Security Concerns about the nsca daemon

Marc Haber mh+nagios-devel at zugschlus.de
Wed Feb 22 11:16:46 CET 2006


On Wed, Feb 22, 2006 at 11:08:30AM +0100, Andreas Ericsson wrote:
> Marc Haber wrote:
> >And while we're at it, nsca should use tcp-wrappers itself so that it
> >can be tcp wrapped without having to add inetd to possible attack
> >vectors.
> 
> Nopes. I could implement some basic tcp-wrappers-like thing in the nsca 
> core, but I won't make it use tcp-wrappers.

Why? linking against libwrap is quite easy, I am told. Most programs I
am aware of control libwrap linking via ./configure option, so that
feature could be turned off if undesired.

> It'd be much better to do 
> some simple firewalling anyway.

That's be one more line of defense. tcp wrappers can do much more than
simple filtering, such as logging ident and/or allowing access
depending on ident answer.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642




More information about the Developers mailing list