Date: Fri, 12 May 2006 16:16:48 -0700
From: Jeremy Chadwick <freebsd@jdc.parodius.com>
To: freebsd-ports@freebsd.org
Subject: Re: FreeBSD Port: poppassd-4.0_2
Message-ID: <20060512231648.GA63826@pentarou.parodius.com>
In-Reply-To: <dd964322538e85ef91e2d0168653200d@ugh.net.au>
References: <4464F565.30807@calarts.edu> <dd964322538e85ef91e2d0168653200d@ugh.net.au>
On Fri, May 12, 2006 at 11:49:15PM +0100, Andrew wrote:
> On 12/05/2006, at 9:51 PM, Sean Murphy wrote:
> > is there any way to restrict this daemon to listen only on 127.0.0.1
> > local host?
>
> poppassd is called by inetd so that's where you need to look. The
> easiest method would probably be to use tcp wrappers. See the inetd man
> page for details but basically run inetd with -w and edit
> /etc/hosts.allow.

tcpwrappers should not be relied upon in any way, shape or form for
security. Application-level IP checking should only be used as a last
resort.

Why? Because for tcpwrappers to work, the client has to already have an
established TCP or UDP socket. By then it's too late -- the socket has
already been established, which means the attacker, at a bare minimum,
knows what service(s) you're running on your machine. Not good. :-)

If poppassd can't run as a daemon and bind to a specific interface or IP
itself (and must run under inetd), then I'd recommend replacing inetd on
your systems with xinetd -- which does offer per-service per-interface
binding (inetd offers interface binding via the -a flag, but for all
services).

Simple security rule: do not bind to an interface or IP which you do not
want to receive (insert-service-here) packets via.

-- 
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                 Mountain View, CA, USA |
| Making life hard for others since 1977.                           |
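The per-service binding Jeremy describes, written out as an xinetd service entry for poppassd. This is an added example, not configuration from the thread or from the FreeBSD port; the server path /usr/local/libexec/poppassd and the "poppassd" service name (which must resolve to a port via /etc/services) are assumptions.

```conf
# xinetd entry for poppassd listening on the loopback address only.
# Constructed example: adjust "server" to where the port installs the
# binary and make sure "poppassd" exists in /etc/services.
service poppassd
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/local/libexec/poppassd

    # The listening socket exists only on 127.0.0.1, so a remote host
    # never completes a TCP handshake and cannot learn the service is
    # there. This is the difference from tcp wrappers, which only act
    # after the connection has already been accepted.
    bind        = 127.0.0.1

    # Defence in depth: xinetd's own source filter on top of the bind,
    # so a mistake in "bind" (e.g. 0.0.0.0) still does not expose it.
    only_from   = 127.0.0.1

    disable     = no
}

# Check after restarting xinetd: the listener should appear on
# 127.0.0.1 only, never on an external address.
#   sockstat -4 -l | grep xinetd
```

With stock inetd the closest equivalent is `inetd_flags="-wW -a 127.0.0.1"` in /etc/rc.conf, but as the message notes -a applies to every service inetd runs, not just poppassd.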