Date: Fri, 12 Apr 2002 23:46:02 -0700
From: "Crist J. Clark"
To: Andy Farkas
Cc: peter.lai@uconn.edu, "Kevin Kinsey, DaleCo, S.P.", security@FreeBSD.ORG
Subject: Re: hosts.allow and RFC931 - was: sshd warning---a lil' help?
Message-ID: <20020412234602.B43915@blossom.cjclark.org>
In-Reply-To: message from andyf@speednet.com.au on Fri, Apr 12, 2002 at 09:07:10PM +1000
Sender: owner-freebsd-security@FreeBSD.ORG

On Fri, Apr 12, 2002 at 09:07:10PM +1000, Andy Farkas wrote:
> On Tue, 9 Apr 2002, Peter C. Lai wrote:
>
> > a is true. the message is coming from hosts.allow, which checks for rdns as
> > a (weak) signal of spoofed packets. You can deny these connections by
> > turning on:
> >
> > ALL : PARANOID : RFC931 20 : deny
> > # Provide some protection against clients using a forged source IP address
>
> Question: the above rule in the default /etc/hosts.allow file is *above*
> the rules regarding sshd - does this mean that sshd is not protected
> against forged source IP addresses?
The original statement is misleading. There is pretty much no way to protect
against forged IP addresses; IP is unauthenticated. All PARANOID does is,

     PARANOID
          Matches any host whose name does not match its address.

It looks up the host name from the address, then looks up the address
associated with the host name, and makes sure the addresses match. It looks
for people playing DNS games. It's only really useful if you are restricting
access by host name.

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
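The two points made in the thread above, as an added example that is not part of the list message and is not tcp_wrappers' own code: a toy evaluator that models the PARANOID wildcard as a forward-confirmed reverse DNS check (PTR name must resolve back to the connecting address) and applies hosts.allow rules first-match-wins, so a PARANOID deny placed above the sshd rules applies to sshd as well. The DNS table, addresses and hostnames are constructed so the script runs offline; the real hosts.allow parser, the RFC931 ident lookup and the daemon/client syntax beyond what is used here are not modelled. Note that the evaluator only ever sees the source address, which is the point of the reply: a forged source address with consistent DNS passes every check.

```python
"""Toy model of tcp_wrappers PARANOID and hosts.allow ordering (offline)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed DNS data for illustration only; none of these are real hosts.
# Reverse (PTR) records, address -> name.
PTR: Dict[str, str] = {
    "192.0.2.10": "trusted.example.net",    # forward-confirmed
    "198.51.100.7": "trusted.example.net",  # PTR claims the trusted name, A disagrees
    "203.0.113.5": "box.example.org",       # forward-confirmed
}
# Forward (A) records, name -> addresses.
A: Dict[str, List[str]] = {
    "trusted.example.net": ["192.0.2.10"],
    "box.example.org": ["203.0.113.5"],
}


def resolve_client(addr: str) -> Tuple[Optional[str], bool]:
    """Return (hostname, paranoid) for a connecting address.

    hostname is the PTR name only if it resolves back to addr, else None.
    paranoid is True when a PTR name exists but does not map back to addr,
    i.e. "a host whose name does not match its address".
    An address with no PTR at all is not PARANOID; it simply has no name.
    """
    name = PTR.get(addr)
    if name is None:
        return None, False
    if addr in A.get(name, []):
        return name, False
    return None, True


@dataclass
class Rule:
    daemons: str  # "ALL" or a daemon name such as "sshd"
    client: str   # "ALL", "PARANOID", a hostname, or a dotted prefix like "192.0.2."
    action: str   # "allow" or "deny"


def client_matches(pattern: str, addr: str, name: Optional[str], paranoid: bool) -> bool:
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return paranoid
    if pattern.endswith("."):          # network prefix match on the address
        return addr.startswith(pattern)
    return name is not None and name == pattern   # only a confirmed name can match


def decide(rules: List[Rule], daemon: str, addr: str) -> str:
    """First matching rule wins; access is granted if nothing matches."""
    name, paranoid = resolve_client(addr)
    for r in rules:
        if r.daemons not in ("ALL", daemon):
            continue
        if client_matches(r.client, addr, name, paranoid):
            return r.action
    return "allow"


# Rule set in the spirit of the default file discussed in the thread,
# with the PARANOID line placed above the sshd rules.
RULES_WITH_PARANOID = [
    Rule("ALL", "PARANOID", "deny"),
    Rule("sshd", "192.0.2.", "allow"),
    Rule("sshd", "trusted.example.net", "allow"),
    Rule("sshd", "ALL", "deny"),
]
# Same rules without the PARANOID line, to show what it adds.
RULES_WITHOUT_PARANOID = RULES_WITH_PARANOID[1:]


def run_demo() -> Dict[str, str]:
    """Decisions for a few constructed connections, keyed by 'daemon addr'."""
    cases = [
        ("sshd", "192.0.2.10"),     # consistent DNS, in the allowed prefix
        ("sshd", "198.51.100.7"),   # DNS games: PTR says trusted, A says no
        ("sshd", "203.0.113.5"),    # honest host, but not in any allow rule
        ("ftpd", "198.51.100.7"),   # daemon with no rules of its own
    ]
    out = {}
    for daemon, addr in cases:
        out[f"{daemon} {addr} with"] = decide(RULES_WITH_PARANOID, daemon, addr)
        out[f"{daemon} {addr} without"] = decide(RULES_WITHOUT_PARANOID, daemon, addr)
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:32} -> {v}")
```

The "ftpd 198.51.100.7" pair is the interesting one: the PARANOID rule turns a fall-through allow into a deny for a daemon that has no rules of its own, while the DNS-games host never matched the hostname rule anyway because only a forward-confirmed name is used for matching. None of this helps against a forged 192.0.2.10, which is allowed in both rule sets.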