help-cfengine

RE: Listening on specific interfaces


From: Wheeler, John
Subject: RE: Listening on specific interfaces
Date: Wed, 27 Aug 2003 09:49:24 -0500

>So to everyone who has brought this up: I think this is a Red Herring.
>There is no advantage to binding to any other address. As for listening
>on only a single interface -- I just don't know how to do that.

Respectfully, I don't think that the 5+ people that understand the issue
are misguided. 

I'll try my best to make the issue more clear (basically rephrasing my
and others' arguments).

First (and probably the most important), binding to a specific address
for multihomed hosts provides a level of protection that cfservd CANNOT
provide. The reason for this is simple: if I have a host that has one
interface on the internet, and one that is not (probably on a corporate,
non-routable address), a hacker could easily use something like nmap to
determine if cfservd is running. This forensic information, if an exploit
is available, could allow me to attack the host. Worse yet, even if I'm
not a clever hacker, I could fire useless traffic at this port and
possibly crash the server, or at least keep it busy. The only thing
cfservd can do at this point is examine the packet at the application
level and discard it, assuming there is not a buffer overflow problem.

Some would argue that a firewall or tcp wrappers could prevent internet
traffic from hitting this port. This is true, which is why I indicated
in my first message that this change would simply add a layer of
security it does not already possess.

>Servers generally bind to 0.0.0.0 which means, I'm accepting traffic
>from anyone in principle.

This is untrue, and I'd actually argue the opposite. Not being
judgmental, but this may be the source of your confusion. I specifically
bind both tomcat and apache to specific addresses for load balancing. It
simplifies load balancing configuration, moving and expanding sites,
configuration management, etc.

If the need for this is still not clear, please read up on why any
server binds to an IP address. The security implications are paramount
and this generally accepted security practice is something cfengine
could use.
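The difference the message argues for, shown as an added example that is not part of the thread and not cfengine code: a listener bound to 0.0.0.0 answers on every address of the host, while one bound to a single address is unreachable (and so invisible to a port scan) on the others. It assumes 127.0.0.1 and 127.0.0.2 as stand-ins for the internal and internet-facing interfaces; 127.0.0.2 is routable on the Linux loopback by default.

```python
import socket

# Constructed demo addresses: 127.0.0.1 plays the internal (corporate) interface,
# 127.0.0.2 plays the internet-facing one. Both live on loopback on Linux.
INTERNAL = "127.0.0.1"
EXTERNAL = "127.0.0.2"


def start_listener(bind_addr):
    """Bind a TCP listener to bind_addr on an ephemeral port; return (socket, port).

    A listening socket completes handshakes in the kernel, so no accept()
    loop is needed for a probe to see the port as open.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def reachable(host, port, timeout=1.0):
    """True if a TCP connect to host:port succeeds, i.e. what a port scan reports."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposure(bind_addr, probe_addrs=(INTERNAL, EXTERNAL)):
    """Start a listener bound to bind_addr and report which addresses can reach it.

    Returns a dict {probe_address: reachable}. A wildcard bind is reachable on
    every address the host owns; a bind to INTERNAL is refused on EXTERNAL.
    """
    srv, port = start_listener(bind_addr)
    try:
        return {addr: reachable(addr, port) for addr in probe_addrs}
    finally:
        srv.close()


if __name__ == "__main__":
    for bind in ("0.0.0.0", INTERNAL):
        print(f"bound to {bind}: {exposure(bind)}")
```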
