[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Disable ZeroConf: how to ?

On Thu, Mar 03, 2011 at 01:43:19PM +0100, Bastien ROUCARIES wrote:
> On Thu, Mar 3, 2011 at 1:31 PM, Olaf van der Spek <olafvdspek@gmail.com> wrote:
> > On Thu, Mar 3, 2011 at 1:16 PM, Lars Wirzenius <liw@liw.fi> wrote:
> >> On to, 2011-03-03 at 12:47 +0100, Bastien ROUCARIES wrote:
> >>> some package announce their existance to the world without any admin decision!
> >>> It is not a fud  and a security hole!
> >>
> >> That's a vague generality... which packages? You mentioned phpmyadmin.
> >> What are the actual problems that results from this announcement? What
> >> bad things happen from it? Can the fact that you have phpmyadmin become
> >> known to an attacker via port scanning, or similar techniques? If so,
> >> does it matter if phpmyadmin also announces things via avahi? What do
> >> you suggest as a solution? Would a blanket policy of having all services
> >> to default to not announce themselves? What would the problems from such
> >> a policy be?
> >>
> >> (I don't know much about this stuff, and I don't particularly care, but
> >> it'd be nice if we could turn the discussion into a constructive one.)
> >
> > Windows has the concept of home / private and public networks. On
> > public networks, sharing gets disabled.
> > Such a concept would be good for this situation as well. Let the user
> > indicate what type of network he is on and what type of services
> > should be opened to that network.
> 
> The last bug is not about this, it is I have a phpmyadmin running as
> www user and I announce I run it.
> 
> Not really good to give the path to phpmyadmin (that is running by
> admin decission)

Zeroconf announce doesn't make it less secure, it makes it slightly more
discoverable, but not significantly so.

Conversely, believing that not announcing through zeroconf is more
secure is probably good for your self confidence but doesn't change
anything about actual security of your system.

Script kiddies will actually scan a network, find web servers, and
test a bunch of urls, in which the default phpmyadmin path most
probably appears.

And if your phpmyadmin is exploited, it won't be because of zeroconf,
it will be because of your weak password, of a security issue in
phpmyadmin, or something else.

Mike
Reply to: