Re: [Nagios-devel] Re: Security Concerns about the nsca daemon
Posted: Wed Feb 22, 2006 2:16 am
On Wed, Feb 22, 2006 at 11:08:30AM +0100, Andreas Ericsson wrote:
> Marc Haber wrote:
> >And while we're at it, nsca should use tcp-wrappers itself so that it
> >can be tcp wrapped without having to add inetd to possible attack
> >vectors.
>
> Nopes. I could implement some basic tcp-wrappers-like thing in the nsca
> core, but I won't make it use tcp-wrappers.
Why? linking against libwrap is quite easy, I am told. Most programs I
am aware of control libwrap linking via ./configure option, so that
feature could be turned off if undesired.
> It'd be much better to do
> some simple firewalling anyway.
That's be one more line of defense. tcp wrappers can do much more than
simple filtering, such as logging ident and/or allowing access
depending on ident answer.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
> Marc Haber wrote:
> >And while we're at it, nsca should use tcp-wrappers itself so that it
> >can be tcp wrapped without having to add inetd to possible attack
> >vectors.
>
> Nopes. I could implement some basic tcp-wrappers-like thing in the nsca
> core, but I won't make it use tcp-wrappers.
Why? linking against libwrap is quite easy, I am told. Most programs I
am aware of control libwrap linking via ./configure option, so that
feature could be turned off if undesired.
> It'd be much better to do
> some simple firewalling anyway.
That's be one more line of defense. tcp wrappers can do much more than
simple filtering, such as logging ident and/or allowing access
depending on ident answer.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]