
RE: Listening on specific interfaces


From: Ferguson, Steve
Subject: RE: Listening on specific interfaces
Date: Mon, 25 Aug 2003 16:09:12 -0400

I think the primary difference here is that with what cfservd has today, a
probing attacker can still learn that cfservd is running.  Whereas with a
directed ability to bind to an interface, a potential attacker won't even
learn that cfservd is there.

If there's ever some sort of exploit published for cfengine, that difference
is key.  Granted, there are lots of other ways to prevent cfservd from being
exploited, but most security gurus will tell you that the first rule is to
restrict what can be remotely detected.  The less an attacker knows about
your hosts, the fewer potential points of entry he has to attack them.

Steve

> -----Original Message-----
> From: Mark.Burgess@iu.hio.no [mailto:Mark.Burgess@iu.hio.no]
> Sent: Monday, August 25, 2003 12:27 PM
> To: jwheeler@eb.com
> Cc: Mark.Burgess@iu.hio.no; help-cfengine@gnu.org
> Subject: Re: Listening on specific interfaces
> 
> 
> 
> Cfservd already has this kind of access control. You don't need
> any more layers, I would say.
> 
> M
> 
> 
> On 25 Aug, Wheeler, John wrote:
> > It might be nice to have this on hosts with lots of interfaces like in a
> > dmz. Otherwise you have to have something like tcp wrappers deny traffic
> > to the 5308 port on all interfaces but the control interface. It may
> > simplify things for some. It's potentially just another layer of
> > security.
> > 
> > -----Original Message-----
> > From: Mark.Burgess@iu.hio.no [mailto:Mark.Burgess@iu.hio.no] 
> > Sent: Monday, August 25, 2003 10:26 AM
> > To: Wheeler, John
> > Cc: Mark.Burgess@iu.hio.no; andre@digirati.com.br; 
> help-cfengine@gnu.org
> > Subject: Re: Listening on specific interfaces
> > 
> > 
> > 0.0.0.0 is not a specific interface but a wildcard IP address. It means
> > "allow connections from any client". If you bind to a specific IP then
> > you might restrict to traffic from a single host, but is that very
> > useful?
> > 
> > Mark
> > 
> > On 25 Aug, Wheeler, John wrote:
> >> Maybe I'm confused, but in cfservd.c version 2.0.6 line 749 you set the
> >> interface to INADDR_ANY (below). I believe this means it will listen on
> >> any interface that's up, or more specifically 0.0.0.0(?). If someone is
> >> ambitious you could write a patch to have it listen on something from
> >> the config file.
> >> 
> >>     744 #else
> >>     745
> >>     746 bzero(&sin,sizeof(sin));
> >>     747
> >>     748 sin.sin_port = (unsigned short)(port); /* Service returns network byte order */
> >>     749 sin.sin_addr.s_addr = INADDR_ANY;
> >>     750 sin.sin_family = AF_INET;
> >>     751
> >>     752 if ((sd = socket(AF_INET,SOCK_STREAM,0)) == -1)
> >>     753    {
> >>     754    CfLog(cferror,"Couldn't open socket","socket");
> >>     755    exit (1);
> >>     756    }
> >>     757
> >>     758 if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (char *) &yes, sizeof (int)) == -1)
> >>     759    {
> >>     760    CfLog(cferror,"Couldn't set socket options","sockopt");
> >>     761    exit (1);
> >> 
> >> -----Original Message-----
> >> From: Mark.Burgess@iu.hio.no [mailto:Mark.Burgess@iu.hio.no] 
> >> Sent: Saturday, August 23, 2003 3:51 PM
> >> To: andre@digirati.com.br
> >> Cc: help-cfengine@gnu.org
> >> Subject: Re: Listening on specific interfaces
> >> 
> >> 
> >> 
> >> I think that this is a function of your operating system, rather than
> >> of cfengine. It is implementation dependent which interface gets bound
> >> to by the listen function.
> >> 
> >> M
> >> 
> >> On 22 Aug, Andre Nathan wrote:
> >>> Hi
> >>> 
> >>> I have just installed cfengine for the first time on a test
> >>> environment. It's working fine for the simple tasks I configured, but
> >>> I have one doubt: currently, netstat shows "*:cfengine" in the
> >>> "Local Address" column when cfexecd is running. Is it possible to make
> >>> it listen on one interface only, when I'm using a dual homed host?
> >>> 
> >>> Thanks in advance
> >>> Andre
> >>> 
> >>> 
> >>> 
> >>> _______________________________________________
> >>> Help-cfengine mailing list
> >>> Help-cfengine@gnu.org
> >>> http://mail.gnu.org/mailman/listinfo/help-cfengine
> >> 
> >> 
> >> 
> >> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >> Work: +47 22453272            Email:  Mark.Burgess@iu.hio.no
> >> Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
> >> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



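The thread's technical question is what the quoted cfservd.c fragment would look like if the bind address came from the config file instead of being hard-coded to INADDR_ANY. The block below is an added example written for this page; it is not cfengine's code and the function names and the config value are hypothetical. It keeps the socket/setsockopt/bind/listen sequence of the quoted snippet, treats an unset or "0.0.0.0" value as the old wildcard behaviour, binds to any other valid IPv4 address, and rejects anything unparsable rather than silently falling back to all interfaces. With a specific address bound, the kernel refuses connections arriving on the other interfaces before cfservd's own access control ever sees them, which is the difference Steve's message is pointing at.

```c
/* Added example (not cfengine's code): build the listen address for a
 * cfservd-style daemon from a configured bind address instead of
 * hard-coding INADDR_ANY. Names and the config value are hypothetical. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define CFENGINE_PORT 5308  /* port mentioned in the thread */

/* Fill *out for bind(). cfg_addr is the (hypothetical) config-file value:
 * NULL/empty or "0.0.0.0" keeps the wildcard behaviour the thread describes
 * (listen on every interface); any other dotted quad selects that address;
 * anything unparsable is rejected so a typo cannot silently widen exposure. */
int make_listen_addr(const char *cfg_addr, unsigned short port,
                     struct sockaddr_in *out)
{
    memset(out, 0, sizeof *out);
    out->sin_family = AF_INET;
    out->sin_port = htons(port);
    if (cfg_addr == NULL || cfg_addr[0] == '\0') {
        out->sin_addr.s_addr = htonl(INADDR_ANY);
        return 0;
    }
    if (inet_pton(AF_INET, cfg_addr, &out->sin_addr) != 1)
        return -1;  /* fail closed: do not fall back to INADDR_ANY */
    return 0;
}

/* True when the address exposes the service on every interface. */
int addr_is_wildcard(const struct sockaddr_in *sa)
{
    return sa->sin_addr.s_addr == htonl(INADDR_ANY);
}

/* socket/setsockopt/bind/listen in the same order as the quoted cfservd.c,
 * but bound to *sa. Returns the listening socket or -1 on failure. */
int open_listener(const struct sockaddr_in *sa, int backlog)
{
    int yes = 1;
    int sd = socket(AF_INET, SOCK_STREAM, 0);
    if (sd == -1)
        return -1;
    if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof yes) == -1 ||
        bind(sd, (const struct sockaddr *)sa, sizeof *sa) == -1 ||
        listen(sd, backlog) == -1) {
        close(sd);
        return -1;
    }
    return sd;
}

int main(void)
{
    /* Constructed config values; 192.0.2.10 is a documentation address
     * standing in for the host's internal/control interface. */
    const char *configs[] = { NULL, "0.0.0.0", "192.0.2.10", "not-an-ip" };
    size_t i;
    for (i = 0; i < sizeof configs / sizeof configs[0]; i++) {
        struct sockaddr_in sa;
        char buf[INET_ADDRSTRLEN];
        const char *label = configs[i] ? configs[i] : "(unset)";
        if (make_listen_addr(configs[i], CFENGINE_PORT, &sa) != 0) {
            printf("%-12s rejected: not a valid IPv4 address\n", label);
            continue;
        }
        inet_ntop(AF_INET, &sa.sin_addr, buf, sizeof buf);
        printf("%-12s -> bind %s:%u%s\n", label, buf,
               (unsigned)ntohs(sa.sin_port),
               addr_is_wildcard(&sa) ? "  (all interfaces)" : "");
    }
    return 0;
}
```

Calling open_listener() with the address for the control interface is what changes the netstat output Andre asked about from "*:cfengine" to "<control-address>:cfengine"; the wildcard and reject cases are kept in make_listen_addr() so the two failure modes (unset value, mistyped value) are handled explicitly rather than both collapsing to "listen everywhere".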
