Summary: Brainstorming needed: impact of changing hostname

From: sunhux G <sunhux_at_gmail.com>
Date: Thu May 29 2008 - 00:00:39 EDT
Thanks, the favourite replies follow:


==================
b) A properly configured firewall is the key defense against the outside world.
If a hacker has breached your network, a funny sounding name is not going
to slow him down.  He's going to do a port scan and figure out if this is an
ORACLE server or a file server.  Outsourced IT vendors & internal users are
hard to guard against.  If you are really paranoid about keeping them from
knowing details about the box, you could put the box in a DMZ and only expose
the services they absolutely require.  But again, there's a good chance that
one or more of the services they are exposed to will give away your OS anyway.

c) Hardening should be your first priority.  I would put all of
your effort into that.

===================

a) If your infrastructure is already running, I seriously discourage
renaming the boxes.  Some software licences key off the hostname.
Many not very smart programmers also hardcode the hostnames in their
code.  Some applications use the hostname for licensing too.
Changing hostnames can lead to pretty bad application outages.

===================


d) If you're really allowing telnet (not ssh) access, you likely
have larger security issues.

d) Secure your login banner page with a warning & don't use things
like "Welcome to company ABC" in it.


===================

a) Don't have any other "authoritative" sources to back that
up, but do they have any that claim it is high risk?

a) If I have a domain name, I can look up who registered
"example.com." If I have an IP, you're right, I can go
to ARIN, RIPE, APNIC, etc. and find out to whom the
space is registered.


b) There is no accepted secure naming convention that works for everyone.
The most "secure" naming convention would be random strings. But
that's not good for humans. If you make the names too hard, why
bother. It's just as easy to remember by IP address.


b) If you don't want people to know your organization name, should
  you have a website to begin with? Also, if your IP address is
  available via DNS, someone could use (say) nmap to give them MUCH
  more information about your system than they could get from a
  hostname.



============================================

To make it easier for the outside world to deal with, I use CNAMEs
to assign every host a second name indicating its function, e.g.

       Hostname
       banana          dns1.example.com
       apple           dns2.example.com
       ...             ...
       wyoming         mx1.example.com
       oregon          mx2.example.com

Note how this makes changes seamless: if I bring online a new DNS server
named "coconut" to replace "apple", then as long as the CNAME points to
the new host, the change is invisible.  NOTE CAREFULLY that MX records
must not point to CNAMEs, by the way.


> c)What's the system/network impact?


This is why you use CNAMEs.  It removes the need to change most of
this stuff, because you can just make the changes (a) on the host
and (b) in DNS, then everything else just works.

====================

  - Yes, CA Unicenter monitoring agent needs to be reinstalled
  - Yes, HP DataProtector needs to be reinstalled
  - will any OS patches (for Solaris, HPUX, Linux) need to be
        reinstalled?
    No, but some software licences depend on the hostname

====================


 For naming convention, it's recommended that the length not exceed 8
 characters, though it can go longer, as some existing applications/tools
 may not be able to support hostnames with more than 8 characters:
http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x2db614a24fd1d4118fef0090279cd0f9,00.html
http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0xc2b7d5fab40ed6118ff40090279cd0f9,00.html
  Using fruit/object names easily exceeds the 8 character limit

====================

One organization that has different geographical locations came up with this:
   sfwdp01a  (use lower case)
where
- "s" represents country (MNC uses this to identify where the server
            is located geographically)
- "fw" is the function (fw for firewall, dn for dns, sw for switch,
           ws for webserver, db for database server)
- "dp" is a code for the department that uses it (pb if public)
- 01/02 (just a numbering system in incrementing order)
- a or b  (if it's a cluster member, a for 1st member, b for 2nd ...)
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Thu May 29 00:01:51 2008
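
Added example (not part of the original post or of any reply): the CNAME reply above warns that MX records must not point to CNAMEs, a restriction stated in RFC 2181 section 10.3. This Python script checks a constructed zone fragment, built from that reply's host names, for exactly that mistake; the addresses, the MX lines and the simplified one-record-per-line `owner IN TYPE rdata` layout are assumptions.

```python
# Constructed zone fragment using the host names from the post. Addresses are
# RFC 5737 documentation values; mx1 is deliberately left as a CNAME alias.
ZONE = """\
$ORIGIN example.com.
banana    IN A      192.0.2.10
apple     IN A      192.0.2.11
wyoming   IN A      192.0.2.20
oregon    IN A      192.0.2.21
dns1      IN CNAME  banana
dns2      IN CNAME  apple
mx1       IN CNAME  wyoming   ; alias: must not be used as an MX target
mx2       IN A      192.0.2.21
@         IN MX     10 mx1
@         IN MX     20 mx2
"""

def fqdn(name, origin):
    """Expand a zone-file name to a lower-case absolute name."""
    if name == "@":
        return origin
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"

def parse(zone_text):
    """Return (cnames, mx): alias->target dict and [(owner, pref, exchange)].

    Assumes one record per line as 'owner IN TYPE rdata' with no TTL field.
    """
    origin, cnames, mx = ".", {}, []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()   # strip comments, tokenise
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1].lower()
            continue
        owner, _cls, rtype, *rdata = fields
        owner, rtype = fqdn(owner, origin), rtype.upper()
        if rtype == "CNAME":
            cnames[owner] = fqdn(rdata[0], origin)
        elif rtype == "MX":
            mx.append((owner, int(rdata[0]), fqdn(rdata[1], origin)))
    return cnames, mx

def mx_pointing_at_cname(zone_text):
    """List MX records whose exchange name is itself a CNAME owner."""
    cnames, mx = parse(zone_text)
    return [(o, p, ex, cnames[ex]) for o, p, ex in mx if ex in cnames]

if __name__ == "__main__":
    for owner, pref, exch, target in mx_pointing_at_cname(ZONE):
        print(f"{owner} MX {pref} {exch} is a CNAME for {target}; give {exch} an address record")
```

Giving `mx1` its own A record (as `mx2` has here) keeps the functional name while leaving the MX target a real host name.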