On 7/22/2011 8:11 PM, Chuck Swiger wrote:
> On Jul 22, 2011, at 4:51 PM, Nathan Gibbs wrote:
>> On 7/22/2011 5:46 PM, Chuck Swiger wrote:
>>> On Jul 22, 2011, at 2:39 PM, Nathan Gibbs wrote:
>>>> Does clamd have any form of network access control? For
>>>> instance limiting what IP's can connect.
>>>
>>> By default, you're either using a local Unix domain socket
>>> associated with a path like /var/run/clamav/clamd, or a TCP
>>> socket bound to localhost aka 127.0.0.1. If you change things to
>>> bind to a routable IP, then you should implement appropriate
>>> firewall rules to manage access to clamd.
>>
>> Right, Firewalls should be the first line of defense.
>
> Actually, not running insecure software is better than trying to
> defend vulnerable software.

Agreed, which could be a problem for clamd.

> If your network is only secure because
> of the firewall, you're actually highly vulnerable to situations
> where a route around the firewall is added-- say someone adds a
> wireless access point (or connects a compromised laptop with
> wireless) to the network.
>

Or already has access because they are behind the firewall.

>> Then what?
>

All your clamds are potentially baked.

> Then you find someone more qualified to deploy and secure
> Internet-accessible services.
>

What about intranet facing services?

> Clamd will be remotely accessible, constituting easy DoS potential of
> the scanner

Correct.

>> Does clamd support tcpwrappers?
>
> It looks like clamav-milter does, but not clamd itself.

H'mm, for now it looks like firewalls are the only defense when you bind clamd to an IP address.

To the point.

Clam Bake
A tool that enumerates and optionally shuts down instances of the Clam Antivirus service on a network.

Download Freely. Enjoy thoroughly. Use Responsibly.
http://www.cmpublishers.com/oss/#clambake

I thought of this issue back in 2005 or 2006, and figured it would have been addressed by now.

--
Sincerely,
Nathan Gibbs
Systems Administrator
Christ Media
http://www.cmpublishers.com
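
A configuration check for the exposure discussed in this thread, added here as an example and not part of the original message or of ClamAV itself: it reads a clamd.conf and reports when clamd would accept TCP connections on a non-loopback address, which is the case the thread says must be covered by firewall rules. The directive names LocalSocket, TCPSocket and TCPAddr are taken from clamd.conf and are not named in the thread; treating TCPSocket without TCPAddr as listening on all interfaces is an assumption to verify against your ClamAV version, and the sample configs are constructed.

```python
import ipaddress

# Constructed sample configs (not taken from the thread).
SAMPLE_UNIX = "# local socket only\nLocalSocket /var/run/clamav/clamd\n"
SAMPLE_LOCAL = "TCPSocket 3310\nTCPAddr localhost\n"
SAMPLE_EXPOSED = "LocalSocket /var/run/clamav/clamd\nTCPSocket 3310\n"
SAMPLE_ROUTABLE = "TCPSocket 3310\nTCPAddr 127.0.0.1\nTCPAddr 192.0.2.10\n"


def parse_directives(text):
    """Return {directive: [values]}; a directive such as TCPAddr may repeat."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        directives.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return directives


def is_loopback(addr):
    """True for 'localhost' and loopback IPs; other hostnames count as exposed."""
    if addr.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_clamd_conf(text):
    """Return findings; an empty list means no non-loopback TCP listener."""
    d = parse_directives(text)
    if "TCPSocket" not in d:
        return []  # Unix domain socket only: no network listener
    port = d["TCPSocket"][-1]
    addrs = d.get("TCPAddr", [])
    if not addrs:
        # Assumption: without TCPAddr, clamd listens on all interfaces.
        return [f"TCPSocket {port} without TCPAddr: reachable on every interface"]
    return [f"TCPSocket {port} on {a}: restrict access with firewall rules"
            for a in addrs if not is_loopback(a)]


if __name__ == "__main__":
    for name in ("SAMPLE_UNIX", "SAMPLE_LOCAL", "SAMPLE_EXPOSED", "SAMPLE_ROUTABLE"):
        print(name, audit_clamd_conf(globals()[name]) or "ok")
```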
