Subject: Time-windows for /etc/hosts.allow ?
To: None <firstname.lastname@example.org>
From: Louis Glassy <email@example.com>
Date: 12/12/1999 23:44:03
Suppose you could put time-windows on an entry in
hosts.allow. Do you think this would give any
practical security benefit?
The idea is, an ALLOW or DENY rule could have a time-window attached
to it, as in BEGIN_TIME..END_TIME, where each of these
time-windows (or "timespecs") could look like a date(1)
A hosts.allow file would have optional timespecs after the rules.
With both timespecs gone, it just means, "forever",
which is the current default behavior. Timespecs
could come in two flavors, an absolute timespec CCYYMMDDHHMM
and a relative timespec, in which some of the most
significant digits are missing. An open-ended timespec
would have to be an absolute one. Ergo
means, until 1999, Dec 29th, 12noon. and
means, after 1999, Dec 23rd, 2300 hrs. and
means, in that time frame (inclusive). and
is a relative timespec meaning, from noon to 2pm each day.
so you could put in rules like
sendmail: ALL: ALLOW: 1200..1400
saying, I accept sendmail connections from 12noon-2pm each day.
Perhaps you'd want to put a window on a DENY rule, as in
# when the army of darkness tries to break into my machine.
ALL: ALL: DENY: 2200..0800
If having time-windows on hosts.allow makes sense, I can already
do this by having a cron job rewrite the hosts.allow
as needed. This has the advantage of not requiring any
changes to userland proper. :-)
So.. question 1. Do you think there is any practical security benefit
to be had from time-windowing the access to a host?
question 2. If there is, is it better to do this with cron,
or by changing libwrap to read new (optional)
timespecs from the hosts.allow file?