Date:      Thu, 18 Nov 1999 18:45:37 +0000
From:      Adam Laurie <adam@algroup.co.uk>
To:        "Mr. K." <bsd@a.servers.aozilla.com>
Cc:        Dag-Erling Smorgrav <des@flood.ping.uio.no>, David G Andersen <danderse@cs.utah.edu>, freebsd-security@FreeBSD.ORG
Subject:   Re: localhost.org
Message-ID:  <38344951.2E63C525@algroup.co.uk>
References:  <Pine.BSF.3.96.991118111140.1561A-100000@inbox.org>

Mr. K. wrote:
> 
> > You should have an entry for localhost in the inbox.org zone file:
> >
> > localhost               IN      A       127.0.0.1
> >
> yep, I already had this but it was ignoring this.  in fact,
> localhost.inbox.org would give me 127.0.0.1, localhost. would give me
> 127.0.0.1, but localhost would give me a.b.c.d.  Turns out that one part
> domains automatically try the search first.
> 
> > and you should consider setting your search path explicitly in
> > /etc/resolv.conf.
> This solved the problem.
> 
> > Alternatively, put 'hosts' before 'bind' in /etc/host.conf and make
> > sure /etc/hosts contains an entry for localhost. You can use
> > /etc/hosts to override other stuff, too; e.g. make ad.doubleclick.net
> > point to a dummy httpd that returns 404 no matter what URL you
> > request.
> >
> This seems like a good idea in any case, as it will defeat a hacker who
> manages to compromise your nameserver.  At least for those listings
> included in /etc/hosts.

Unfortunately this is not all you need to do to protect yourself - the
default permissions table in MySQL will also include your fully
qualified domain name. An attacker who controls their own reverse
resolution can set themselves up to reverse to your box name, and MySQL
will let them in (unless you are running it in 'secure' mode, in which
case it checks that forward and reverse actually match). Since local
connections actually appear to come from 'localhost' and not your fully
qualified domain, you can safely delete the fully qualified entries from
your MySQL user table. You should also move the TCP port onto a
firewalled port if you don't need external access, and to a unix domain
socket if you don't need TCP access. Finally, if they got in as a user
with File_priv level access, they probably own you by now.

cheers,
Adam
--
Adam Laurie                   Tel: +44 (181) 742 0755
A.L. Digital Ltd.             Fax: +44 (181) 742 5995
Voysey House                  
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers
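The host-based authentication problem Adam describes (a user-table entry keyed on the server's own FQDN, matched against the client's reverse-resolved name, with the forward/reverse cross-check only in 'secure' mode) can be modelled in a few lines. The following is an added example written for this archive page, not code from the thread or from MySQL; the hostnames, addresses and resolver tables are constructed and injected as dicts so that it runs offline, and the user-table shape is a simplification of the relevant `mysql.user` columns.

```python
"""Forward-confirmed reverse DNS for host-based access control.

Added example (not from the original thread): models the behaviour
described in the message above, where a user-table entry keyed on the
server's fully qualified domain name is compared with the client's
reverse-resolved hostname.  Resolver lookups are injected as plain dicts
so the example runs offline; all names and addresses are constructed.
"""
import ipaddress

# Constructed reverse (PTR) and forward (A) records.  The host at
# 198.51.100.7 controls its own in-addr.arpa zone and points it at the
# database server's name, but cannot make the server's own zone resolve
# that name to 198.51.100.7.
PTR = {
    "203.0.113.10": "db.example.org",     # the database host itself
    "198.51.100.7": "db.example.org",     # PTR under someone else's control
    "192.0.2.25":   "client.example.org",
}
A = {
    "db.example.org":     ["203.0.113.10"],
    "client.example.org": ["192.0.2.25"],
}


def reverse_name(ip, ptr=PTR):
    """Hostname claimed by the PTR record for ip, or None."""
    return ptr.get(ip)


def forward_confirmed_name(ip, ptr=PTR, a=A):
    """Return the reverse name only if it resolves forward to ip again
    (the 'secure mode' cross-check described in the message); else None."""
    name = ptr.get(ip)
    if name is None:
        return None
    return name if ip in a.get(name, []) else None


def client_host(ip, local=False, secure=False):
    """Hostname the server compares against the user table.

    Local connections (unix socket or loopback) appear as 'localhost',
    which is why the FQDN entry is not needed for local access.
    """
    if local or ipaddress.ip_address(ip).is_loopback:
        return "localhost"
    name = forward_confirmed_name(ip) if secure else reverse_name(ip)
    return name if name is not None else ip


def is_allowed(user, ip, user_table, local=False, secure=False):
    """True if (user, host) matches an entry in user_table, a set of
    (user, host) pairs mirroring the relevant mysql.user columns."""
    return (user, client_host(ip, local, secure)) in user_table


def audit_fqdn_entries(user_table, fqdn):
    """Entries keyed on the server's own FQDN: candidates for deletion."""
    return sorted(e for e in user_table if e[1] == fqdn)


# Default-style table with both the localhost and the FQDN entry,
# and the hardened table with the FQDN entry removed as recommended.
DEFAULT_TABLE = {("root", "localhost"), ("root", "db.example.org")}
HARDENED_TABLE = {("root", "localhost")}

if __name__ == "__main__":
    for table_name, table in (("default", DEFAULT_TABLE), ("hardened", HARDENED_TABLE)):
        for secure in (False, True):
            print(table_name, "secure=%s" % secure,
                  "spoofed PTR allowed:", is_allowed("root", "198.51.100.7", table, secure=secure),
                  "local allowed:", is_allowed("root", "127.0.0.1", table, secure=secure))
    print("FQDN entries to remove:", audit_fqdn_entries(DEFAULT_TABLE, "db.example.org"))
```

Run stand-alone, the block shows the three outcomes the message contrasts: with the default table and reverse-only matching the spoofed PTR is accepted; with the forward-confirmed check it is rejected; and once the FQDN entry is deleted the spoof fails in either mode while local connections, which present as 'localhost', still work.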
