North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS
I didn't intend to imply that matching forward/reverse DNS was a security measure I'd trust by itself, but it certainly doesn't hurt to implement as a "outer perimeter" measure in conjunction with IP-based rules and secure authentication... -C On Mon, May 14, 2001 at 10:24:54AM -0700, Adam McKenna wrote: > > On Mon, May 14, 2001 at 11:46:05AM -0400, Christopher A. Woodfield wrote: > > Reverse DNS by itself is insufficient for authentication, but > > enforcing matching forward and reverse DNS entries is much more reliable > > (no substitute for secret-based or cert-based authentication, but a good > > "front door" for something like tcp wrappers). at last check, tcpd and sshd > > can both be configured to block connections without matching forward/reverse > > records. > > No. This is joke security, as is any security that relies on hostnames. TCP > wrappers is basically worthless as a security measure unless you are using > IP-based rules. And even then, it's deprecated in favor of kernel > firewalling (In Linux) or ipfilter (on BSD's and other platforms that support > it). > > --Adam > -- --------------------------- Christopher A. Woodfield [email protected] PGP Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB887618B
|