Is this a tcpwrapper bug?

John Summerfield debian at herakles.homelinux.org
Tue Dec 18 03:55:52 UTC 2007 

Rick Stevens wrote:
> On Mon, 2007-12-17 at 16:52 -0500, Tom Horsley wrote:
>> While trying to make my ssh connection maximally secure,
>> I decided to use the /etc/hosts.allow and /etc/hosts.deny
>> files, and was able to get them working without too much
>> trouble, so now the only external site that can connect to
>> my home system is the address of what is probably my work
>> system's firewall.
>>
>> Here's the bug: The DNS setup for the IP address of the
>> firewall gives it two names, both (examples only)
>> users.example.com and corpvpn.example.com are in the
>> DNS database as the same IP.
> 
> In the forward database, how about the reverse database?  That's
> what's causing the problem.  Undoubtedly when it does the reverse
> DNS lookup of the IP address, it's getting the OTHER hostname.
> This is always a danger of using two "A" records in your DNS
> rather than one "A" record and one "CNAME" record.
> 
>> If I try to use either name (or both names) in the hosts.allow
>> file, I always get rejected with a log message that claims
>> users.example.com != corpvpn.example.com.
>>
>> If I use the IP address in hosts.allow, I still get the message
>> in the log, but I am allowed to connect.
>>
>> Is the tcpwrapper code being too paranoid here? Shouldn't
>> it lookup all the names for the IP and accept any match
>> rather than (appapently) only looking up the 1st name?
> 
> No, the IP could be spoofed.  If the connection that purported to come
> from niceguy.mybuddy.com on 1.2.3.4 actually reverse resolves to
> evilbastards.hackerville.com, do you really want to allow that?  I sure
> as heck don't.

Why do you imagine there's any correspondence? I have several domains 
pointing at my one public IP address, and my public IP address doesn't 
resolve to any of them.

Anyone who hosts websites has the same setup. So does anyone who hosts 
email services for divers organisations.

> 
> iptables rules are only interested in IP addresses...DNS can be faked
> pretty easily.  If the IP address isn't allowed by the rules, end of
> story.  For things such as ssh I don't want people on movable IPs
> getting into my machine anyway.  If anyone wants that kind of access to
> my machines, then they'd better be on a fixed IP so I can audit and
> backtrack the IP if they do evil to me.  I want to be able to hunt their
> *sses down and kill them in those cases.

Ultimately. hosts.{allow,deny} also only use IP addresses. There is 
little difference in that respect between iptables and the hosts files.




-- 

Cheers
John

-- spambait
1aaaaaaa at coco.merseine.nu  Z1aaaaaaa at coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)

More information about the users mailing list