[8484] in bugtraq
Re: tcpd -DPARANOID doesn't work, and never did
daemon@ATHENA.MIT.EDU (Wietse Venema)
Tue Nov 10 16:14:22 1998
Date: Tue, 10 Nov 1998 00:18:50 -0500
Reply-To: Wietse Venema <wietse@PORCUPINE.ORG>
From: Wietse Venema <wietse@PORCUPINE.ORG>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19981110010714.8866.qmail@cr.yp.to> from "D. J. Bernstein" at "Nov 10, 98 01:07:14 am"
D. J. Bernstein:
> The subject line is correct exactly as stated. -DPARANOID does not
> improve your computer's security. It has never improved anybody's
> computer security.
Confronted with evidence that widely-used BIND and NIS software
wasn't vulnerable to a short TTL attack described in an earlier
post, Bernstein presents a marginally different attack.
This game could go on for a long time, but that would be a waste
of everyone's time. The TCP Wrapper documentation is very explicit
about the limitations of unauthenticated IP/DNS.
One can fix rshd/rlogind against some IP/DNS-based attacks, but
until IP/DNS with strong authentication are widely deployed, the
security of such services will be low, even when TCP Wrapped.
> You've done enough damage. Admit your mistake and turn off -DPARANOID.
I have resisted pressure to change this default for 7+ years. Now
that people use tcpd access control for email, I'm reconsidering
that decision - your friendly request notwithstanding.
Wietse