rsync - Dec 2001 - "hosts allow" secure?

How secure is "hosts allow"?

I have "hosts allow = bkup" in my rsyncd.conf. Then in /etc/hosts I
have:

64.29.16.235	bkup

This makes only 64.29.16.235 able to connect to rsync.

Could someone spoof their hostname somehow to trick rsync into letting
them in, though? e.g. If they reverse DNS says that they're called
"bkup".

On Sun, Dec 30, 2001 at 05:32:28AM -0500, Philip Mak
wrote:
> How secure is "hosts allow"?
It's not.
> I have "hosts allow = bkup" in my rsyncd.conf. Then in /etc/hosts
I have:
> 
> 64.29.16.235	bkup
> 
> This makes only 64.29.16.235 able to connect to rsync.
> 
> Could someone spoof their hostname somehow to trick rsync into letting
> them in, though? e.g. If they reverse DNS says that they're called
"bkup".
In general somebody could spoof the DNS, although not if you have it in
/etc/hosts like that (assuming /etc/nsswitch.conf is set to give priority
to files over dns).  If the bkup machine is on the same subnet in a secured
machine room, it's also pretty unlikely that somebody would be able to
hijack
a live session.  However, if you're going over a long distance network
it's
vulnerable.  There's no host verification or session integrity.  If you can,
use SSH.

This is really no different than tcp wrappers.

- Dave Dykstra