
Re: Disable ZeroConf: how to ?



On Thu, Mar 3, 2011 at 2:35 PM, Mike Hommey <mh@glandium.org> wrote:
> On Thu, Mar 03, 2011 at 01:43:19PM +0100, Bastien ROUCARIES wrote:
>> On Thu, Mar 3, 2011 at 1:31 PM, Olaf van der Spek <olafvdspek@gmail.com> wrote:
>> > On Thu, Mar 3, 2011 at 1:16 PM, Lars Wirzenius <liw@liw.fi> wrote:
>> >> On to, 2011-03-03 at 12:47 +0100, Bastien ROUCARIES wrote:
>> >>> some packages announce their existence to the world without any admin decision!
>> >>> It is not FUD, it is a security hole!
>> >>
>> >> That's a vague generality... which packages? You mentioned phpmyadmin.
>> >> What are the actual problems that result from this announcement? What
>> >> bad things happen from it? Can the fact that you have phpmyadmin become
>> >> known to an attacker via port scanning, or similar techniques? If so,
>> >> does it matter if phpmyadmin also announces things via avahi? What do
>> >> you suggest as a solution? Would a blanket policy of having all services
>> >> default to not announce themselves? What would the problems from such
>> >> a policy be?
>> >>
>> >> (I don't know much about this stuff, and I don't particularly care, but
>> >> it'd be nice if we could turn the discussion into a constructive one.)
>> >
>> > Windows has the concept of home / private and public networks. On
>> > public networks, sharing gets disabled.
>> > Such a concept would be good for this situation as well. Let the user
>> > indicate what type of network he is on and what type of services
>> > should be opened to that network.
>>
>> The last bug is not about this, it is that I have a phpmyadmin running as
>> the www user and I announce that I run it.
>>
>> Not really good to give the path to phpmyadmin (that is running by
>> admin decision)
>
> Zeroconf announce doesn't make it less secure, it makes it slightly more
> discoverable, but not significantly so.

I disagree on the second part: it allows faster discovery of attack
targets and makes script kiddies less detectable...

> Conversely, believing that not announcing through zeroconf is more
> secure is probably good for your self confidence but doesn't change
> anything about actual security of your system.

It will ease the work of script kiddies.

> Script kiddies will actually scan a network, find web servers, and
> test a bunch of urls, in which the default phpmyadmin path most
> probably appears.
>
> And if your phpmyadmin is exploited, it won't be because of zeroconf,
> it will be because of your weak password, of a security issue in
> phpmyadmin, or something else.

For sure, but I really dislike helping script kiddies. We do not return
the full version of some software for this reason, and not announcing
the software available and the location of administrative stuff slows
down exploits.

Bastien
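As an added defender-side check, not code from this thread or from the Avahi or Debian projects: a small Python audit that parses an Avahi service file of the kind the discussion is about together with a daemon config, and reports what the host would announce unless `disable-publishing` in `/etc/avahi/avahi-daemon.conf` is set to `yes`. The file format and the `disable-publishing` option are Avahi's own; the sample contents below are constructed for the example.

```python
import configparser
import xml.etree.ElementTree as ET

# Constructed sample in Avahi's /etc/avahi/services/*.service format
# (the format is Avahi's; this particular file content is made up here).
SAMPLE_SERVICE_FILE = """<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
  <name replace-wildcards="yes">phpMyAdmin on %h</name>
  <service>
    <type>_http._tcp</type>
    <port>80</port>
    <txt-record>path=/phpmyadmin</txt-record>
  </service>
</service-group>
"""

# Constructed sample of /etc/avahi/avahi-daemon.conf; disable-publishing
# is Avahi's real [publish] option, the remaining content is made up.
SAMPLE_DAEMON_CONF = """[server]
use-ipv4=yes

[publish]
disable-publishing=no
"""

def announced_services(service_xml):
    """Parse one Avahi service file into a list of announced service dicts."""
    root = ET.fromstring(service_xml)
    name = root.findtext("name", default="")
    found = []
    for svc in root.findall("service"):
        # TXT records are where details such as path=/phpmyadmin end up.
        txt = ";".join(t.text or "" for t in svc.findall("txt-record"))
        found.append({"name": name, "type": svc.findtext("type", default=""),
                      "port": svc.findtext("port", default=""), "txt": txt})
    return found

def publishing_disabled(conf_text):
    """True when the daemon config turns off all mDNS/DNS-SD publishing."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.get("publish", "disable-publishing", fallback="no").lower() == "yes"

def audit(service_xml, conf_text):
    """Findings: what this host would announce, given its daemon config."""
    if publishing_disabled(conf_text):
        return []  # nothing is published, whatever the service files say
    return ["%s port %s (%s) txt=%s" % (s["type"], s["port"], s["name"], s["txt"])
            for s in announced_services(service_xml)]
```

On a real host, feed `audit` the contents of each file under `/etc/avahi/services/` and of `/etc/avahi/avahi-daemon.conf` to see which services and paths the machine advertises on the local network.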
