Is there any point to full host names in /etc/hosts ?

Discussion in 'Linux Networking' started by Rikishi 42, Nov 2, 2007.

  1. Rikishi 42

    Moe Trin Guest

    I don't use dnsmasq, either as a DNS or DHCP server, but that appears
    be the function of the '-s' option.
    I was assuming this was 'example.com' - but what do you do if the
    host that _should_ be 'bar.example.com' comes up claiming to be
    'foo.example.com'? Bear in mind that a lot of network cards will
    accept a '/sbin/ifconfig hw ether 01:02:03:04:05:06 eth0' command,
    and thus you can't trust the MAC address. If you are using a switched
    network, and the switch remembers which MAC/IP is on which port, it
    might cause problems, but few people hard-code their switches.
    I really haven't met anyone using 'r' commands over the Internet yet,
    but RFC2827 and RFC3704 (plus a minimum of common sense on the part
    of who-ever set up the local network) should eliminate that problem.
    Context is very important. Where I work, computers are not moving
    around, and we have an adequate number of IP addresses (no need for
    DHCP), and very few of our users have elevated privileges (makes a
    number of tricks harder to pull off). The networks are monitored, and
    punishment for malefactors is harsh. The "average" home user is
    in a different realm, lacking technical skills to configure their
    computer on the cable/DSL/telephone/what-ever connection their ISP
    provides. Much of the security depends on the way the ISP has things
    tightened down, but the results are the same - not much _local_
    spoofing. The problem occurs outside of these situations.

    As for a "safer" system, how about RFC3118 (possibly including
    RFC4030 if the local network needs this)?

    3118 Authentication for DHCP Messages. R. Droms, W. Arbaugh, Eds..
    June 2001. (Format: TXT=35536 bytes) (Status: PROPOSED STANDARD)

    4030 The Authentication Suboption for the Dynamic Host Configuration
    Protocol (DHCP) Relay Agent Option. M. Stapp, T. Lemon. March 2005.
    (Format: TXT=34332 bytes) (Status: PROPOSED STANDARD)

    I have no need for either, so have no experience to say whether or not
    this is the solution. Certainly a word search in the man page of
    dnsmasq fails to turn up a case-insensitive hit for 'authe'.

    Old guy
     
    Moe Trin, Nov 7, 2007
    #41
    1. Advertisements

  2. Rikishi 42

    Moe Trin Guest

    On Wed, 07 Nov 2007, in the Usenet newsgroup comp.os.linux.networking, in
    -A, --address=/<domain>/[domain/]<ipaddr>
    Specify an IP address to return for any host in the given
    domains. Queries in the domains are never forwarded and always
    replied to with the specified IP address which may be IPv4 or
    IPv6. To give both IPv4 and IPv6 addresses for a domain, use
    repeated -A flags. Note that /etc/hosts and DHCP leases override
    this for individual names. A common use of this is to redirect
    the entire doubleclick.net domain to some friendly local web
    server to avoid banner ads. The domain specification works in the
    same was as for --server, with the additional facility that /#/
    matches any domain. Thus --address=/#/1.2.3.4 will always return
    1.2.3.4 for any query not answered from /etc/hosts or DHCP and
    not sent to an upstream nameserver by a more specific --server
    directive.

    At least that's what it says on the man page I have ;-)
    I've had reports from my users who have run into this problem with their
    home installations. It's usually overly aggressive filtering/blocking on
    their part. I dunno about windoze - I stopped using that in 1992.
    Above - The man page I have is about 900 lines long, and the -A option
    is about line 250.
    Well, you could always set up a local proxy server (and block outbound
    access to port 80 from all but that server) and configure it to abuse the
    users who try to connect using IE... but you may not win many friends by
    doing so ;-)

    Old guy
     
    Moe Trin, Nov 7, 2007
    #42
    1. Advertisements

  3. Rikishi 42

    David Brown Guest

    I don't know how I missed that before, but the option is in my man page now!

    As far as I can see, the -H option works like a file full of -A lines,
    and is thus more convenient for me.
    I intend to set up a proxy server sometime (I'm going to test out squid
    with clamd virus scanning, at least for web-based email sites which
    bypass the normal email scanner). I'll log access by IE rather than
    block it (as the IT man, I have few enough friends...)

    mvh.,

    David
     
    David Brown, Nov 7, 2007
    #43
  4. Rikishi 42

    Send Guest


    Saying "His is fictional. Mine also exists on the net" implies you
    borrowed it "also exists on the net" does not infer that you purchased
    and registered the domain.

    You Said "He's added 2 of my PC's in the /etc/hosts of his laptop, for
    use when he visits and connects it to my LAN."


    Again "visits and connects it to my LAN" is not saying he is Physically
    in your home connecting wires to your router. he could just as easily
    be visiting and connecting to your LAN via the internet

    I suggest you spend less time Sleeping in "ENGLISH Class"
    State it more Prescisely! so it's not unclear
     
    Send, Nov 7, 2007
    #44
  5. Rikishi 42

    Moe Trin Guest

    On Wed, 07 Nov 2007, in the Usenet newsgroup comp.os.linux.networking, in
    I just grabbed the page off the 'net, as it's not installed on any of
    the systems here. The source appears to be
    http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html.
    That's one way to do it. Our DNS servers are updated via a dumb script
    that uses a file very much like the hosts file as a source, but it also
    creates the separate forward and reverse zones, and then kicks the
    primary name server to update things. We don't have external IPs in
    the zone files as we aren't authoritative for them.
    Why do you need web-based email sites? Doesn't your company run it's
    own mail system? Here, both Security and HR would be going ballistic
    if our users even tried accessing those sites, never mind attempting
    to do business through them. Company policy prohibits personal use of
    computers or network, which is why we've got "Employee Association"
    owned computers in the break areas and they're on a separate network
    completely isolated from the company.
    You have friends... Wow. ;-) Seriously, I'm lucky here as
    we don't use windoze at this facility - it's limited mainly to the
    corporate and the regional sales offices which are on different subnets
    thankfully. We also don't allow visiting computers. That eliminates a
    lot of network problems.

    Old guy
     
    Moe Trin, Nov 8, 2007
    #45
  6. Rikishi 42

    David Brown Guest

    You are in a much bigger company than ours, and with much stricter
    rules. There's always a certain amount of tradeoff between security and
    functionality and flexibility (the most secure computers have no network
    access of any kind, for example) - the trick is getting the maximum
    realistic security while still providing the functionality and
    flexibility you want for the users. Given the size of our company, and
    the openness and freedom we like to have, together with the technical
    abilities of the users (they are at least fairly competent, and have no
    problem following rules and guidelines), we have a rather different
    view. People are free to use browsers as they want, as long as they are
    responsible. Using non-IE browsers means they have to work harder to
    get malware onto their machines - having a virus scanner in the path
    would make it even harder.
    We have a wireless network for visiting computers, or other "unsafe"
    machines (such as laptops that may be used off-site).
     
    David Brown, Nov 8, 2007
    #46
  7. Rikishi 42

    david Guest

    Big or small, every company needs to worry about liability. So, what if
    one of your 'responsible' employees downloads some 'objectionable'
    material? If someone happens to see it, you're opening your company up
    for a harassment lawsuit. Sad to say, but it happens....
     
    david, Nov 8, 2007
    #47
  8. Rikishi 42

    Bit Twister Guest

    Responsible is no longer safe. Safe being a relative term.
    Black hats/crackers are cracking content servers to deliver their malware.
    With new malware generated every 20 minutes, just how safe could your
    virus scanner be. Saw a virus report where 600,000 know pieces of
    malware was used to test scanners. Best scanner result was somewhere
    around .7% missed. You do the math.

    Virus scanners are like seat belts, does pretty good depending on the crash.

    Think about it. AV vendors have to catch the malware, generate
    signature or modify the scanner, test it, move it to production, you
    have to download it. There is a 1 day to 1 week hole there at best.

    Malware coders are morphing the server strings which makes scanners
    pretty inefficient.

    AV vendors are scanning sites for malware. Malware vendors are using
    blacks lists to serve up malware if the ip is not in the AV vender
    black list. Makes it harder for the AV vendor to get a copy of the
    lastest malware.

    Here, http://sla.ckers.org/forum/read.php?3,44 click "Last" in the
    goto page bar and work backwards.
    Check the names of sites with holes in their code.

    Whats the worst that could happen on your site, malware gets a password
    sniffer installed and calls home.
    Black hat puts in some back doors, virus scanner cleans out sniffer.
    Your site is then used to spend a million or so dollars with stolen
    credit cards or funnel money to Alcadia, and your systems are hauled
    off to jail for a year or so. :-D

    Have you check on your lawyer's hourly rate lately.
     
    Bit Twister, Nov 8, 2007
    #48
  9. Rikishi 42

    Moe Trin Guest

    On Thu, 08 Nov 2007, in the Usenet newsgroup comp.os.linux.networking, in
    I was thinking you were using a web-based email sites for business.
    That doesn't give the right impression to customers.

    For _personal_ use, that is a decision the company management has to
    make. Yes, there is the obvious abuse situation (I visited a
    supplier recently, and noted one system in a technician's office that
    was displaying current stock exchange tickers - hardly an appropriate
    use).
    There is also a difference in the legal climate. In the USA, the mere
    hint of anything sexual _can_ bring on lawsuits - with the federal and
    state governments being interested parties. Most company legal staffs
    recommend a zero-tolerance on the part of management, just to avoid
    those legal problems.
    The employee association systems in break areas are all running the
    same basic Linux install as used locally. The employees are familiar
    with it and have no problems. The systems are set so that users can
    not save anything (the user's home directory is read-only) and there
    is no removable media. You can _read_ your personal mail, but you
    can't save it locally. This eliminates a LOT of problems.
    We're an R&D facility, so visiting computers are simply not allowed.
    Company systems that may come or go get a clean install each time.
    Sales people who visit either lock up the computers in lockers in
    the lobby, or use them only in the lobby. We don't even get usable
    cell-phone or radio/TV broadcast coverage in the buildings - which is
    a mixed joy.

    Paranoid? Who, us???

    Old guy
     
    Moe Trin, Nov 8, 2007
    #49
  10. Rikishi 42

    David Brown Guest

    With that level of paranoia, what's the point of having anything
    connected to the internet? You make it sound as though there are gangs
    of crackers working round the clock on ways to break into my networks,
    using a combination of essentially unrelated client and server attacks.

    In reality, client attacks (viruses by email, trojans by browser, etc.)
    and server attacks (exploiting weaknesses in web sites, etc.) are
    distinct, as are network attacks such as worms or ssh password cracking.
    They may be some connections (hacked servers used to spread trojans,
    etc.), but security methods are fundamentally different because you are
    dealing with different machines, different types of software, and
    different types of user.

    There are also different types of crackers. Some are just messing
    around for fun, others are attacking specific servers or users, and
    others want control of as many different machines as possible.

    For protection against script kiddies, the main thing is to protect
    against common and obvious flaws in the servers. If a script kiddie is
    trying to break into a ssh server, then strong passwords combined with
    limited connections per minute will foil them and they'll try a
    different victim. The same applies to organised groups - there are
    enough easily cracked systems around. Solid security measures such as
    minimising the software running on a server, isolating "risky" parts
    from more essential parts, etc., limit the risks. For my network, the
    risk of a targeted attack is negligible.

    As for email attacks such as viruses, it's important to combine striping
    of all windows executable files with virus checking of containers such
    as zip files, and to educate users about safe use. Similarly, for
    protecting against malware from browsers, user education (such as never
    use IE) is essential, and technical measures such as virus scanning or
    blocking known malware sites add an extra hurdle for the bad guys.

    All in all, security is a process of minimising the risks while giving
    the functionality users want (or as close to it as possible). You can
    never be entirely safe while connected in some way - but it's far from
    impossible to reach the point where network security is a minimal worry
    for a company or user.
     
    David Brown, Nov 11, 2007
    #50
  11. Rikishi 42

    David Brown Guest

    I absolutely agree - it's hard to take professionals seriously if they
    have gmail or hotmail email accounts (at least, for professionals in a
    technical area).
    Yes, that's a matter for administration. I don't make the law, I only
    enforce it.

    Here in Norway, there is not nearly the same sort of issues, and
    therefore there is no need for IT to worry about it.
    When you need a more controlled system (effectively treating the users
    as the general public), that makes a lot of sense. I know everyone in
    our company, so it's a very different scale.
    Just because you're paranoid, does not mean they're not out to get you.

    mvh.,

    David
     
    David Brown, Nov 11, 2007
    #51
  12. Rikishi 42

    david Guest

    And you think there aren't?
     
    david, Nov 11, 2007
    #52
  13. Rikishi 42

    Moe Trin Guest

    On Sun, 11 Nov 2007, in the Usenet newsgroup comp.os.linux.networking, in
    While to a minor extent, it's a "bandwidth" and "what are we paying
    you for" issue, there may be security issues as well. Our users do
    not have the permission to install software, so that issue is slightly
    reduced. Still, one has to be careful. I note that Bugtraq is reporting
    a Macintosh (OSX - but not sure which release) trojan - some pr0n site
    that gets the user to install a plugin to see the pictures better or
    something.
    Lawsuits are an all-to-common problem here. Even if the company wins
    in court, the plaintiff is rarely able to reimburse the wasted legal
    costs (lawyers are not cheap). It's a threat we live with.

    [employee association systems for "personal" use]
    It keeps the company out of the individual's personal business. It's
    also self-policing, as the employees themselves make sure the systems
    aren't abused.
    "When they _are_ out to get you, always check your paperwork."

    Old guy
     
    Moe Trin, Nov 12, 2007
    #53
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.