Date: Thu, 13 Dec 2001 11:29:34 +0000
From: Rasputin <rasputin@submonkey.net>
To: security@freebsd.org
Subject: Re: hosts.allow
Message-ID: <20011213112934.A26770@shikima.mine.nu>
In-Reply-To: <20011212194617.1333e91f.kzaraska@student.uci.agh.edu.pl>; from kzaraska@student.uci.agh.edu.pl on Wed, Dec 12, 2001 at 07:46:17PM +0100
References: <20011212182706.A21749@shikima.mine.nu> <20011212194617.1333e91f.kzaraska@student.uci.agh.edu.pl>
* Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl> [011212 18:50]:
> On Wed, 12 Dec 2001 18:27:06 +0000 Rasputin wrote:
> > I just noticed I have a hosts.allow that is set up to all kinds of
> > weird examples:
> >
> > # hosts.allow access control file for "tcp wrapped" applications.
> > # $FreeBSD: src/etc/hosts.allow,v 1.8.2.5 2001/08/30 16:02:37 dwmalone Exp $
> >
> > Should/is this enabled by default?
>
> At least my "stock" version [v 1.8.2.3 2000/07/20 15:17:44] had this near
> the top:
>
> # Start by allowing everything (this prevents the rest of the file
> # from working, so remove it when you need protection).
> # The rules here work on a "First match wins" basis.
> ALL : ALL : allow
>
> So the examples don't matter. But this default setup is insecure anyhow.

My objection was really that it's been installed by default, is presumably
active, and has lines such as:

ftpd : .nice.guy.example.com : allow
ftpd : .evil.cracker.example.com : deny
ftpd : ALL : allow

in it. If they were commented out, fair enough.

We've also got uncommented lines regarding the portmapper and other services -
I know the IPs are private, but who's to say what lives on those IPs on my
network?

I only knew this file existed because of a warning in messages yesterday.
The CVS header suggests it's been there since at least August, but I'm not
sure it's a good thing to have in by default.

The default allow is fair enough, I suppose, since it preserves POLA, but I'd
question explicit allow/deny lines unless they're commented out.

--
In English, every word can be verbed.
Would that it were so in our programming languages.

Rasputin :: Jack of All Trades - Master of Nuns ::

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011213112934.A26770>
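The point both posters circle around is that tcp_wrappers evaluates hosts.allow on a first-match-wins basis, so a leading "ALL : ALL : allow" makes every later line dead, including the "ftpd : .evil.cracker.example.com : deny" example. The following toy evaluator is an added example, not code from the thread or from FreeBSD/tcp_wrappers. It models only the FreeBSD extended rule form "daemon_list : client_list : allow|deny" and only four client patterns (ALL, a leading-dot domain suffix, a trailing-dot IPv4 prefix, an exact name or address); the two rule files, host names and addresses are constructed for the example and are not the stock file's contents.

```python
"""Toy first-match-wins evaluator for tcp_wrappers hosts.allow rules.

Added example, not code from the mailing-list post or from FreeBSD /
tcp_wrappers. It models only the FreeBSD "extended" rule form
    daemon_list : client_list : allow|deny
and only these client patterns: ALL, a leading-dot domain suffix
(".example.com"), a trailing-dot IPv4 prefix ("10.0.0.") and an exact host
name or address. Netmasks, EXCEPT, KNOWN/UNKNOWN/PARANOID, spawn/twist and
hosts.deny are deliberately not modelled.
"""

from typing import List, Tuple

# (daemon names, client patterns, action)
Rule = Tuple[List[str], List[str], str]

# Constructed sample modelled on the lines quoted in the thread: the blanket
# "ALL : ALL : allow" comes first, so nothing after it can ever match.
STOCK_HOSTS_ALLOW = """\
# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
ALL : ALL : allow
ftpd : .nice.guy.example.com : allow
ftpd : .evil.cracker.example.com : deny
ftpd : ALL : allow
"""

# Constructed hardened version: explicit grants first, a deny as the last rule.
HARDENED_HOSTS_ALLOW = """\
ftpd : .nice.guy.example.com : allow
ftpd : .evil.cracker.example.com : deny
sshd : 10.0.0. : allow
ALL : ALL : deny
"""


def parse_hosts_allow(text: str) -> List[Rule]:
    """Parse the subset of hosts.allow syntax described in the module docstring."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3:
            raise ValueError(f"unsupported rule (need daemon : client : option): {raw!r}")
        daemons, clients, action = fields[0].split(), fields[1].split(), fields[2].lower()
        if action not in ("allow", "deny"):
            raise ValueError(f"unsupported option {fields[2]!r} in {raw!r}")
        rules.append((daemons, clients, action))
    return rules


def client_matches(pattern: str, host: str, ip: str) -> bool:
    """Match one client pattern against the peer's resolved name and address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):       # domain suffix, e.g. ".evil.cracker.example.com"
        return host.endswith(pattern)
    if pattern.endswith("."):         # IPv4 prefix, e.g. "10.0.0."
        return ip.startswith(pattern)
    return pattern in (host, ip)      # exact name or address


def decide(rules: List[Rule], daemon: str, host: str, ip: str) -> Tuple[str, int]:
    """Return (action, index of the rule that fired).

    First match wins. If no rule matches, tcp_wrappers grants access; that
    case is reported with index -1.
    """
    for idx, (daemons, clients, action) in enumerate(rules):
        daemon_hit = "ALL" in daemons or daemon in daemons
        if daemon_hit and any(client_matches(p, host, ip) for p in clients):
            return action, idx
    return "allow", -1


def evaluate(text: str, daemon: str, host: str, ip: str) -> Tuple[str, int]:
    """Parse a hosts.allow body and decide one connection."""
    return decide(parse_hosts_allow(text), daemon, host, ip)


if __name__ == "__main__":
    peer = ("ftpd", "box.evil.cracker.example.com", "203.0.113.7")
    print("stock   :", evaluate(STOCK_HOSTS_ALLOW, *peer))     # ('allow', 0): blanket rule wins
    print("hardened:", evaluate(HARDENED_HOSTS_ALLOW, *peer))  # ('deny', 1): explicit deny fires
    print("hardened sshd from 10.0.0.5:", evaluate(HARDENED_HOSTS_ALLOW, "sshd", "", "10.0.0.5"))
```

Against the stock-style file the "evil" ftp client is admitted by rule 0 and the deny on rule 2 never runs; against the hardened file the same client hits the deny, and anything not explicitly granted falls through to the closing "ALL : ALL : deny". Two practitioner caveats: on a real host, check the effective decision with tcpdmatch(8) (for example "tcpdmatch ftpd box.evil.cracker.example.com") rather than reading the file, and remember that domain-suffix patterns depend on the peer's resolved name, so prefer address patterns for anything you actually rely on.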