Date: Thu, 18 Nov 1999 18:45:37 +0000 From: Adam Laurie <adam@algroup.co.uk> To: "Mr. K." <bsd@a.servers.aozilla.com> Cc: Dag-Erling Smorgrav <des@flood.ping.uio.no>, David G Andersen <danderse@cs.utah.edu>, freebsd-security@FreeBSD.ORG Subject: Re: localhost.org Message-ID: <38344951.2E63C525@algroup.co.uk> References: <Pine.BSF.3.96.991118111140.1561A-100000@inbox.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Mr. K. wrote: > > > You should have an entry for localhost in the inbox.org zone file: > > > > localhost IN A 127.0.0.1 > > > yep, I already had this but it was ignoring this. in fact, > localhost.inbox.org would give me 127.0.0.1, localhost. would give me > 127.0.0.1, but localhost would give me a.b.c.d. Turns out that one part > domains automatically try the search first. > > > and you should consider setting your search path explicitly in > > /etc/resolv.conf. > This solved the problem. > > > Alternatively, put 'hosts' before 'bind' in /etc/host.conf and make > > sure /etc/hosts contains an entry for localhost. You can use > > /etc/hosts to override other stuff, too; e.g. make ad.doubleclick.net > > point to a dummy httpd that returns 404 no matter what URL you > > request. > > > This seems like a good idea in any case, as it will defeat a hacker who > manages to comprimise your nameserver. At least for those listings > included in /etc/hosts. Unfortunately this is not all you need to do to protect yourself - the default permissions table in MySQL will also include your fully qualified domain name. An attacker who controls their own reverse resolution can set themselves up to reverse to your box name, and MySQL will let them in (unless you are running it in 'secure' mode, in which case it checks that forward and reverse actually match). Since local connections actually appear to come from 'localhost' and not your fully qualified domain, you can safely delete the fully qualified entries from your MySQL user table. You should also move the TCP port onto a firewalled port if you don't need external access, and to a unix domain socket if you don't need TCP access. Finally, if they got in as a user with File_priv level access, they probably own you by now. cheers, Adam -- Adam Laurie Tel: +44 (181) 742 0755 A.L. Digital Ltd. Fax: +44 (181) 742 5995 Voysey House Barley Mow Passage http://www.aldigital.co.uk London W4 4GB mailto:adam@algroup.co.uk UNITED KINGDOM PGP key on keyservers To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?38344951.2E63C525>