You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
124 lines
4.4 KiB
124 lines
4.4 KiB
<HTML>
|
|
<!-- SECTION: Getting Started -->
|
|
<HEAD>
|
|
<TITLE>Server Security</TITLE>
|
|
<LINK REL="STYLESHEET" TYPE="text/css" HREF="../cups-printable.css">
|
|
</HEAD>
|
|
<BODY>
|
|
|
|
<H1 CLASS="title">Server Security</H1>
|
|
|
|
<P>In the default "standalone" configuration, there are few
|
|
potential security risks - the CUPS server does not accept remote
|
|
connections, and only accepts shared printer information from the
|
|
local subnet. When you share printers and/or enable remote
|
|
administration, you expose your system to potential unauthorized
|
|
access. This help page provides an analysis of possible CUPS
|
|
security concerns and describes how to better secure your
|
|
server.</P>
|
|
|
|
<H2 CLASS="title"><A NAME="AUTHENTICATION">Authentication Issues</A></H2>
|
|
|
|
<P>When you enable remote administration, the server will use Basic authentication for administration tasks. The current CUPS server supports Basic, Kerberos, and local certificate authentication:</P>
|
|
|
|
<OL>
|
|
|
|
<LI>Basic authentication essentially places the clear
|
|
text of the username and password on the network.
|
|
|
|
<P>Since CUPS uses the system username and password
|
|
account information, the authentication information could
|
|
be used to gain access to possibly privileged accounts on
|
|
the server.</P>
|
|
|
|
<P><B>Recommendation:</B> Enable encryption to hide the
|
|
username and password information - this is the default on
|
|
macOS and systems with GNU TLS installed.</P></LI>
|
|
|
|
<LI>Local certificate authentication passes 128-bit
|
|
"certificates" that identify an authenticated user.
|
|
Certificates are created on-the-fly from random data and
|
|
stored in files under <VAR>/var/run/cups/certs</VAR>.
|
|
They have restricted read permissions: root +
|
|
system-group(s) for the root certificate, and lp + lp
|
|
for CGI certificates.
|
|
|
|
<P>Because certificates are only available on the local
|
|
system, the CUPS server does not accept local
|
|
authentication unless the client is connected to the
|
|
loopback interface (127.0.0.1 or ::1) or domain
|
|
socket.</P>
|
|
|
|
<P><B>Recommendation:</B> Ensure that unauthorized users
|
|
are not added to the system group(s).</P></LI>
|
|
|
|
</OL>
|
|
|
|
<H2 CLASS="title"><A NAME="DOS">Denial of Service Attacks</A></H2>
|
|
|
|
<P>When printer sharing or remote administration is enabled, the
|
|
CUPS server, like all Internet services, is vulnerable to a
|
|
variety of denial of service attacks:</P>
|
|
|
|
<OL>
|
|
|
|
<LI>Establishing multiple connections to the server until
|
|
the server will accept no more.
|
|
|
|
<P>This cannot be protected against by any known
|
|
software. The <CODE>MaxClientsPerHost</CODE> directive
|
|
can be used to configure CUPS to limit the number of
|
|
connections allowed from a single host, however that does
|
|
not prevent a distributed attack.</P>
|
|
|
|
<P><B>Recommendation:</B> Limit access to trusted systems
|
|
and networks.</P></LI>
|
|
|
|
<LI>Repeatedly opening and closing connections to the
|
|
server as fast as possible.
|
|
|
|
<P>There is no easy way of protecting against this in the
|
|
CUPS software. If the attack is coming from outside the
|
|
local network, it may be possible to filter such an
|
|
attack. However, once the connection request has been
|
|
received by the server it must at least accept the
|
|
connection to find out who is connecting.</P>
|
|
|
|
<P><B>Recommendation:</B> None.</P></LI>
|
|
|
|
<LI>Sending partial IPP requests; specifically, sending
|
|
part of an attribute value and then stopping
|
|
transmission.
|
|
|
|
<P>The current code will wait up to 1 second before
|
|
timing out the partial value and closing the connection.
|
|
This will slow the server responses to valid requests and
|
|
may lead to dropped browsing packets, but will otherwise
|
|
not affect the operation of the server.</P>
|
|
|
|
<P><B>Recommendation:</B> Block IPP packets from foreign
|
|
or untrusted networks using a router or
|
|
firewall.</P></LI>
|
|
|
|
<LI>Sending large/long print jobs to printers, preventing
|
|
other users from printing.
|
|
|
|
<P>There are limited facilities for protecting against
|
|
large print jobs (the <CODE>MaxRequestSize</CODE>
|
|
attribute), however this will not protect printers from
|
|
malicious users and print files that generate hundreds or
|
|
thousands of pages.</P>
|
|
|
|
<P><B>Recommendation:</B> Restrict printer access to
|
|
known hosts or networks, and add user-level access
|
|
controls as needed for expensive printers.</P></LI>
|
|
|
|
</OL>
|
|
|
|
<H2 CLASS="title"><A NAME="ENCRYPTION">Encryption Issues</A></H2>
|
|
|
|
<P>CUPS supports 128-bit TLS encryption of network connections via the GNU TLS library, macOS Security framework, and Windows Schannel APIs. Secure deployment of TLS depends on proper certificate management and software maintenance.</P>
|
|
|
|
</BODY>
|
|
</HTML>
|