From owner-freebsd-security Thu Nov 18 10:48:20 1999
Delivered-To: freebsd-security@freebsd.org
Received: from eastwood.aldigital.algroup.co.uk (eastwood.aldigital.algroup.co.uk [194.128.162.193])
	by hub.freebsd.org (Postfix) with ESMTP id 3B52B154BF
	for ; Thu, 18 Nov 1999 10:47:53 -0800 (PST)
	(envelope-from adam@algroup.co.uk)
Received: from algroup.co.uk ([193.195.56.225])
	by eastwood.aldigital.algroup.co.uk (8.8.8/8.6.12) with ESMTP id SAA18290;
	Thu, 18 Nov 1999 18:45:38 GMT
Message-ID: <38344951.2E63C525@algroup.co.uk>
Date: Thu, 18 Nov 1999 18:45:37 +0000
From: Adam Laurie
Organization: A.L. Group plc
X-Mailer: Mozilla 4.07 [en] (Win95; I)
MIME-Version: 1.0
To: "Mr. K."
Cc: Dag-Erling Smorgrav , David G Andersen , freebsd-security@FreeBSD.ORG
Subject: Re: localhost.org
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Mr. K. wrote:
> 
> > You should have an entry for localhost in the inbox.org zone file:
> > 
> > localhost IN A 127.0.0.1
> 
> Yep, I already had this but it was ignoring this. In fact,
> localhost.inbox.org would give me 127.0.0.1, localhost. would give me
> 127.0.0.1, but localhost would give me a.b.c.d. Turns out that one-part
> domains automatically try the search first.
> 
> > and you should consider setting your search path explicitly in
> > /etc/resolv.conf.
> This solved the problem.
> 
> > Alternatively, put 'hosts' before 'bind' in /etc/host.conf and make
> > sure /etc/hosts contains an entry for localhost. You can use
> > /etc/hosts to override other stuff, too; e.g. make ad.doubleclick.net
> > point to a dummy httpd that returns 404 no matter what URL you
> > request.
> 
> This seems like a good idea in any case, as it will defeat a hacker who
> manages to compromise your nameserver. At least for those listings
> included in /etc/hosts.
Unfortunately this is not all you need to do to protect yourself - the
default permissions table in MySQL will also include your fully qualified
domain name. An attacker who controls their own reverse resolution can set
themselves up to reverse to your box name, and MySQL will let them in
(unless you are running it in 'secure' mode, in which case it checks that
forward and reverse actually match). Since local connections actually
appear to come from 'localhost' and not your fully qualified domain, you
can safely delete the fully qualified entries from your MySQL user table.

You should also move the TCP port onto a firewalled port if you don't need
external access, and to a unix domain socket if you don't need TCP access.

Finally, if they got in as a user with File_priv level access, they
probably own you by now.

cheers,
Adam
-- 
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers
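The reverse-DNS trust problem Adam describes, and the forward-confirmation check that defeats it, modelled as an added example. This is not code from the thread or from MySQL; the addresses, hostnames, DNS records and the mysql.user-style (Host, User) rows are all constructed for illustration. The attacker's PTR record lies (it claims the server's own FQDN), but the attacker does not control the forward zone, so the name does not round-trip to their address.

```python
"""Reverse-DNS-only ACL matching versus forward-confirmed matching.

Added example for the thread above; not part of the original mail and not
MySQL's own code. All DNS data and ACL rows below are constructed.
"""

# Constructed DNS data. The attacker (203.0.113.7) controls the reverse zone
# for their own address block and points the PTR at the victim's FQDN.
# They cannot touch inbox.org's forward zone, so db.inbox.org still
# resolves only to the real server.
FORWARD = {
    "db.inbox.org": {"192.0.2.10"},
    "localhost": {"127.0.0.1"},
}
REVERSE = {
    "192.0.2.10": "db.inbox.org",   # honest PTR for the real server
    "203.0.113.7": "db.inbox.org",  # attacker-controlled PTR, lies
    "127.0.0.1": "localhost",
}

# Rows modelled on mysql.user (Host, User). The first list stands in for the
# default table the mail warns about; the second is the table after the
# FQDN row has been deleted as the mail recommends.
DEFAULT_ACL = [("localhost", "root"), ("db.inbox.org", "root")]
HARDENED_ACL = [("localhost", "root")]


def client_hostname(ip, forward_confirm):
    """Return the name used for ACL matching, or None if it cannot be trusted.

    forward_confirm=False trusts the PTR record alone.
    forward_confirm=True mimics the 'secure' behaviour described in the mail:
    the PTR name is accepted only if it resolves back to the connecting IP.
    """
    name = REVERSE.get(ip)
    if name is None:
        return None
    if forward_confirm and ip not in FORWARD.get(name, set()):
        return None  # PTR does not round-trip; treat the client as unnamed
    return name


def host_matches(pattern, ip, forward_confirm):
    """Match one Host value: '%', a literal IP, or a hostname."""
    if pattern == "%":
        return True
    if pattern == ip:
        return True
    return client_hostname(ip, forward_confirm) == pattern


def is_allowed(acl, user, ip, forward_confirm):
    """True if some (Host, User) row lets `user` connect from `ip`."""
    return any(u == user and host_matches(h, ip, forward_confirm)
               for h, u in acl)


def demo():
    """Summarise the four cases the mail discusses."""
    attacker, local = "203.0.113.7", "127.0.0.1"
    return {
        # default table, PTR trusted: the spoofed reverse name gets in
        "default_ptr_only": is_allowed(DEFAULT_ACL, "root", attacker, False),
        # default table, forward-confirmed: the lie is caught
        "default_confirmed": is_allowed(DEFAULT_ACL, "root", attacker, True),
        # FQDN row deleted: nothing left for the attacker to match
        "hardened_ptr_only": is_allowed(HARDENED_ACL, "root", attacker, False),
        # local connections still match 'localhost'
        "hardened_local": is_allowed(HARDENED_ACL, "root", local, False),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'ALLOWED' if allowed else 'denied'}")
```

The model only covers the name-matching step. On a real server the equivalent of moving from `DEFAULT_ACL` to `HARDENED_ACL` is deleting the mysql.user rows whose Host column is the machine's FQDN and then running `FLUSH PRIVILEGES`; Adam's remaining advice (firewall the TCP port, or drop TCP in favour of the unix domain socket) removes the network path entirely rather than relying on the ACL.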