Package: darkstat
Version: 3.0.721-2
Severity: normal
X-Debbugs-Cc: [email protected]

When started with no extra arguments other than required -i INTERFACE,
it default to listening on 0.0.0.0 and [::] port 667.

I do not think that is very secure, especially as [::] could easily be
publicly accessible, as does 0.0.0.0 from untrusted networks, and even 
without exploits darkstat could easily disclose a lot of information
including personal and private data.

It is too easy to misuse or misconfigure.

With -b option it is not quite possible to bind back to both ipv4 and
ipv6 either.

/etc/darkstat/init.cfg  does show example of binding to 127.0.0.1, but
it is commented out. Plus there is no way to listen on both 127.0.0.1
and ::1 afaik.

So not only this config should be improved, but also command should
improve to only listen on localhost (127.0.0.1 and ::1) by default (with
no -b option).

Also confusingly, init.cfg suggests it is listening on port 666, but in
fact it is 667 by default.

-- System Information:
Debian Release: 13.0
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.16.0-rc1 (SMP w/32 CPU threads; PREEMPT)
Kernel taint flags: TAINT_CPU_OUT_OF_SPEC, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages darkstat depends on:
ii  debconf [debconf-2.0]  1.5.91
ii  init-system-helpers    1.68
ii  libc6                  2.41-8
ii  libpcap0.8t64          1.10.5-2
ii  zlib1g                 1:1.3.dfsg+really1.3.1-1+b1

darkstat recommends no packages.

darkstat suggests no packages.

-- debconf information excluded

Reply via email to