Package: darkstat Version: 3.0.721-2 Severity: normal X-Debbugs-Cc: [email protected]
When started with no extra arguments other than required -i INTERFACE, it default to listening on 0.0.0.0 and [::] port 667. I do not think that is very secure, especially as [::] could easily be publicly accessible, as does 0.0.0.0 from untrusted networks, and even without exploits darkstat could easily disclose a lot of information including personal and private data. It is too easy to misuse or misconfigure. With -b option it is not quite possible to bind back to both ipv4 and ipv6 either. /etc/darkstat/init.cfg does show example of binding to 127.0.0.1, but it is commented out. Plus there is no way to listen on both 127.0.0.1 and ::1 afaik. So not only this config should be improved, but also command should improve to only listen on localhost (127.0.0.1 and ::1) by default (with no -b option). Also confusingly, init.cfg suggests it is listening on port 666, but in fact it is 667 by default. -- System Information: Debian Release: 13.0 APT prefers testing-debug APT policy: (500, 'testing-debug'), (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 6.16.0-rc1 (SMP w/32 CPU threads; PREEMPT) Kernel taint flags: TAINT_CPU_OUT_OF_SPEC, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) Versions of packages darkstat depends on: ii debconf [debconf-2.0] 1.5.91 ii init-system-helpers 1.68 ii libc6 2.41-8 ii libpcap0.8t64 1.10.5-2 ii zlib1g 1:1.3.dfsg+really1.3.1-1+b1 darkstat recommends no packages. darkstat suggests no packages. -- debconf information excluded

