# TCP Wrapper: a bit less paranoid?



## stleric (Sep 23, 2011)

Hi,

I can't ssh into my FreeBSD (8.2) box from home.  The hang-up appears to be:

```
ALL : PARANOID : RFC931 20 : deny
```

My home machine connects via the SBC/ATT DSL pool and for whatever reason I think it's failing tcpd's anti-spoof test.  My question:  If I comment out the PARANOID rule am I giving up all that much security?  Also, out of curiosity, is this a common problem either with SBC/ATT in particular or with large DSL or cable providers in general?

TIA,
eric
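Added example, not part of eric's post or of the tcpd sources: a small Python reimplementation of the forward/reverse consistency test behind tcpd's PARANOID wildcard, so you can see exactly which clients the `ALL : PARANOID : ... : deny` line refuses and what commenting it out changes. The `_reverse_lookup`/`_forward_lookup` functions use the standard `socket` module against live DNS; the `demo_resolvers()` tables are constructed sample records (RFC 5737 documentation addresses and hypothetical names) that stand in for a consistent host, a DSL-pool address with a PTR but no A record, a PTR that claims someone else's name, and an address with no PTR at all. The `RFC931 20` ident lookup from the original rule is not modelled.

```python
"""PARANOID-style forward/reverse DNS consistency check, as tcpd applies it."""
import socket


def _reverse_lookup(ip):
    """PTR lookup: the name the address claims. None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return None


def _forward_lookup(name):
    """A/AAAA lookup of the claimed name; empty set when it does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()


def classify_client(ip, reverse=_reverse_lookup, forward=_forward_lookup):
    """Return (status, name) where status is one of:
       "ok"       - PTR exists and the name resolves back to ip (tcpd trusts the name)
       "unknown"  - no PTR at all (tcpd's UNKNOWN wildcard, not PARANOID)
       "paranoid" - PTR exists but its forward lookup does not include ip
                    (tcpd's PARANOID wildcard, the case the rule above denies)
    """
    name = reverse(ip)
    if name is None:
        return "unknown", None
    if ip in forward(name):
        return "ok", name
    return "paranoid", name


# Constructed sample records (RFC 5737 documentation addresses, hypothetical
# names) standing in for what a resolver would return. Not real hosts.
_CONSTRUCTED_PTR = {
    "192.0.2.10": "host10.example.net",        # consistent: A record points back
    "192.0.2.20": "adsl-20.pool.example.net",  # typical DSL pool: PTR but no A record
    "192.0.2.30": "www.example.org",           # PTR claims a name owned by another address
    # "192.0.2.40" has no PTR at all
}
_CONSTRUCTED_A = {
    "host10.example.net": {"192.0.2.10"},
    "www.example.org": {"203.0.113.5"},
}


def demo_resolvers():
    """Offline stand-ins for the two socket lookups, backed by the tables above."""
    return (lambda ip: _CONSTRUCTED_PTR.get(ip),
            lambda name: _CONSTRUCTED_A.get(name, set()))


def hosts_allow_decision(ip, paranoid_rule=True,
                         reverse=_reverse_lookup, forward=_forward_lookup):
    """Emulate the effect of `ALL : PARANOID : deny` on one client.
    With paranoid_rule=False (the line commented out) a mismatched client
    falls through to whatever later rules exist; assumed here to allow."""
    status, _ = classify_client(ip, reverse, forward)
    if paranoid_rule and status == "paranoid":
        return "deny"
    return "allow"


if __name__ == "__main__":
    rev, fwd = demo_resolvers()
    for client in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        status, name = classify_client(client, rev, fwd)
        print(f"{client:<12} {status:<9} {name or '-':<28} "
              f"rule on: {hosts_allow_decision(client, True, rev, fwd)}  "
              f"rule off: {hosts_allow_decision(client, False, rev, fwd)}")
```

Run it as-is to see the four constructed cases; call `classify_client("<your home address>")` with the default resolvers to test a real address against live DNS. Note that a missing PTR is classified "unknown" rather than "paranoid", which mirrors tcpd: the PARANOID wildcard only fires when a name is returned and then fails to resolve back, which is exactly the shape of most DSL/cable pool records.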


----------



## anomie (Sep 23, 2011)

IMO, as security mechanisms go, requiring matching DNS/rDNS lookups is pretty useful, but not crucial -- at least in the context you are describing. It's one layer in (what had better be) a multi-layered approach. 

FWIW, I have a large home cable provider (Time Warner), and mine match.


----------



## DutchDaemon (Sep 24, 2011)

In any case: non-matching A/PTR records cannot be seen as strong evidence of malicious intent, as most end-users don't have access to either or both. There are more ISPs with networks lacking matching records than there are doing their homework. And this includes "formal servers" like mail relays. Being PARANOID in your smtp blacklisting will cost you some otherwise fine email..


----------

