID:

   Enhancements over the previous release are: protection against rlogin
   and rsh attacks through compromised domain name servers ...

Wietse Venema, BLURB, log_tcp 3.0, comp.sources.misc volume 23:

   Optional features are: access control based on pattern matching, and
   protection against rsh and rlogin attacks from hosts that pretend to
   have someone elses host name.

Those claims do not stand up to scrutiny. The unfortunate reality is
that -DPARANOID provides no security benefits. If a host is vulnerable
_without_ -DPARANOID then it is also vulnerable _with_ -DPARANOID.

Similar comments apply to Venema's recent claims about the security
benefits of a 5-minute min_cache_ttl. If a host is vulnerable _without_
that min_cache_ttl then it is also vulnerable _with_ that min_cache_ttl.

> You *at least* need anti-address
> spoofing at your perimeter/border firewalls/packet filters
> to even *hope* to prevent those attacks over those lines.

Secure TCP/IP LANs predate tcpd. But this is orthogonal to my point.

-DPARANOID provides no security benefits for sites with secure IP,
secure local name service, and fixed rshd.

-DPARANOID provides no security benefits for sites with secure IP,
secure local name service, and unfixed rshd.

-DPARANOID provides no security benefits for sites with secure IP but
insecure local name service.

-DPARANOID provides no security benefits for sites without secure IP.

> Oh!  So anyone one in any of our hosts.allow might
> be able to impersonate any other hosts in our hosts.allow.

-DPARANOID provides no security benefits for sites that use hosts.allow
to restrict connections. tcpd performs double resolution for hosts.allow
whether or not -DPARANOID is set.

-DPARANOID provides no security benefits for sites that don't use
hosts.allow to restrict connections.

> An FAQ is intended to answer *frequent* questions.  Removing
> information from one fails in this basic intent.

You misunderstand. The question here isn't about tcpd. The question is
how to turn on special services for selected IP addresses.

There are two answers. One uses tcpd. This has the advantage of being
installed already on many systems. However, thanks to -DPARANOID, it has
been a support nightmare.

The second answer uses a different access-control mechanism. This has
the advantage of actually working.

I could make the tcpd answer work by explaining how to download tcpd,
disable -DPARANOID, and install. However, this is more complicated than
the second answer.

---Dan
1000 recipients, 28.8 modem, 10 seconds. http://pobox.com/~djb/qmail/mini.html