Hi, > In the same way, imho, securing the livestatus module socket > should be thought about (for example limiting hosts/IP that > can send requests), against malveillant users that could send > external commands or malformed requests (DoS). that's true, but i don't think this belongs into the Shinken code. Why not delegate the protection to a very low level, iptables or Windows firewall? If an admin sets up a distributed monitoring system, he should easily have another 10 minutes to think about some firewall rules. This way, the threat is blocked with less impact on the Shinken processes. Because if, for example i implement an access list for the livestatus broker, it still has to handle the connections (established connections, where iptables throws away the first syn-packet). If there are lots of connections/sec the broker is busy filtering the bad ones and throwing them away instead of handling the good ones.
Gerhard ------------------------------------------------------------------------------ Protect Your Site and Customers from Malware Attacks Learn about various malware tactics and how to avoid them. Understand malware threats, the impact they can have on your business, and how you can protect your company and customers by using code signing. http://p.sf.net/sfu/oracle-sfdevnl _______________________________________________ Shinken-devel mailing list Shinken-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shinken-devel
