-------- Original Message --------
> Date: Fri, 08 Jan 2010 14:57:12 +0100
> From: Klaus Schmidinger <klaus.schmidin...@tvdr.de>
> To: VDR Mailing List <vdr@linuxtv.org>
> Subject: Re: [vdr] [Patch] Allow to limit SVDRP port to given IP

> What about svdrphosts.conf?

It just denies someone access. The port is still available, accessible and, 
in the worst case, also attackable. IIRC it is even required to accept the 
connection first, to find out the IP of the computer which tries to access it, 
and then to drop the connection in a second step. IMHO the better way, from the 
security standpoint, is to get the port closed, so a potential attacker isn't 
able to get to it at all. Most other daemons which open ports allow such 
configuration, like cups, apache and others.

svdrphosts.conf, of course, is still needed for fine-configuration of allowed 
hosts (other daemons also have this), but limiting the port to localhost would 
be the better alternative to just disabling svdrp by setting the port to zero, 
as currently recommended in the INSTALL file. If someone wants to configure his 
system to have a minimum of ports opened to the outside world (like me), then 
*disabling* svdrp is never a good solution, as this breaks scripts and other 
external features.

The only thing I'm unsure about is whether we really need to specify an IP. A 
simple switch like "--svdrp-localhost" (or similar) would also do the job. But 
my first solution has the advantage that there is no additional switch needed.


()  ascii ribbon campaign - against html mail
/\
answers as html mail will be deleted automatically!
