FreeBSD Port: poppassd-4.0_2
Jeremy Chadwick
freebsd at jdc.parodius.com
Fri May 12 23:16:49 UTC 2006
On Fri, May 12, 2006 at 11:49:15PM +0100, Andrew wrote:
> On 12/05/2006, at 9:51 PM, Sean Murphy wrote:
> >is there any way to restrict this daemon to listen only on 127.0.0.1
> >local host?
>
> poppassd is called by inetd so that's where you need to look. The
> easiest method would probably be to use tcp wrappers. See the inetd man
> page for details but basically run inetd with -w and edit
> /etc/hosts.allow.
tcpwrappers should not be relied upon in any way shape or form for
security. Application-level IP checking should only be used as a
last resort. Why? Because for tcpwrappers to work, the client has
to already have an established TCP or UDP socket. By then it's too
late -- the socket has already been established, which means the
attacker, at a bare minimum, knows what service(s) you're running on
your machine. Not good. :-)
If poppassd can't run as a daemon and bind to a specific interface or
IP itself (and must run under inetd), then I'd recommend replacing
inetd on your systems with xinetd -- which does offer per-service
per-interface binding (inetd offers interface binding via the -a flag,
but for all services).
Simple security rule: do not bind to an interface or IP which you do
not want to receive (insert-service-here) packets via.
--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. |
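What the two approaches in this thread look like on disk, as an added example that is neither the poppassd port's own configuration nor anything the posters supplied: an xinetd service definition that creates the poppassd listener on the loopback address only (the per-service binding Jeremy refers to), followed by the hosts.allow rules that the inetd -w route would use instead. The xinetd file path, the server binary location and the daemon name used by tcp wrappers are assumptions; check the port's pkg-plist and your inetd.conf entry for the real values.

```conf
# /usr/local/etc/xinetd.d/poppassd  (assumed path; xinetd from ports)
service poppassd
{
    disable     = no
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    # assumed location of the port's binary; verify with pkg-plist
    server      = /usr/local/libexec/poppassd
    # The listening socket itself is created on 127.0.0.1, so a client on
    # any other interface never completes a TCP handshake and a port scan
    # from the network does not see the service at all.
    bind        = 127.0.0.1
}

# /etc/hosts.allow rules for the inetd -w alternative.  The daemon name
# must match the server-program-name field of the inetd.conf entry
# (assumed here to be "poppassd").  Note that these rules are evaluated
# after accept(), so the listener stays visible on every interface.
poppassd : 127.0.0.1 : allow
poppassd : ALL : deny
```

After restarting xinetd, `sockstat -4l` on FreeBSD should show the poppassd port (106/tcp in /etc/services) bound to 127.0.0.1 rather than *.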
More information about the freebsd-ports mailing list