On Jul 22, 2011, at 4:51 PM, Nathan Gibbs wrote:
> On 7/22/2011 5:46 PM, Chuck Swiger wrote:
>> On Jul 22, 2011, at 2:39 PM, Nathan Gibbs wrote:
>>> Does clamd have any form of network access control? For instance
>>> limiting what IP's can connect.
>>
>> By default, you're either using a local Unix domain socket associated
>> with a path like /var/run/clamav/clamd, or a TCP socket bound to
>> localhost aka 127.0.0.1. If you change things to bind to a routable
>> IP, then you should implement appropriate firewall rules to manage
>> access to clamd.
>
> Right, Firewalls should be the first line of defense.

Actually, not running insecure software is better than trying to defend vulnerable software. If your network is only secure because of the firewall, you're actually highly vulnerable to situations where a route around the firewall is added-- say someone adds a wireless access point (or connects a compromised laptop with wireless) to the network.

> Now if somebody did set clamd up to bind to a routable IP and
> misconfigured the firewall
> :-(
> or God forbid didn't have a firewall.
> :-0
> or, say the firewalls are configured to policy, and a hired pen tester,
> or rogue employee who has access to the network, decides to mess with clamd.
> ]:->
>
> Then what?

Then you find someone more qualified to deploy and secure Internet-accessible services. Clamd will be remotely accessible, constituting easy DoS potential of the scanner and offering the possibility of a remote exploit with the permissions that clamd runs as, although the ClamAV folks do fix known exploits and have mechanisms in place to block new exploits, either by adding a raw signature that matches the exploit before the vulnerable module sees it, or by disabling the buggy module via daily CVD updates.

>> (tcpwrappers is a possible solution, but many platforms also have
>> IPFW, PF, or similar available.)
>>
>
> Does clamd support tcpwrappers?

It looks like clamav-milter does, but not clamd itself.

> Are there any other access control mechanisms.

Yes.

Regards,
-- 
-Chuck
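The listener choices discussed in this message (Unix socket, loopback TCP, routable TCP) can be checked mechanically. The script below is an added example, not part of the original thread or of ClamAV; it assumes the clamd.conf directive names LocalSocket, TCPSocket and TCPAddr, treats a TCPSocket with no TCPAddr as listening on all addresses, and uses constructed sample configurations.

```python
import ipaddress

# Constructed sample configurations (not taken from the thread).
SAMPLE_LOCAL = "# clamd.conf\nLocalSocket /var/run/clamav/clamd\n"
SAMPLE_LOOPBACK = "TCPSocket 3310\nTCPAddr 127.0.0.1\n"
SAMPLE_ROUTABLE = "TCPSocket 3310\nTCPAddr 192.0.2.10\n"
SAMPLE_ANY = "TCPSocket 3310\n"


def parse_directives(text):
    """Return {directive: [values]} from clamd.conf-style 'Key value' lines."""
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        directives.setdefault(key, []).append(value.strip())
    return directives


def audit_listeners(text):
    """Classify each clamd listener; returns a list of (severity, message)."""
    d = parse_directives(text)
    findings = []
    for path in d.get("LocalSocket", []):
        findings.append(("ok", f"Unix socket {path}: local processes only"))
    if "TCPSocket" not in d:
        return findings
    port = d["TCPSocket"][-1]
    addrs = d.get("TCPAddr", [])
    if not addrs:
        # Assumption: with no TCPAddr, clamd listens on every interface.
        findings.append(("warn", f"TCP {port} on all addresses: firewall required"))
    for addr in addrs:
        try:
            loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:  # hostname rather than an IP literal
            loopback = addr == "localhost"
        if loopback:
            findings.append(("ok", f"TCP {addr}:{port}: loopback only"))
        else:
            findings.append(("warn", f"TCP {addr}:{port}: firewall required"))
    return findings


if __name__ == "__main__":
    for cfg in (SAMPLE_LOCAL, SAMPLE_LOOPBACK, SAMPLE_ROUTABLE, SAMPLE_ANY):
        print(audit_listeners(cfg))
```

A "warn" finding means clamd's own configuration provides no restriction for that listener, so access depends entirely on packet filtering in front of it.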
