
Thread: Is avahi-daemon a security risk?

  1. #1
    Bpralle NNTP User

    Default Is avahi-daemon a security risk?

    Hello everyone, I'm usually pretty good about finding what information I need by searching. I have been unable to find anything that will give me a straight answer on if avahi is a possible security issue, or how I can disable the daemon.

    Thanks in advance for all replies.

  2. #2
    Join Date
    Jun 2008
    Location
    The English Lake District. UK - GMT/BST
    Posts
    36,857
    Blog Entries
    20

    Default Re: Is avahi-daemon a security risk?

    Tumbleweed_KDE

  3. #3
    Bpralle NNTP User

    Thumbs up Re: Is avahi-daemon a security risk?

    Yeah...

    That's why I normally don't ask questions on open source forums, it's always the same response. Thanks for nothing, I'm sure you just assumed I am another luser who is too lazy to search on his own.

  4. #4
    Join Date
    Jun 2008
    Location
    The English Lake District. UK - GMT/BST
    Posts
    36,857
    Blog Entries
    20

    Default Re: Is avahi-daemon a security risk?

    Yast - System - System Runlevel services

    But I can't for the life of me think why you want to disable it.
    Tumbleweed_KDE

  5. #5
    Bpralle NNTP User

    Default Re: Is avahi-daemon a security risk?

    Well, from what I read about it, I honestly did not think I would ever use it. From what I understand it would only be useful if I was trying to connect with other machines on my LAN, if I am wrong please correct me. I don't plan on having to network this comp with any of the others for a while. I figured it would be better turned off if I'm not using it.

    Sorry about the previous post, I can be a little short sometimes. I might have missed what I was looking for, all of this new tech speak is taking a while to learn.

  6. #6
    Join Date
    Jun 2008
    Location
    The English Lake District. UK - GMT/BST
    Posts
    36,857
    Blog Entries
    20

    Default Re: Is avahi-daemon a security risk?

    From what I understand its integration in the Desktop Environment in both Gnome and KDE might mean issues if you take it out. But I don't have sufficient knowledge on the matter.
    Tumbleweed_KDE

  7. #7
    Join Date
    Oct 2008
    Location
    Birmingham. AL
    Posts
    858

    Default Re: Is avahi-daemon a security risk?

    Caf,

    Just for the record, I'm totally opposed to that Avahi **** being turned on by default. It supposedly makes it easier for zero-configuration networking, but I DO see it as a security risk. If I'm on a small network with friends, maybe it's not a big deal, but there's no way on earth I'm going to expose that junk when I'm browsing at a WiFi hotspot, or when I'm in a motel room on the road.

    The bad thing is that some firewalls (not sure about Suse's, but I know RedHat/CentOS's does this) open the mDNS ports without even telling you, and without providing any easy or intuitive way to block them. I found out the hard way that with CentOS, if you have a server with two NICs, one exposed to the Web and another exposed internally, their default firewall will open IPP and mDNS to the entire Internet(!!!). That's just insane, in my humble opinion.

    I'm certainly not fussing at you, by the way. I'm very impolitely using your head as a soapbox. I'll climb back down and quit yelling in a moment.

    To me, this falls under the general security heading of, "if you don't need it, don't enable it." The fact that there are some KDE and Gnome services that balk if mDNS/Avahi is missing is also dumb. (Or for that matter, Bluetooth services and a host of others that we won't get into here.)

    I know what the goal is: it's to make Linux as easy to use as possible, especially for new users who might be migrating from Mac or Windows. But I personally hate to see this "Window-ization" of Linux. Avahi/mDNS is by no means the only offender.

  8. #8
    Join Date
    Oct 2008
    Location
    Birmingham. AL
    Posts
    858

    Default Re: Is avahi-daemon a security risk?

    Originally posted by Bpralle:

    > Hello everyone, I'm usually pretty good about finding what information I need by searching. I have been unable to find anything that will give me a straight answer on if avahi is a possible security issue, or how I can disable the daemon.
    >
    > Thanks in advance for all replies.

    I have it disabled on my system. OpenSUSE isn't as anal about it as some -- I've seen some distributions that will silently re-enable it without telling you, they're so determined that you need it.

    Unless you're on a network that requires it, you should disable it, in my opinion. If you have problems (strange errors in KDE or Gnome, for example), re-enable it, but block that port in the firewall.

    There's a decent article about the Avahi variant of ZeroConf on Wikipedia, by the way. Avahi (software) - Wikipedia, the free encyclopedia
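
Posts #7 and #8 are about mDNS and IPP being reachable on every interface. The following check is an added example, not part of any post in this thread: it reads socket listings in the column layout of iproute2's `ss -H -tuln` and reports mDNS (UDP 5353) or IPP (port 631) sockets bound to a wildcard address. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag mDNS / IPP sockets that are
# bound to every interface instead of loopback or one specific address.
# Input on stdin: lines in the layout of `ss -H -tuln`
#   Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

audit_listeners() {
    awk '
    NF < 5 { next }                      # skip blank or truncated lines
    {
        proto = $1; laddr = $5
        n = split(laddr, parts, ":")     # port is the text after the last ":"
        port = parts[n]
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        sub(/%.*/, "", addr)             # drop a "%interface" scope suffix
        wildcard = (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
        name = ""
        if (proto == "udp" && port == "5353") name = "mDNS"
        else if (port == "631") name = "IPP"
        if (name != "" && wildcard)
            printf "%s %s/%s %s\n", name, proto, port, addr
    }'
}

# Constructed sample input, not captured from a real host.
sample_listeners() {
cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:631        0.0.0.0:*
udp   UNCONN 0      0               [::]:5353          [::]:*
tcp   LISTEN 0      5          127.0.0.1:631        0.0.0.0:*
EOF
}

sample_listeners | audit_listeners

# On a live system: ss -H -tuln | audit_listeners
```

A wildcard bind only tells you the service would answer on any interface; whether it is reachable from outside still depends on the firewall rules for those ports.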

  9. #9
    Join Date
    Jun 2008
    Location
    The English Lake District. UK - GMT/BST
    Posts
    36,857
    Blog Entries
    20

    Default Re: Is avahi-daemon a security risk?

    @smpoole7
    Thank you for that explanation and it is no problem that you stand on my head to do it. I admit my limitations and this is one. I'm sure the OP will be interested in your comments.
    Tumbleweed_KDE

  10. #10
    Camalen NNTP User

    Default Re: Is avahi-daemon a security risk?

    Bpralle wrote:

    > Hello everyone, I'm usually pretty good about finding what information I
    > need by searching. I have been unable to find anything that will give
    > me a straight answer on if avahi is a possible security issue, or how I
    > can disable the daemon.


    It is not a security issue "per se" but, like any enabled service in your system,
    it can be exploited.

    I've also disabled the service (yast / services / runlevel editor) to
    prevent it from starting on every boot.

    Greetings,

    --
    Camalen
