On 08.01.2010 16:56, Manuel Reimer wrote:
> -------- Original Message --------
>> Date: Fri, 08 Jan 2010 14:57:12 +0100
>> From: Klaus Schmidinger <klaus.schmidin...@tvdr.de>
>> To: VDR Mailing List <firstname.lastname@example.org>
>> Subject: Re: [vdr] [Patch] Allow to limit SVDRP port to given IP
>> What about svdrphosts.conf?
> It just denies someone access. The port is still available, accessible and
> in worst case also attackable. IIRC it is even required to accept the
> connection at first, to find out the IP of the computer, which tries to
> access and then to drop the connection in a second step. IMHO the better way,
> from the security standpoint, is to get the port closed, so a potential
> attacker isn't able to get to it at all. Most other daemons, which open
> ports, allow such configuration, like cups, apache and others.
> svdrphosts.conf, of course, still is needed for fine-configuration of allowed
> hosts (other daemons also have this), but limiting the port to localhost
> would be the better alternative to just disabling svdrp by setting the port
> to zero, as currently recommended in the INSTALL file. If someone wants to
> configure his system to have a minimum of ports opened to the outside world
> (like me), then *disabling* svdrp is never a good solution, as this breaks
> scripts and other external features.
> The only thing I'm unsure about is whether we really need to specify an IP. A
> simple switch like "--svdrp-localhost" (or similar) would also do the job.
> But my first solution has the advantage, that there is no additional switch
How about this: if svdrphosts.conf contains only one single IP number, then
open the port for only that IP number. Otherwise it needs to be opened generally,
BTW: please don't CC: me - I am subscribed to the list ;-)
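
Added example (not VDR's code and not part of either message): the rule suggested in the reply, written in C, binding the listener to the single listed address and to all interfaces otherwise. The list format (one IPv4 address per line, optional /netmask, `#` comments) and the names `pick_bind_addr` and `open_listener` are assumptions. A bind can only succeed when the single entry is an address of the local machine, such as 127.0.0.1.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 1 and sets *out when the list holds exactly one plain IPv4
 * address; otherwise returns 0 and sets *out to INADDR_ANY. */
int pick_bind_addr(const char *conf, struct in_addr *out)
{
    char line[64], tok[64], only[64] = "";
    int entries = 0;
    out->s_addr = htonl(INADDR_ANY);
    while (*conf) {
        size_t n = strcspn(conf, "#\n");              /* stop at comment or EOL */
        snprintf(line, sizeof line, "%.*s", (int)n, conf);
        conf += strcspn(conf, "\n");
        if (*conf) conf++;                            /* step over the newline */
        if (sscanf(line, "%63s", entries ? tok : only) == 1) entries++;
    }
    if (entries != 1 || strchr(only, '/')) return 0;  /* several hosts or a subnet */
    if (inet_pton(AF_INET, only, out) == 1) return 1;
    out->s_addr = htonl(INADDR_ANY);                  /* unparsable entry */
    return 0;
}

/* Open a TCP listener bound to addr:port; returns the fd or -1. */
int open_listener(struct in_addr addr, unsigned short port)
{
    struct sockaddr_in sa = {0};
    int one = 1, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    sa.sin_family = AF_INET;
    sa.sin_addr = addr;
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0 && listen(fd, 1) == 0)
        return fd;
    close(fd);
    return -1;
}

int main(void)
{
    struct in_addr a;   /* constructed sample list; port 0 = any free port */
    int single = pick_bind_addr("# local scripts only\n127.0.0.1\n", &a);
    int fd = open_listener(a, 0);
    printf("single=%d bind=%s listening=%d\n", single, inet_ntoa(a), fd >= 0);
    return fd >= 0 ? close(fd) : 1;
}
```

With a loopback bind the kernel refuses connections arriving on other interfaces before any accept-then-check code runs, which is the difference the quoted message points out.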