Re: client with "private" address
2004-03-09 20:58:26
Hi Frank,
The documentation for gethostbyaddr and gethostbyname explained how each
call goes about looking up addresses. At least under Linux, there were
several opportunities to "override" the default behavior and make the
routines consult /etc/hosts first.
In my particular case, there are only two "private" addresses that I
need to handle due to the amanda server and client having a direct
cross-over connection, for an unrelated purpose. For two IP addresses,
it really didn't seem worth it to set up a local DNS with forward and
reverse domains.
As for address spoofing, there are basically 2 scenarios that I can
think of:
1. idiot hacker causes some backup(s) to fail on one night, maybe a DoS,
but that's about the extent of it
2. hacker who knows about amanda, and has the right ports open to
intercept and capture the stream, possibly to steal sensitive data
#2 would probably be loads easier to do with just a run of the mill
sniffer that can capture streams, and the activity would be much less
likely to be detected. I can't see the benefit of impersonating the
amanda server, besides which it would cause loads of errors and send up
red flags that something was going on. Not to mention that if your data
is all that sensitive, you should really be encrypting the data on the
client and not sending it "in the clear" across the network, and the
systems should be behind a tight firewall if not disconnected from the
internet altogether.
I really can't imagine DNS spoofing being that big of a risk with
respect to amanda. Having the addresses "hard coded" in /etc/hosts and
looking at that and not the DNS should be more secure than relying on
DNS lookups crossing the network, which could be spoofed.
Frank Smith wrote:
I suspect that Amanda was designed to use hostnames in their disklists and
.amandahosts, and names are very easy to spoof, so the lookups are done
to verify that the correct host is connecting. I'm sure the code could be
modified to not do lookups if given an IP, but having proper DNS has many
other benefits than just helping Amanda.
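The host check the thread is discussing, as an added example that is not code from this thread or from Amanda: reverse-resolve the connecting address, require that the resulting name resolves back to the same address, and only then compare it with a .amandahosts-style allow list. The hosts table and allow list below are constructed for the example; `files_lookup` consults only that table (the "/etc/hosts first" behaviour the post describes), while `system_lookup` uses the real resolver and so follows whatever order nsswitch.conf configures.

```python
import socket

# Constructed /etc/hosts-style table (not from the thread) for the cross-over link.
HOSTS_TEXT = """
192.168.77.1   backup-server.example.test backup-server
192.168.77.2   backup-client.example.test backup-client
"""
# Constructed .amandahosts-style allow list of hostnames permitted to connect.
AMANDAHOSTS = {"backup-server.example.test"}

def parse_hosts(text):
    """Return (addr -> names, name -> addrs) maps from /etc/hosts-style text."""
    by_addr, by_name = {}, {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            by_addr.setdefault(fields[0], []).append(name)
            by_name.setdefault(name.lower(), []).append(fields[0])
    return by_addr, by_name

def files_lookup(text=HOSTS_TEXT):
    """gethostbyaddr/gethostbyname stand-ins that consult only the hosts table."""
    by_addr, by_name = parse_hosts(text)
    return (lambda a: by_addr.get(a, [None])[0],
            lambda n: by_name.get(n.lower(), []))

def system_lookup():
    """Same interface on the real resolver (follows the nsswitch.conf order)."""
    def guarded(fn, default):
        def call(arg):
            try:
                return fn(arg)
            except OSError:  # herror/gaierror: no such entry
                return default
        return call
    return (guarded(lambda a: socket.gethostbyaddr(a)[0], None),
            guarded(lambda n: socket.gethostbyname_ex(n)[2], []))

def confirmed_hostname(peer_addr, reverse, forward):
    """Reverse-resolve peer_addr, then require that name to resolve back to it."""
    name = reverse(peer_addr)
    if name is None or peer_addr not in forward(name):
        return None  # no reverse entry, or one that does not map back
    return name.lower()

def is_authorized(peer_addr, allowed=AMANDAHOSTS, lookup=files_lookup):
    """Accept a connection only if the forward-confirmed name is on the allow list."""
    name = confirmed_hostname(peer_addr, *lookup())
    return name is not None and name in allowed
```

A reverse record that points at an allowed name but whose forward lookup does not include the peer address is rejected, which is what makes the name check more than a bare PTR lookup.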