Bug#746586: minissdpd listens on all interfaces even when configured not to


Dave Rutherford

May 1, 2014, 1:00:02 PM
Package: minissdpd
Version: 1.1.20120121-1
Severity: normal

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tiger automatic auditing software alerted me that minissdpd was listening
on all network interfaces in the default configuration. I modified
the config to specify the IP address of the interface to listen on,
but Tiger still reports that minissdpd is listening everywhere. I only
realized this after seeing attempts in my syslog by hackers probing the
socket; obviously this service ought not to be listening on my Internet
interface. But closing it in the obvious way didn't work.

I did verify that minissdpd was running with the correct options:
$ ps axl|grep minissdpd|grep -v grep
1 0 12411 1 20 0 3952 84 - Ss ? 0:00 /usr/sbin/minissdpd -i 192.168.0.44

Tiger's report:

# Checking listening processes
NEW: --WARN-- [lin002i] The process `minissdpd' is listening on socket 1900 (UDP) on every interface.

-- System Information:
Debian Release: 7.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages minissdpd depends on:
ii libc6 2.13-38+deb7u1

minissdpd recommends no packages.

minissdpd suggests no packages.

-- Configuration Files:
/etc/default/minissdpd changed:
START_DAEMON=1
MiniSSDPd_INTERFACE_ADDRESS=192.168.0.44


-- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlNibMEACgkQnN+41NpzKveWrQCeOpB72U5TlFvEBDn//uBlj2Fq
fy0An16U0DlpAarxpMLQmdg8nDiHdHUd
=QYYk
-----END PGP SIGNATURE-----



Yangfl

Feb 23, 2018, 7:40:03 AM
Hi,

In config.h:
/* Uncomment the following line in order to make minissdpd
* listen on 1.2.3.4:1900 instead of *:1900
* Note : it prevents broadcast packets to be received,
* at least with linux */
/*#define SSDP_LISTEN_ON_SPECIFIC_ADDR*/

It should be OK to enable such an option since UPnP actually uses
multicast. However, there might be some broken clients sending
broadcast.

zigo, what's your opinion?

miniupnp

Feb 23, 2018, 9:10:03 AM
Hello,

Indeed minissdpd does bind() the socket on *:1900 but adds membership (join group for IPv6) to the multicast group 239.255.255.250 (FF02::C, FF05::C) only on the specified interface(s).
https://github.com/miniupnp/miniupnp/blob/master/minissdpd/openssdpsocket.c#L105

Then, the first thing done when a packet is received is to check the interface and/or the peer address:
https://github.com/miniupnp/miniupnp/blob/master/minissdpd/minissdpd.c#L629
Non matching packets are dropped.

Binding on a specific address may or may not work properly depending on the way the OS implements IP multicast.
It can be enabled at compile time but was disabled for incompatibility reasons (AFAIR).


Regards,

Thomas



miniupnp

Feb 23, 2018, 10:00:04 AM
I'm sorry, the comment is misleading; it should read "multicast".

As far as I know, the bind() address for a UDP socket is used as a "filter
address":
* Binding to the interface address (192.168.0.1) prevents multicast SSDP
packets from being received (they are sent to 239.255.255.250)
* Binding to 239.255.255.250 prevents SSDP unicast packets from being
received, as they are sent to 192.168.0.1

Anyway, binding to 239.255.255.250 won't change the interface MiniSSDPd is
listening on...

The only solution is to bind to ANY; MiniSSDPd then does packet
filtering on each received packet,
dropping those that have the wrong receiving interface or the wrong sender.

Anyway, for better security, one should use iptables to prevent any
traffic coming from the Internet on UDP port 1900!

Thomas Bernard


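The design Thomas describes in his two replies (bind the UDP socket to ANY:1900, join 239.255.255.250 on the configured interface only, then drop every datagram whose receiving interface or sender is wrong) is written out below as an added example. This is not minissdpd's own code; the interface name eth0, the address 192.168.0.44 and the prefix 192.168.0.0/24 are constructed for illustration, and the receiving interface is recovered from the kernel's IP_PKTINFO ancillary data rather than from whatever minissdpd does internally.

```c
/* Added example (not minissdpd's code): a UDP listener that binds to
 * INADDR_ANY:1900, joins 239.255.255.250 on one interface only, and drops
 * every datagram whose receiving interface or sender is not the configured
 * one. eth0 / 192.168.0.44 / 192.168.0.0/24 are assumed values. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <arpa/inet.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define SSDP_PORT  1900
#define SSDP_MCAST "239.255.255.250"

/* Policy applied to every received datagram. Addresses are in network
 * byte order, as returned by inet_addr() and recvmsg(). Returns 1 to
 * accept the packet, 0 to drop it. */
int packet_allowed(unsigned recv_ifindex, in_addr_t sender,
                   unsigned want_ifindex, in_addr_t net, in_addr_t mask)
{
    if (recv_ifindex != want_ifindex)     /* arrived on the wrong interface */
        return 0;
    if ((sender & mask) != (net & mask))  /* sender outside the LAN prefix */
        return 0;
    return 1;
}

/* Bind to ANY so both multicast and unicast SSDP reach the socket, join the
 * group on ifaddr only, and enable IP_PKTINFO so recvmsg() reports the
 * receiving interface. This 0.0.0.0:1900 bind is what Tiger reports. */
int open_ssdp_socket(const char *ifaddr, unsigned short port)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &one, sizeof one);

    struct sockaddr_in any = { .sin_family = AF_INET, .sin_port = htons(port),
                               .sin_addr.s_addr = htonl(INADDR_ANY) };
    if (bind(fd, (struct sockaddr *)&any, sizeof any) < 0) { close(fd); return -1; }

    struct ip_mreq mreq;
    mreq.imr_multiaddr.s_addr = inet_addr(SSDP_MCAST);
    mreq.imr_interface.s_addr = inet_addr(ifaddr);  /* membership on this interface only */
    if (setsockopt(fd, IPPROTO_IP, IP_ADD_MEMBERSHIP, &mreq, sizeof mreq) < 0)
        perror("IP_ADD_MEMBERSHIP (continuing, unicast only)");
    return fd;
}

/* Receive one datagram, read the receiving interface index from the
 * IP_PKTINFO control message, and apply packet_allowed(). Returns the
 * payload length, 0 if the datagram was dropped, -1 on error. */
ssize_t recv_ssdp_filtered(int fd, char *buf, size_t len,
                           unsigned want_ifindex, in_addr_t net, in_addr_t mask)
{
    struct sockaddr_in src;
    char cbuf[CMSG_SPACE(sizeof(struct in_pktinfo))];
    struct iovec iov = { buf, len };
    struct msghdr msg = { .msg_name = &src, .msg_namelen = sizeof src,
                          .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0) return -1;

    unsigned recv_ifindex = 0;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO) {
            struct in_pktinfo pi;
            memcpy(&pi, CMSG_DATA(c), sizeof pi);
            recv_ifindex = (unsigned)pi.ipi_ifindex;
        }
    }
    if (!packet_allowed(recv_ifindex, src.sin_addr.s_addr, want_ifindex, net, mask)) {
        fprintf(stderr, "dropped %zd bytes from %s on ifindex %u\n",
                n, inet_ntoa(src.sin_addr), recv_ifindex);
        return 0;
    }
    return n;
}

int main(void)
{
    /* Assumed LAN for the demonstration: interface eth0, 192.168.0.0/24. */
    unsigned want = if_nametoindex("eth0");
    int fd = open_ssdp_socket("192.168.0.44", SSDP_PORT);
    if (fd < 0 || want == 0) { perror("setup"); return 1; }
    char buf[1500];
    for (;;) {
        ssize_t n = recv_ssdp_filtered(fd, buf, sizeof buf - 1, want,
                                       inet_addr("192.168.0.0"),
                                       inet_addr("255.255.255.0"));
        if (n > 0) { buf[n] = '\0'; printf("accepted: %.40s\n", buf); }
    }
}
```

The point for anyone reading a Tiger report like Dave's: the `0.0.0.0:1900` bind in `open_ssdp_socket` is what the port scan sees and is structurally required, while the access control lives in `packet_allowed`, which never lets an Internet-side datagram through even though the socket accepted it. That per-packet filter is application-level, so the host firewall rule Thomas recommends remains the layer that keeps such packets off the socket in the first place.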