RE: Listening on specific interfaces
From: Ferguson, Steve
Subject: RE: Listening on specific interfaces
Date: Mon, 25 Aug 2003 16:09:12 -0400
I think the primary difference here is that with what cfservd has today, a
probing attacker can still learn that cfservd is running. Whereas with a
directed ability to bind to an interface, a potential attacker won't even
learn that cfservd is there.
If there's ever some sort of exploit published for cfengine, that difference
is key. Granted, there are lots of other ways to prevent cfservd from being
exploited, but most security gurus will tell you that the first rule is to
restrict what can be remotely detected. The less an attacker knows about
your hosts, the fewer potential points of entry he has to attack them.
Steve
> -----Original Message-----
> From: Mark.Burgess@iu.hio.no [mailto:Mark.Burgess@iu.hio.no]
> Sent: Monday, August 25, 2003 12:27 PM
> To: jwheeler@eb.com
> Cc: Mark.Burgess@iu.hio.no; help-cfengine@gnu.org
> Subject: Re: Listening on specific interfaces
>
>
>
> Cfservd already has this kind of access control. You don't need
> any more layers, I would say.
>
> M
>
>
> On 25 Aug, Wheeler, John wrote:
> > It might be nice to have this on hosts with lots of interfaces like in a
> > dmz. Otherwise you have to have something like tcp wrappers deny traffic
> > to the 5308 port on all interfaces but the control interface. It may
> > simplify things for some. It's potentially just another layer of
> > security.
> >
> > -----Original Message-----
> > From: Mark.Burgess@iu.hio.no [mailto:Mark.Burgess@iu.hio.no]
> > Sent: Monday, August 25, 2003 10:26 AM
> > To: Wheeler, John
> > Cc: Mark.Burgess@iu.hio.no; andre@digirati.com.br; help-cfengine@gnu.org
> > Subject: Re: Listening on specific interfaces
> >
> >
> > 0.0.0.0 is not a specific interface but a wildcard IP address. It means
> > "allow connections from any client". If you bind to a specific IP then
> > you might restrict to traffic from a single host, but is that very
> > useful?
> >
> > Mark
> >
> > On 25 Aug, Wheeler, John wrote:
> >> Maybe I'm confused, but in cfservd.c version 2.0.6 line 749 you set the
> >> interface to INADDR_ANY (below). I believe this means it will listen on
> >> any interface that's up, or more specifically 0.0.0.0(?). If someone is
> >> ambitious you could write a patch to have it listen on something from
> >> the config file.
> >>
> >> 744 #else
> >> 745
> >> 746 bzero(&sin,sizeof(sin));
> >> 747
> >> 748 sin.sin_port = (unsigned short)(port); /* Service returns network byte order */
> >> 749 sin.sin_addr.s_addr = INADDR_ANY;
> >> 750 sin.sin_family = AF_INET;
> >> 751
> >> 752 if ((sd = socket(AF_INET,SOCK_STREAM,0)) == -1)
> >> 753 {
> >> 754 CfLog(cferror,"Couldn't open socket","socket");
> >> 755 exit (1);
> >> 756 }
> >> 757
> >> 758 if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (char *) &yes, sizeof (int)) == -1)
> >> 759 {
> >> 760 CfLog(cferror,"Couldn't set socket options","sockopt");
> >> 761 exit (1);
> >>
> >> -----Original Message-----
> >> From: Mark.Burgess@iu.hio.no [mailto:Mark.Burgess@iu.hio.no]
> >> Sent: Saturday, August 23, 2003 3:51 PM
> >> To: andre@digirati.com.br
> >> Cc: help-cfengine@gnu.org
> >> Subject: Re: Listening on specific interfaces
> >>
> >>
> >>
> >> I think that this is a function of your operating system, rather than
> >> of cfengine. It is implementation dependent which interface gets bound
> >> to by the listen function.
> >>
> >> M
> >>
> >> On 22 Aug, Andre Nathan wrote:
> >>> Hi
> >>>
> >>> I have just installed cfengine for the first time on a test environment.
> >>> It's working fine for the simple tasks I configured, but I have one
> >>> doubt: currently, netstat shows "*:cfengine" in the "Local Address"
> >>> column when cfexecd is running. Is it possible to make it listen on one
> >>> interface only, when I'm using a dual homed host?
> >>>
> >>> Thanks in advance
> >>> Andre
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> Help-cfengine mailing list
> >>> Help-cfengine@gnu.org
> >>> http://mail.gnu.org/mailman/listinfo/help-cfengine
> >>
> >>
> >>
> >>
> >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >> Work: +47 22453272 Email: Mark.Burgess@iu.hio.no
> >> Fax : +47 22453205 WWW : http://www.iu.hio.no/~mark
> >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >>
> >
> >
>
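Added example (not code from cfengine, and not written by anyone in this thread) of the patch John sketches above: the listen address is taken from a hypothetical config value instead of being hard-wired to INADDR_ANY, "*" keeps today's wildcard behaviour, and a malformed value is rejected instead of silently falling back to listening on every interface. With a real address given, netstat shows that address rather than "*:cfengine", which is the "don't advertise the service on the DMZ side" effect Steve describes. The names fill_listen_addr, open_listener and bound_address, the "BindAddress" config key and the command-line argument are my assumptions; cfservd's CfLog and its config parser are not modelled.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Hypothetical helper: build the listen address from a config string.
 * bind_ip is a dotted-quad IPv4 address; NULL or "*" selects the
 * wildcard (INADDR_ANY), i.e. the current cfservd behaviour.
 * Returns 0 on success, -1 if the string is not a valid IPv4 address.
 */
int fill_listen_addr(const char *bind_ip, unsigned short port,
                     struct sockaddr_in *sin)
{
    memset(sin, 0, sizeof(*sin));
    sin->sin_family = AF_INET;
    sin->sin_port = htons(port);

    if (bind_ip == NULL || strcmp(bind_ip, "*") == 0) {
        sin->sin_addr.s_addr = htonl(INADDR_ANY);
        return 0;
    }
    /* A typo in the config must fail loudly; falling back to the
     * wildcard would quietly expose the port on every interface. */
    if (inet_pton(AF_INET, bind_ip, &sin->sin_addr) != 1)
        return -1;
    return 0;
}

/* Open a TCP listener on the configured address (assumed helper).
 * Returns the socket descriptor, or -1 with a message on stderr. */
int open_listener(const char *bind_ip, unsigned short port)
{
    struct sockaddr_in sin;
    int sd, yes = 1;

    if (fill_listen_addr(bind_ip, port, &sin) != 0) {
        fprintf(stderr, "bad BindAddress '%s' in config\n",
                bind_ip ? bind_ip : "(null)");
        return -1;
    }
    if ((sd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("socket");
        return -1;
    }
    if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof yes) == -1) {
        perror("setsockopt");
        close(sd);
        return -1;
    }
    if (bind(sd, (struct sockaddr *)&sin, sizeof sin) == -1) {
        perror("bind");
        close(sd);
        return -1;
    }
    if (listen(sd, 16) == -1) {
        perror("listen");
        close(sd);
        return -1;
    }
    return sd;
}

/* Report what the listener actually bound to, as netstat would show it
 * ("0.0.0.0" for the wildcard, otherwise the specific IP). */
int bound_address(int sd, char *buf, size_t buflen, unsigned short *port)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;

    if (getsockname(sd, (struct sockaddr *)&sin, &len) == -1)
        return -1;
    if (inet_ntop(AF_INET, &sin.sin_addr, buf, buflen) == NULL)
        return -1;
    *port = ntohs(sin.sin_port);
    return 0;
}

int main(int argc, char **argv)
{
    /* Usage: ./listener [bind-ip]   (default "*" = wildcard, port 5308) */
    const char *ip = argc > 1 ? argv[1] : "*";
    char shown[INET_ADDRSTRLEN];
    unsigned short p;
    int sd = open_listener(ip, 5308);

    if (sd == -1)
        return 1;
    if (bound_address(sd, shown, sizeof shown, &p) == 0)
        printf("listening on %s:%u\n", shown, p);
    close(sd);
    return 0;
}
```

Running it with the control interface's address as the argument gives a listener that only that interface's neighbours can reach; running it with no argument reproduces the current wildcard listener. Either way cfservd's own access control still applies on top, so this is the extra layer John and Steve are talking about, not a replacement for it.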