Home page logo
/

nanog logo nanog mailing list archives

Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS
From: Adam McKenna <adam () flounder net>
Date: Mon, 14 May 2001 10:24:54 -0700


On Mon, May 14, 2001 at 11:46:05AM -0400, Christopher A. Woodfield wrote:
Reverse DNS by itself is insufficient for authentication, but 
enforcing matching forward and reverse DNS entries is much more reliable 
(no substitute for secret-based or cert-based authentication, but a good 
"front door" for something like tcp wrappers). at last check, tcpd and sshd 
can both be configured to block connections without matching forward/reverse 
records.

No.  This is joke security, as is any security that relies on hostnames.  TCP
wrappers is basically worthless as a security measure unless you are using
IP-based rules.  And even then, it's deprecated in favor of kernel
firewalling (In Linux) or ipfilter (on BSD's and other platforms that support 
it).

--Adam


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]