Is avahi-daemon a security risk?

[Bpralle]

Hello everyone, im usualy pretty good about finding what information I need by searching. I have been unable to find anything that will give me a strait answer on if avahi is a possible security issue, or how I can disable the daemon.

Thanks in advance for all replys.

[caf4926]

Let me google that for you

[Bpralle]

Yeah...

Thats why I normaly dont ask questions on open source forums, it's always the same response. Thanks for nothing, im sure you just assumed I am another luser who is to lazy to search on his own.

[caf4926]

Yast - System - System Runlevel services

But I can't for the life of think why you want to disable it.

[Bpralle]

Well from what I read about it, I honestly did not think I would ever use it. From what I understand it would only be useful if I was trying to connect with other machines on my lan, if I am wrong please correct me. I don't plan on having to network this comp with any of the others for a while. I figured it would be better turned off if im not using it.

Sorry about the previous post, I can be a little short sometimes. I might have missed what I was looking for, all of this new tech speak is taking a while to learn.

[caf4926]

From what I understand it's integration in the Desktop Environment in both Gnome and KDE might mean issues if you take it out. But I don't have sufficient knowledge on the matter.

[smpoole7]

Caf,

Just for the record, I'm totally opposed to that Avahi **** being turned on by default. It supposedly makes it easier for zero-configuration networking, but I DO see it as a security risk. If I'm on a small network with friends, maybe it's not a big deal, but there's no way on earth I'm going to expose that junk when I'm browsing at a WiFi hotspot, or when I'm in a motel room on the road.

The bad thing is that some firewalls (not sure about Suse's, but I know RedHat/CentOS's does this) opens the mDNS ports without even telling you, and without providing any easy or intuitive way to block them. I found out the hard way that with CentOS, if you have a server with two NICs, one exposed to the Web and another exposed internally, their default firewall will open IPP and mDNS to the entire Internet(!!!). That's just insane, in my humble opinion.

I'm certainly not fussing at you, by the way. I'm very impolitely using your head as a soapbox. I'll climb back down and quit yelling in a moment.

To me, this falls under the general security heading of, "if you don't need it, don't enable it." The fact that there are some KDE and Gnome services that balk if mDNS/Avahi is missing is also dumb. (Or for that matter, Bluetooth services and a host of others that we won't get into here.)

I know what the goal is: it's to make Linux as easy to use as possible, especially for new users who might be migrating from Mac or Windows. But I personally hate to see this "Window-ization" of Linux. Avahi/mDNS is by no means the only offender.

[smpoole7]

Quote:

Originally Posted by Bpralle

Hello everyone, im usualy pretty good about finding what information I need by searching. I have been unable to find anything that will give me a strait answer on if avahi is a possible security issue, or how I can disable the daemon.

Thanks in advance for all replys.

I have it disabled on my system. OpenSUSE isn't as anal about it as some -- I've seen some distributions that will silently re-enable it without telling you, they're so determined that you need it.

Unless you're on a network that requires it, you should disable it, in my opinion. If you have problems (strange errors in KDE or Gnome, for example), re-enable it, but block that port in the firewall.

There's a decent article about the Avahi variant of ZeroConf on Wikipedia, by the way. Avahi (software) - Wikipedia, the free encyclopedia

[caf4926]

@smpoole7
Thank you for that explanation and it is no problem that you stand on my head to do it. I admit my limitations and this is one. I'm sure the OP will be interested in your comments.

Bpralle wrote:

> Hello everyone, im usualy pretty good about finding what information I
> need by searching. I have been unable to find anything that will give
> me a strait answer on if avahi is a possible security issue, or how I
> can disable the daemon.

Is not a security issue "per se" but as any enabled service in your system,
it can be exploited.

I've also disabled the service (yast / services / runlevel editor) to
prevent starting on every boot.

Greetings,

--
Camaleón