Date: Sat, 24 Dec 2005 03:11:30 -0500
From: James Tanis <jtanis@pycoder.org>
To: JoaoBR <joao@matik.com.br>
Cc: freebsd-stable@freebsd.org
Subject: Re: SSH login takes very long time...sometimes
Message-ID: <65dcde740512240011y7c9e324esb3ceee331c5992c6@mail.gmail.com>
In-Reply-To: <200512232119.58748.joao@matik.com.br>
References: <43ABF6E4.2090908@ll.mit.edu> <44irtf3mxr.fsf@be-well.ilk.org> <65dcde740512231426u199dea1aob6c54b89056c7a82@mail.gmail.com> <200512232119.58748.joao@matik.com.br>
> you can fake your IP and you can fake your hostname, but exactly for security
> reasons, since we believe that being a network admin is not because of
> luck but knowledge, and we also believe that this person has a certain
> responsibility and so he will probably not set up false DNS reverse data.
>
> so when I check your IP and the hostname you send me and these do not match
> the reverse info I get, I can suppose you do not have good intentions or you
> do not have the knowledge to set your network up. Both cases may not be
> welcome on my network and you get kicked out. Like you see here the decision
> is the owner's, who can or can not enter his home.

If you truly believe one can easily fake their IP, then a reverse lookup is
even more irrelevant, because it doesn't take a genius to choose an IP and
hostname that match. From what you're saying, falsifying the actual
reverse-lookup record need not even be considered. I don't pretend to be any
kind of hacker or security professional; I have no idea how involved spoofing
a valid (not local-only) IP is, or if it is indeed possible, but it seems to
me that this ability would only make the reverse lookup less reliable.

> so reverse DNS is an absolutely valid check - which was never so important as
> today, since each newborn already knows how to fake IPs
>
> and when your residential IP provider does not have a correct reverse DNS, get
> yourself a more serious one

A good many large ISPs do not assign a reverse lookup, as that would also
require a hostname. Since most residential users do not need a hostname, it
isn't necessarily standard procedure to give them one. ISPs that assign
reverse lookups cause an even bigger problem, because no one wants to name
their computers according to their ISP; for instance, Charter likes to assign
hostnames like:

    xxx-xxx-xxx-xxx.dhcp.xxx.xx.charter.com

which is very basically a hyphen-delimited IP followed by an abbreviated city
and state. Nothing wrong with the scheme, but I don't really care to name my
firewall that; I much prefer loki.pycoder.org. This in itself is not a sign
of ill intent. Most residential users, whether they are knowledgeable or not,
will not all make sure to have their computers reporting the hostname
xxx-xxx-xxx-xxx.dhcp.xxx.xx.charter.com, yet they have no ill intent. Clearly
then, a reverse DNS lookup is only desirable in specific situations where you
know exactly where you'll be getting remote connections from and can
accommodate them if they do not have properly set reverse-lookup entries.

> anyway, you are mixing things up, since you do not need a valid reverse DNS to
> configure your sshd; the server admin can disable this lookup or use the
> local hosts file - or you may like the "clever way" and forget to set or
> delete your resolv.conf

Exactly the point I was trying to argue. I've been using FreeBSD long enough
to know my way around /etc as well as hold my own with BIND; I was more than
able to diagnose/fix the problem. That does not change the fact, though, that
not everyone is able to administer their own DNS, not because they do not
know how, but because they do not have the right. How does this affect
FreeBSD? Not at all. I'd just wish it didn't have to be in the default setup,
but I've already lost interest in the subject, as it's really just an
insignificant point that really didn't deserve this long of an email :P.

> João
>
> This message was scanned by the e-mail system and can be considered safe.
> Service provided by Datacenter Matik https://datacenter.matik.com.br
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"

-- 
James Tanis
jtanis@pycoder.org
http://pycoder.org
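The check being argued about above (look up the connecting address's PTR record, then confirm that the name resolves back to that address) and the slow-login symptom in the subject line are two sides of the same lookup. The following is an added example, not code from this thread, from FreeBSD or from OpenSSH, of a forward-confirmed reverse DNS (FCrDNS) check written so that "the resolver did not answer" stays distinct from "the records do not match"; a policy that denies on the former is what turns a DNS outage into the login delay the thread is about. The function and type names (`fcrdns`, `Verdict`, the `*_lookup` adapters) are chosen here, and the zone data is constructed: the addresses are from the 203.0.113.0/24 documentation range, the hostnames are invented, and the ISP-style name imitates the hyphen-delimited scheme James describes.

```python
"""
Forward-confirmed reverse DNS (FCrDNS) as a connection check.

Added example for the thread above; not code from the thread, from FreeBSD
or from OpenSSH. The two resolver functions are injected so the decision
logic can be exercised offline against the constructed zone below, while
socket_ptr_lookup / socket_addr_lookup adapt the real libc resolver.
"""
from __future__ import annotations

import socket
from enum import Enum
from typing import Callable, Iterable


class Verdict(Enum):
    MATCH = "PTR name resolves back to the connecting address"
    MISMATCH = "PTR name exists but does not resolve back to the address"
    NO_PTR = "no reverse record for the address"
    UNKNOWN = "lookup did not complete (timeout/SERVFAIL); inconclusive"


# ip -> hostname; raises LookupError (no record) or TimeoutError (no answer)
PtrLookup = Callable[[str], str]
# hostname -> addresses; same exception contract
AddrLookup = Callable[[str], Iterable[str]]


def fcrdns(ip: str, ptr_lookup: PtrLookup, addr_lookup: AddrLookup) -> tuple[Verdict, str | None]:
    """Return (verdict, normalised PTR name or None).

    UNKNOWN is deliberately not folded into MISMATCH: a resolver that cannot
    answer says nothing about the peer, so a policy should not deny on it.
    """
    try:
        name = ptr_lookup(ip)
    except LookupError:
        return Verdict.NO_PTR, None
    except TimeoutError:
        return Verdict.UNKNOWN, None
    name = name.rstrip(".").lower()
    try:
        addrs = {a.lower() for a in addr_lookup(name)}
    except LookupError:
        return Verdict.MISMATCH, name  # PTR points at a name with no address record
    except TimeoutError:
        return Verdict.UNKNOWN, name
    return (Verdict.MATCH if ip.lower() in addrs else Verdict.MISMATCH), name


# --- adapters for the real libc resolver (timeouts/retries come from resolv.conf) ---

def socket_ptr_lookup(ip: str) -> str:
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror as exc:
        if exc.errno == 2:  # TRY_AGAIN in <netdb.h> on BSD and glibc: transient, not "no record"
            raise TimeoutError(str(exc)) from exc
        raise LookupError(str(exc)) from exc


def socket_addr_lookup(name: str) -> list[str]:
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        if exc.errno == getattr(socket, "EAI_AGAIN", object()):
            raise TimeoutError(str(exc)) from exc
        raise LookupError(str(exc)) from exc
    return [info[4][0] for info in infos]


# --- constructed zone for offline demonstration (not real DNS data) ---
ZONE_PTR = {
    "203.0.113.10": "203-0-113-10.dhcp.example.net.",  # ISP-style name, as described in the thread
    "203.0.113.20": "mail.example.org.",               # PTR names a host that resolves elsewhere
    "203.0.113.50": "dangling.example.net.",           # PTR names a host with no address record
    # 203.0.113.30 has no PTR at all; 203.0.113.40 simulates a resolver that never answers
}
ZONE_A = {
    "203-0-113-10.dhcp.example.net": ["203.0.113.10"],
    "mail.example.org": ["203.0.113.99"],
}


def fake_ptr_lookup(ip: str) -> str:
    if ip == "203.0.113.40":
        raise TimeoutError("constructed: no answer from resolver")
    try:
        return ZONE_PTR[ip]
    except KeyError:
        raise LookupError(f"no PTR for {ip}") from None


def fake_addr_lookup(name: str) -> list[str]:
    try:
        return ZONE_A[name]
    except KeyError:
        raise LookupError(f"no address for {name}") from None


def demo() -> dict[str, tuple[Verdict, str | None]]:
    peers = ["203.0.113.10", "203.0.113.20", "203.0.113.30", "203.0.113.40", "203.0.113.50"]
    return {ip: fcrdns(ip, fake_ptr_lookup, fake_addr_lookup) for ip in peers}


if __name__ == "__main__":
    for ip, (verdict, name) in demo().items():
        print(f"{ip:<14} {verdict.name:<9} {name or '-'}")
```

For real peers, call `fcrdns(ip, socket_ptr_lookup, socket_addr_lookup)`; how long an UNKNOWN takes to surface is then set by the `options timeout:` and `attempts:` lines in resolv.conf, not by this code. In sshd itself the lookup is controlled by the `UseDNS` option in sshd_config, and `UseDNS no` removes it from the login path entirely.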
