Hi, tcp-wrappers, article

Cary B. O'Brien cobrien "at" access.digex.net
Fri, 13 Mar 1998 16:18:26 +0000


> >    the listen address to (rather than INADDR_ANY).  This way I could bind 
> >    the listen address to 128.0.0.1 (loopback), and have a tcp-wrapper 
> 
> 127.0.0.1 .. 
> 
> >    protected netcat or redir listening for connections from my machine, 
> >    which would be forwarded to Xvnc.  This would also be good for dual-homed 
> >    machines in DMZ-type firewall setups.  This would allow connections only from
> >    the internal lan.
> 
> And if you have source routing facilities on your box you can potentially
> be open to abuse.
> 

True, but that's one of the first things I turn off on exposed boxes, and
I sure hope the firewall guy has it disabled (gotta check that).

> > 2) Build in source address based authentication using the library that
> >    comes with tcp_wrappers.
> > 
> > Comments? 
> 
> I think it's better to do the job properly. Assuming you only care about
> authentication and not also data hiding then MD5 signatures are probably
> enough security (like PPP CHAP protocol). MD5 is free, exportable worldwide
> and not (currently 8)) subject to patent stupidities
> 

True, but I'm kind of a belt-and-braces guy [1].  I worry that
passwords are subject to social engineering [2] attacks, so I'd like
another layer of security.  I'd just like to be sure that external
access just can't happen.

-- cary

[1] Wearing both a belt and suspenders to keep your pants up.   I.e. likes
    redundancy.

[2] Like looking through people's day-planners, or in drawers, or in
    their stored e-mail when they leave their offices.  Or the wastebasket
    near the printer.
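Added example (not code from this thread or from tcp_wrappers, netcat or redir): the layered setup described above, as a small forwarder that binds to 127.0.0.1 rather than INADDR_ANY, still checks the peer address against an allow-list before touching the target (the hosts.allow-style check a tcp-wrapper would do), and reads the Linux sysctl that the poster says he turns off on exposed boxes. The Xvnc target port 5900, the 127.0.0.0/8 allow-list and the /proc/sys path are assumptions; the echo server in demo() is a constructed stand-in for Xvnc so the example runs offline.

```python
"""Added example (not code from this thread): a loopback-bound, source-address
filtered TCP forwarder of the kind the poster describes putting in front of
Xvnc, plus the source-routing check he says he makes on exposed boxes.
Assumptions: Xvnc listens on 127.0.0.1:5900 (display :0), the allow-list is
127.0.0.0/8, and the sysctl path is the Linux one."""
import ipaddress
import socket
import threading

# Assumption: only the loopback network is trusted.  Widen to the internal
# LAN (e.g. 10.0.0.0/8) for the dual-homed DMZ case, and bind to the internal
# interface address instead of 127.0.0.1.
ALLOWED_PEERS = [ipaddress.ip_network("127.0.0.0/8")]
XVNC_TARGET = ("127.0.0.1", 5900)   # assumption: Xvnc display :0


def peer_allowed(peer_ip, allowed=ALLOWED_PEERS):
    """hosts.allow-style check: True only if peer_ip lies in an allowed network.
    IPv4-mapped IPv6 addresses (::ffff:127.0.0.1) are unwrapped first so a
    dual-stack listener cannot be fooled by the mapped form."""
    addr = ipaddress.ip_address(peer_ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in allowed)


def source_routing_disabled(path="/proc/sys/net/ipv4/conf/all/accept_source_route"):
    """True when the kernel refuses source-routed packets (sysctl reads 0),
    False when it accepts them, None when the file cannot be read (non-Linux)."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "0"
    except OSError:
        return None


def make_listener(bind_addr="127.0.0.1", port=0):
    """Bind to one interface address only, never INADDR_ANY (0.0.0.0).
    port=0 lets the kernel pick a free port; use 5901 or similar for real use."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((bind_addr, port))
    sock.listen(5)
    return sock


def pump(src, dst):
    """Copy bytes src -> dst until EOF or error, then tear down both sides."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for sk in (src, dst):
            try:
                sk.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
            sk.close()


def serve(listener, target=XVNC_TARGET, max_conns=None):
    """Accept loop.  Peers outside the allow-list are dropped before any byte
    reaches the target.  Returns the number of connections forwarded."""
    forwarded = 0
    while max_conns is None or forwarded < max_conns:
        client, (peer_ip, _) = listener.accept()
        if not peer_allowed(peer_ip):
            client.close()   # second layer: even a mis-bound listener refuses
            continue
        upstream = socket.create_connection(target)
        threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
        threading.Thread(target=pump, args=(upstream, client), daemon=True).start()
        forwarded += 1
    return forwarded


def demo():
    """Constructed self-test: a one-shot echo server stands in for Xvnc.
    Returns the bytes that came back through the forwarder."""
    echo = make_listener()

    def echo_once():
        conn, _ = echo.accept()
        conn.sendall(conn.recv(1024))
        conn.close()

    threading.Thread(target=echo_once, daemon=True).start()
    fwd = make_listener()
    threading.Thread(target=serve, args=(fwd,),
                     kwargs={"target": echo.getsockname(), "max_conns": 1},
                     daemon=True).start()
    with socket.create_connection(fwd.getsockname(), timeout=5) as cl:
        cl.sendall(b"ping")
        reply = cl.recv(1024)
    echo.close()
    fwd.close()
    return reply


if __name__ == "__main__":
    print("source routing disabled:", source_routing_disabled())
    print("forwarded reply:", demo())
```

The two layers are independent on purpose: if the listener is ever started with bind_addr="0.0.0.0" by mistake, peer_allowed still refuses anything that did not come from loopback, and if the allow-list is widened to the internal LAN for the DMZ case, the interface bind still keeps the outside world from ever reaching the accept loop. The source-routing check only covers IPv4 on Linux; the per-interface settings under /proc/sys/net/ipv4/conf/*/ should all read 0 as well.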