From: Nicolai L. <ja...@li...> - 2006-10-26 07:17:05
Magnus Larsson wrote:
> Hi!
>
> I have Munin installed on a web server (Debian sarge installation), to
> monitor the server's disks, system etc. It does not monitor any other
> machines, just this localhost. My question now is about how much of a
> security risk this is. It seems that port 4949 is open, even though I
> have set munin.conf to only listen to localhost (127.0.0.1). "Open"
> means that on a portscan, the network administrators at my university
> get a hit on 4949 without any information about what server there is.

Munin-node does not bind any specific address, so it listens on all IP
interfaces. When you say this in munin-node.conf:

allow ^127\.0\.0\.1$

it is an IP access list. So even if the port completes a SYN/ACK handshake,
the server will not respond to any commands.

> So: is it a vulnerability to leave it this way? Or is there a way to

This leads to two answers:

1. Not really
2. Yes, it's silly

It will be fixed; we have bugs for both the listen address of munin-node
and the origin address of munin-update.

> shut this port down from the network, by changing configuration of
> munin? Or should I configure iptables to shut it down?

Using iptables to make the port unavailable would work.

Also note that the web URLs that munin lives at are also not protected.
This has been fixed in 1.3.3rc, which I am working on now.

Nicolai
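The behaviour Nicolai describes (the daemon accepts the TCP handshake on every interface and only afterwards checks the peer against the `allow` regexes) is easy to misread from a port scan, so here is a small added simulation of it. This is example code written for this page, not munin's own code: the fake node implements only the connect-time access check, the greeting banner and a `list` command, and the plugin names and hostname in it are constructed. It also shows why the `allow` value must be anchored and its dots escaped, since munin-node treats it as a regular expression rather than as an address.

```python
"""Simulate the munin-node behaviour discussed in the thread: bind to all
interfaces, complete the handshake for anyone, then consult the `allow`
list before saying a word.  Added example, not munin's code; the fake
node's banner hostname, plugin list and command set are assumptions."""
import re
import socket
import threading

MUNIN_PORT = 4949  # munin-node's default port; the fake node uses an ephemeral one
BANNER = b"# munin node at demo.example\n"  # shape of the real greeting; hostname made up


def allowed(peer_ip, allow_patterns):
    """munin-node semantics: every `allow` line is a regex; any match admits the peer."""
    return any(re.search(pattern, peer_ip) for pattern in allow_patterns)


def _serve(listener, allow_patterns, stop):
    """Accept loop of the fake node.  A rejected peer gets the FIN and nothing else."""
    listener.settimeout(0.2)
    while not stop.is_set():
        try:
            conn, (peer_ip, _) = listener.accept()
        except socket.timeout:
            continue
        with conn:
            if not allowed(peer_ip, allow_patterns):
                continue  # handshake already done; hang up without responding
            conn.sendall(BANNER)
            for line in conn.makefile("rb"):
                cmd = line.strip()
                if cmd == b"list":
                    conn.sendall(b"cpu df load\n")  # constructed plugin list
                elif cmd == b"quit":
                    break
                else:
                    conn.sendall(b"# Unknown command. Try list or quit\n")


def start_fake_node(allow_patterns, bind_addr="0.0.0.0"):
    """Bind the way munin-node 1.2 did (all interfaces) and serve in a thread.
    Returns (port, stop_function)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind_addr, 0))
    listener.listen(5)
    port = listener.getsockname()[1]
    stop = threading.Event()
    worker = threading.Thread(target=_serve, args=(listener, allow_patterns, stop), daemon=True)
    worker.start()

    def stop_node():
        stop.set()
        worker.join()
        listener.close()

    return port, stop_node


def probe(host, port, timeout=1.0):
    """What a port scanner followed by a manual `nc host 4949` + `list` sees.
    'open' is the handshake result; 'banner' and 'list_reply' are what the node said."""
    result = {"open": False, "banner": b"", "list_reply": b""}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return result
    result["open"] = True
    with sock:
        sock.settimeout(timeout)
        try:
            result["banner"] = sock.recv(256)
            if result["banner"]:
                sock.sendall(b"list\n")
                result["list_reply"] = sock.recv(256)
        except OSError:
            pass  # timeout or reset: a node that rejected us says nothing
    return result


def demo(allow_patterns):
    """Run one fake node with the given allow list and probe it from 127.0.0.1."""
    port, stop_node = start_fake_node(allow_patterns)
    try:
        return probe("127.0.0.1", port)
    finally:
        stop_node()


if __name__ == "__main__":
    print("allowed from localhost:", demo([r"^127\.0\.0\.1$"]))
    print("denied from localhost: ", demo([r"^10\."]))
```

With the localhost-only pattern the probe reports the port open, the banner and a plugin list; with a pattern that does not match 127.0.0.1 it still reports the port open (which is all a scanner ever sees) but gets no banner and no reply. The firewall answer from the thread then reads, on a Linux host, as `iptables -A INPUT -p tcp --dport 4949 -s 127.0.0.1 -j ACCEPT` followed by `iptables -A INPUT -p tcp --dport 4949 -j DROP`, after which even the handshake fails and the port stops showing up in scans.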