[Openvas-devel] Listen only on local interface by default?
michael.wiegand at greenbone.net
Mon Feb 14 10:54:32 CET 2011
On Monday, 14 February 2011 08:35:42, Chandrashekhar B wrote:
> > Many packagers start the OpenVAS services with "--listen=127.0.0.1" to make
> > them listen on the local interface only, which seems like a sensible choice
> > to me for the basic usage of a single user on a single machine. And even if
> > you want to access your installation from another machine, you will most
> > likely only want to expose either GSA (HTTPS) or Manager (OMP).
> What about IPv6 interface? We need ::1 also.
Right now, the daemons listen to one interface only anyway, with IPv4 being
I'd rather leave IPv4 the default until listening on multiple interfaces has been
properly implemented in all daemons because it is hard to guess without
additional information; nowadays, most kernels support IPv6, while most
environments are still IPv4.
> I am wondering, if someone is
> only using server and client and not through GSA?
I think in the most likely case for new users they will have Scanner and
Client on the same machine, so this should work.
Once they become more experienced and want to have their installation
distributed, they will find out how to use the --listen parameter.
I'd rather have an intermediate or experienced user spend five minutes reading
the documentation than have an inexperienced user exposing his Scanner to the
whole network or the whole world, possibly with a weak password.
> > I would propose changing the default behaviour to listening on the local
> > interface only.
> How about a post-installation step where you ask the user what should be
> the default behavior?
This should be left to the packagers IMHO. They are of course free to set the
parameters in their init files to whatever they see as reasonable.
Michael Wiegand | Greenbone Networks GmbH | http://www.greenbone.net/
Neuer Graben 17, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Executive Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
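
The following check is an added example, not part of the original message or of OpenVAS itself: it audits daemon start commands, as a packager's init file might contain them, and reports every one that is not pinned to a loopback address with the `--listen` parameter discussed above. The binary names and paths in the sample lines are constructed assumptions, as is acceptance of the space-separated `--listen ADDRESS` form.

```python
import ipaddress
import shlex

# Constructed sample init-script command lines (binary names/paths are assumptions).
SAMPLE_CMDLINES = [
    "/usr/sbin/openvassd --listen=127.0.0.1",
    "/usr/sbin/openvasmd --listen=0.0.0.0",
    "/usr/sbin/gsad --listen 192.0.2.10",
    "/usr/sbin/openvasad",
    "/usr/sbin/openvasmd --listen=::1",
]

def listen_value(cmdline):
    """Return the last --listen value on the command line, or None if absent."""
    args = shlex.split(cmdline)
    value = None
    for i, arg in enumerate(args):
        if arg.startswith("--listen="):
            value = arg.split("=", 1)[1]
        elif arg == "--listen" and i + 1 < len(args):
            # Space-separated form: assumed to be accepted like other long options.
            value = args[i + 1]
    return value

def classify(cmdline):
    """Classify how widely a daemon started with this command line would listen."""
    value = listen_value(cmdline)
    if value is None:
        return "daemon-default"      # outcome depends on the built-in default
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return "unparseable"         # hostname or typo: needs manual review
    if addr.is_loopback:             # 127.0.0.0/8 or ::1
        return "loopback-only"
    if addr.is_unspecified:          # 0.0.0.0 or ::
        return "all-interfaces"
    return "single-address"

def audit(cmdlines):
    """Return (cmdline, verdict) pairs for everything not pinned to loopback."""
    return [(c, v) for c in cmdlines if (v := classify(c)) != "loopback-only"]

if __name__ == "__main__":
    for cmdline, verdict in audit(SAMPLE_CMDLINES):
        print(f"{verdict:15} {cmdline}")
```

A `daemon-default` verdict is the case this thread is about: without an explicit `--listen`, exposure is decided by whatever default the daemon ships with.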