On 07/22/11 19:51, Nathan Gibbs wrote:
> On 7/22/2011 5:46 PM, Chuck Swiger wrote:
>> On Jul 22, 2011, at 2:39 PM, Nathan Gibbs wrote:
>>> Does clamd have any form of network access control? For instance
>>> limiting what IPs can connect.
>>
>> By default, you're either using a local Unix domain socket associated
>> with a path like /var/run/clamav/clamd, or a TCP socket bound to
>> localhost aka 127.0.0.1.  If you change things to bind to a routable
>> IP, then you should implement appropriate firewall rules to manage
>> access to clamd.
>>
> 
> Right, firewalls should be the first line of defense.
> 
> Now if somebody did set clamd up to bind to a routable IP and
> misconfigured the firewall
> :-(
> or God forbid didn't have a firewall.
> :-0
> or, say the firewalls are configured to policy, and a hired pen tester,
> or rogue employee who has access to the network, decides to mess with clamd.
> ]:->
> 
> Then what?

Rather than duplicate our network restrictions in every daemon, we just
use Nagios (which we were already running) to make sure that no services
are "accidentally" opened to the outside.

It can easily be configured to spew alerts when a service comes up.

Granted, it's still duplication, but it's limited to two places instead
of iptables and every other conf file.
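As an added example for this thread (not code from ClamAV, Nagios, or any of the posters): a small Nagios-style plugin that audits a clamd.conf for the binding Chuck describes. It returns the standard plugin exit codes (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN) so it can be dropped into an existing Nagios setup as one more check that clamd has not been "accidentally" opened up. The directive names TCPSocket, TCPAddr, LocalSocket and Example are clamd.conf's own; the sample configs are constructed for the demo; the assumption that TCPSocket without any TCPAddr binds every interface follows the comment in the sample clamd.conf that ships with ClamAV, and a hostname the check cannot prove is loopback is treated as exposed.

```python
#!/usr/bin/env python3
"""Nagios-style check: does a clamd.conf expose clamd beyond localhost?

Added example, not ClamAV's or Nagios' own code. Parses the TCPSocket,
TCPAddr and LocalSocket directives of clamd.conf and maps the result to the
usual plugin exit codes. Sample configs at the bottom are constructed.
"""
import ipaddress
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Names the sample clamd.conf uses for a loopback binding.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_clamd_conf(text):
    """Return {directive: [values]} for a clamd.conf.

    Format is 'Directive value' per line; lines starting with '#' are
    comments. A bare 'Example' line is kept (empty value) because clamd
    refuses to start while it is present. TCPAddr may repeat.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def is_loopback(addr):
    """True for 127.0.0.0/8, ::1 and the 'localhost' names; conservative otherwise."""
    if addr.lower() in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        # Unresolved hostname: we cannot prove it is loopback, so treat as exposed.
        return False


def assess(conf):
    """Classify the binding described by a parsed clamd.conf -> (exit_code, message)."""
    if "Example" in conf:
        return UNKNOWN, "UNKNOWN: clamd.conf still contains the 'Example' line"
    tcp = conf.get("TCPSocket")
    if not tcp:
        sock = conf.get("LocalSocket", ["(none)"])[0]
        return OK, "OK: no TCPSocket; clamd listens only on LocalSocket %s" % sock
    port = tcp[-1]
    addrs = conf.get("TCPAddr")
    if not addrs:
        # Assumption (per the sample clamd.conf comment): TCPSocket with no
        # TCPAddr binds INADDR_ANY, i.e. every interface on the host.
        return CRITICAL, "CRITICAL: TCPSocket %s with no TCPAddr binds all interfaces" % port
    exposed = [a for a in addrs if not is_loopback(a)]
    if exposed:
        return CRITICAL, "CRITICAL: clamd port %s bound to routable address(es) %s" % (
            port, ", ".join(exposed))
    return OK, "OK: clamd port %s bound only to loopback (%s)" % (port, ", ".join(addrs))


def check_file(path):
    """Run the check against a clamd.conf on disk."""
    with open(path) as f:
        return assess(parse_clamd_conf(f.read()))


# Constructed sample configs (not taken from any real host).
SAFE_CONF = """\
# local socket plus TCP on loopback only
LocalSocket /var/run/clamav/clamd
TCPSocket 3310
TCPAddr 127.0.0.1
"""

EXPOSED_CONF = """\
# bound to a routable address: the firewall is now the only barrier
TCPSocket 3310
TCPAddr 10.0.0.5
"""

ANY_CONF = """\
# TCPSocket with no TCPAddr at all
TCPSocket 3310
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        code, msg = check_file(sys.argv[1])   # e.g. /etc/clamav/clamd.conf
    else:
        code, msg = assess(parse_clamd_conf(EXPOSED_CONF))
    print(msg)
    sys.exit(code)
```

Run it as `check_clamd_bind.py /etc/clamav/clamd.conf` from a Nagios command definition; with no argument it evaluates the constructed EXPOSED_CONF and exits 2. It only reads the config, so it complements rather than replaces a check_tcp probe from a host outside the firewall: the config says what clamd intends to bind, the probe says what is actually reachable.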
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml