From owner-freebsd-security Thu Dec 13 3:27:25 2001
Delivered-To: freebsd-security@freebsd.org
Received: from shikima.mine.nu (pc1-card4-0-cust77.cdf.cable.ntl.com [62.252.49.77]) by hub.freebsd.org (Postfix) with ESMTP id AB34637B419 for ; Thu, 13 Dec 2001 03:27:20 -0800 (PST)
Received: from rasputin by shikima.mine.nu with local (Exim 3.33 #1) id 16EU3S-0006yx-00 for security@freebsd.org; Thu, 13 Dec 2001 11:29:34 +0000
Date: Thu, 13 Dec 2001 11:29:34 +0000
From: Rasputin
To: security@freebsd.org
Subject: Re: hosts.allow
Message-ID: <20011213112934.A26770@shikima.mine.nu>
Reply-To: Rasputin
References: <20011212182706.A21749@shikima.mine.nu> <20011212194617.1333e91f.kzaraska@student.uci.agh.edu.pl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20011212194617.1333e91f.kzaraska@student.uci.agh.edu.pl>; from kzaraska@student.uci.agh.edu.pl on Wed, Dec 12, 2001 at 07:46:17PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* Krzysztof Zaraska [011212 18:50]:
> On Wed, 12 Dec 2001 18:27:06 +0000 Rasputin wrote:
> > I just noticed I have a hosts.allow that is set up to all kinds of
> > weird examples:
> >
> > # hosts.allow access control file for "tcp wrapped" applications.
> > # $FreeBSD: src/etc/hosts.allow,v 1.8.2.5 2001/08/30 16:02:37 dwmalone Exp $
> >
> > Should/is this enabled by default?
>
> At least my "stock" version [v 1.8.2.3 2000/07/20 15:17:44] had this near
> the top:
>
> # Start by allowing everything (this prevents the rest of the file
> # from working, so remove it when you need protection).
> # The rules here work on a "First match wins" basis.
> ALL : ALL : allow
>
> So the examples don't matter. But this default setup is insecure anyhow.
My objection was really that it's been installed by default, is presumably
active, and has lines such as:

ftpd : .nice.guy.example.com : allow
ftpd : .evil.cracker.example.com : deny
ftpd : ALL : allow

in it. If they were commented out, fair enough.

We've also got uncommented lines regarding the portmapper and other
services - I know the IPs are private, but who's to say what lives on
those IPs on my network?

I only knew this file existed because of a warning in messages yesterday.
The CVS header suggests it's been there since at least August, but I'm
not sure it's a good thing to have in by default.

The default allow is fair enough, I suppose, since it preserves POLA,
but I'd question explicit allow/deny lines unless they're commented out.

-- 
In English, every word can be verbed. Would that it were so in our programming languages.
Rasputin :: Jack of All Trades - Master of Nuns

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
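The "first match wins" point Krzysztof quotes is what decides whether the ftpd allow/deny lines Rasputin objects to do anything at all. The following is an added example, not code from the thread or from the FreeBSD tree: a small Python model of hosts_access(5) evaluation covering the ALL and LOCAL wildcards, leading-dot hostname suffixes, trailing-dot address prefixes, net/mask patterns and exact matches, with the allow/deny option word FreeBSD uses in a single hosts.allow. EXCEPT lists and the spawn/twist options are not modelled. The sample file reproduces the lines quoted in the thread; the client hostnames and addresses fed to it are constructed for the example.

```python
"""Simplified model of tcp_wrappers hosts.allow evaluation (first match wins).

Added example, not FreeBSD's code. It models a subset of hosts_access(5):
ALL and LOCAL wildcards, leading-dot hostname suffixes, trailing-dot
address prefixes, net/mask patterns, exact matches, and the 'allow'/'deny'
option word used in FreeBSD's single hosts.allow file. EXCEPT lists and
spawn/twist options are not modelled.
"""
import ipaddress

# Constructed sample: the blanket allow that ships at the top of the
# FreeBSD default, followed by the ftpd example lines quoted in the thread.
DEFAULT_HOSTS_ALLOW = """\
# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
ALL : ALL : allow

ftpd : .nice.guy.example.com : allow
ftpd : .evil.cracker.example.com : deny
ftpd : ALL : allow
"""


def parse_rules(text):
    """Return a list of (daemons, clients, action) tuples in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        daemons = fields[0].split()
        clients = fields[1].split()
        # FreeBSD puts the verdict in the option field; a rule with no
        # option word grants access, as a classic hosts.allow entry does.
        action = fields[2].lower() if len(fields) > 2 and fields[2] else "allow"
        if action not in ("allow", "deny"):
            raise ValueError("unsupported option %r in %r" % (action, raw))
        rules.append((daemons, clients, action))
    return rules


def client_matches(pattern, hostname, address):
    """Match one client pattern against the peer's hostname and address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                 # hostnames without a dot
        return "." not in hostname
    if pattern.startswith("."):            # domain suffix, e.g. .example.com
        return hostname.endswith(pattern)
    if pattern.endswith("."):              # address prefix, e.g. 192.168.
        return address.startswith(pattern)
    if "/" in pattern:                     # net/mask, e.g. 10.0.0.0/255.0.0.0
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(address) in net
    return pattern in (hostname, address)  # exact host or address


def evaluate(rules, daemon, hostname, address):
    """Return (verdict, index of the matching rule or None); first match wins.

    When nothing matches, tcp_wrappers grants access (FreeBSD ships with an
    empty hosts.deny), so the fall-through verdict is 'allow'.
    """
    for i, (daemons, clients, action) in enumerate(rules):
        if ("ALL" in daemons or daemon in daemons) and any(
            client_matches(p, hostname, address) for p in clients
        ):
            return action, i
    return "allow", None


def drop_blanket_allow(rules):
    """Remove 'ALL : ALL : allow' rules, which mask every rule after them."""
    return [r for r in rules
            if not (r[0] == ["ALL"] and r[1] == ["ALL"] and r[2] == "allow")]


if __name__ == "__main__":
    shipped = parse_rules(DEFAULT_HOSTS_ALLOW)
    trimmed = drop_blanket_allow(shipped)
    peer = ("ftpd", "h1.evil.cracker.example.com", "203.0.113.7")
    print("as shipped:            ", evaluate(shipped, *peer))  # ('allow', 0)
    print("blanket allow removed: ", evaluate(trimmed, *peer))  # ('deny', 1)
```

With the file as shipped, the ftpd deny line for .evil.cracker.example.com never fires because rule 0 matches every daemon and client first; removing that one line is what turns the rest of the file into live policy, which is exactly why uncommented allow/deny examples are worth a second look before that step.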