[plug] unknown hosts

Leon Brooks leon at brooks.smileys.net
Tue Dec 12 10:07:34 WST 2000


Christian wrote:
> On Mon, Dec 11, 2000 at 12:57:27PM +0800, Leon Brooks wrote:
>> Steve Grasso wrote:
>>> On Sat, 09 Dec 2000, Leon Brooks wrote:
>>>> If you can't ssh into d3server from your gateway by hand, check the file
>>>> /etc/hosts.deny for a line saying ALL:ALL and if it's there, delete it.

>>> Hmm.....what's wrong with leaving ALL:ALL in hosts.deny, but adding
>>> sshd: ALL : ALLOW to hosts.allow?

>> Simpler, and makes other services go as well. Alex's box isn't running anything
>> that needs firewalling yet.

> This is the wrong attitude.  All services required should be
> specifically enabled.  Any suggestion to completely open a box up
> to get one thing working for the sake of simplicity is just as bad
> advice as suggesting using 'chmod 777' to share a file or solve some
> similar permissions problem.

Well, no. The box is only running a specific set of services. If the service is
not running, an intruder can't connect to it. None of the open services are
known to have holes. Further, the box is sitting on a LAN which has internet
access through a masq, so the world at large can't even see it.

And just to head off any suggestions about manically blocking every port in
sight, the machine operates as both a client and a server, so both outbound and
inbound (for FTP) connections via non-priv ports have to be allowed. If you
allow those, there's no real point in blocking off much else since any trojan
program (cracking tool) can make whatever outbound connects it likes, or listen
on high ports all it likes.

-- 
> "We have two ears and one mouth, so we may listen twice as much
> as we speak" Epictetus (Whoever he was)
Aha! This obviously explains many people's attitude to Usenet: "We
have ten fingers and two eyes, so we may type five times as much
drivel as we actually bother to read." -- Arthur Chance, on usenet
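Added example, not part of Leon's or Steve's posts: a small Python model of the tcp_wrappers decision order from hosts_access(5) (match in hosts.allow grants, then match in hosts.deny refuses, otherwise open), run against the two configurations argued about in the thread plus a LAN-only variant. Daemon names, host names and addresses are constructed for illustration; the EXCEPT operator, KNOWN/UNKNOWN/PARANOID wildcards and shell commands are not modelled.

```python
"""Toy evaluator for tcp_wrappers hosts.allow / hosts.deny semantics.

Added example (not code from the PLUG thread).  Implements the subset of
hosts_access(5) / hosts_options(5) needed for the thread's argument:
  1. A (daemon, client) pair matching an entry in hosts.allow is granted,
     unless the entry carries the extended-syntax option DENY.
  2. Otherwise a pair matching an entry in hosts.deny is refused,
     unless that entry carries the option ALLOW.
  3. Otherwise access is granted: no match anywhere means open.
Client patterns: ALL, LOCAL (hostname without a dot), exact host/address,
".domain" suffix, "192.168.1." prefix, and "net/mask".
"""
import ipaddress


def parse(text):
    """Parse access-control text into (daemons, clients, options) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed entry: {raw!r}")
        daemons = fields[0].split()
        clients = fields[1].split()
        options = [f.upper() for f in fields[2:]]  # e.g. ["ALLOW"] or ["DENY"]
        rules.append((daemons, clients, options))
    return rules


def client_matches(pattern, host, addr):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in host
    if "/" in pattern:                            # net/mask, dotted-quad mask
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(addr) in network
    if pattern.endswith("."):                     # address prefix
        return addr.startswith(pattern)
    if pattern.startswith("."):                   # domain suffix
        return host.endswith(pattern)
    return pattern in (host, addr)


def entry_matches(rule, daemon, host, addr):
    daemons, clients, _ = rule
    daemon_ok = "ALL" in daemons or daemon in daemons
    return daemon_ok and any(client_matches(p, host, addr) for p in clients)


def decide(allow_text, deny_text, daemon, host, addr):
    """Return True if the connection is granted, following hosts_access(5) order."""
    for rule in parse(allow_text):
        if entry_matches(rule, daemon, host, addr):
            return "DENY" not in rule[2]
    for rule in parse(deny_text):
        if entry_matches(rule, daemon, host, addr):
            return "ALLOW" in rule[2]
    return True                                   # nothing matched: wide open


# Constructed daemon list and configurations for the two positions in the thread.
DAEMONS = ["sshd", "in.ftpd", "in.telnetd"]
STEVE_ALLOW = "sshd: ALL : ALLOW\n"               # default deny, one service opened
STEVE_DENY = "ALL: ALL\n"
LEON_ALLOW = ""                                   # ALL:ALL deleted, nothing added
LEON_DENY = ""
LAN_ALLOW = "sshd: 192.168.1.0/255.255.255.0\nin.ftpd: LOCAL\n"  # tighter variant


def reachable(allow_text, deny_text, host, addr):
    """Daemons a given client can reach under a (hosts.allow, hosts.deny) pair."""
    return sorted(d for d in DAEMONS if decide(allow_text, deny_text, d, host, addr))


if __name__ == "__main__":
    for label, allow, deny in (("Steve", STEVE_ALLOW, STEVE_DENY),
                               ("Leon", LEON_ALLOW, LEON_DENY),
                               ("LAN-only", LAN_ALLOW, STEVE_DENY)):
        print(label, "gateway:", reachable(allow, deny, "gateway", "192.168.1.1"))
        print(label, "outside:", reachable(allow, deny, "host.example.net", "203.0.113.7"))
```

The difference between the two positions is the third rule: with `ALL: ALL` removed, every wrapped daemon that is running becomes reachable from any client, whereas keeping it and adding `sshd: ALL : ALLOW` leaves only sshd open. Note that tcp_wrappers mediates only services that consult libwrap (via tcpd from inetd, or daemons built against it), so it is an access list in front of those daemons, not a packet filter.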


