To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS

• Previous message (by thread): To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS
• Next message (by thread): To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I didn't intend to imply that matching forward/reverse DNS was a security 
measure I'd trust by itself, but it certainly doesn't hurt to implement as 
a "outer perimeter" measure in conjunction with IP-based rules and 
secure authentication...

-C

On Mon, May 14, 2001 at 10:24:54AM -0700, Adam McKenna wrote:
> 
> On Mon, May 14, 2001 at 11:46:05AM -0400, Christopher A. Woodfield wrote:
> > Reverse DNS by itself is insufficient for authentication, but 
> > enforcing matching forward and reverse DNS entries is much more reliable 
> > (no substitute for secret-based or cert-based authentication, but a good 
> > "front door" for something like tcp wrappers). at last check, tcpd and sshd 
> > can both be configured to block connections without matching forward/reverse 
> > records.
> 
> No.  This is joke security, as is any security that relies on hostnames.  TCP
> wrappers is basically worthless as a security measure unless you are using
> IP-based rules.  And even then, it's deprecated in favor of kernel
> firewalling (In Linux) or ipfilter (on BSD's and other platforms that support 
> it).
> 
> --Adam
> 

-- 
---------------------------
Christopher A. Woodfield		rekoil at semihuman.com

PGP Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB887618B

• Previous message (by thread): To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS
• Next message (by thread): To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]