1<HTML> 2<!-- SECTION: Getting Started --> 3<HEAD> 4 <TITLE>Server Security</TITLE> 5 <LINK REL="STYLESHEET" TYPE="text/css" HREF="/cups-printable.css"> 6</HEAD> 7<BODY> 8 9<H1 CLASS="title">Server Security</H1> 10 11<P>In the default "standalone" configuration, there are few 12potential security risks - the CUPS server does not accept remote 13connections, and only accepts shared printer information from the 14local subnet. When you share printers and/or enable remote 15administration, you expose your system to potential unauthorized 16access. This help page provides an analysis of possible CUPS 17security concerns and describes how to better secure your 18server.</P> 19 20<H2 CLASS="title"><A NAME="AUTHENTICATION">Authentication Issues</A></H2> 21 22<P>When you enable remote administration, the server will use 23Basic authentication for administration tasks. The current CUPS 24server supports Basic, Digest, Kerberos, and local certificate 25authentication:</P> 26 27<OL> 28 29 <LI>Basic authentication essentially places the clear 30 text of the username and password on the network. 31 32 <P>Since CUPS uses the system username and password 33 account information, the authentication information could 34 be used to gain access to possibly privileged accounts on 35 the server.</P> 36 37 <P><B>Recommendation:</B> Enable encryption to hide the 38 username and password information - this is the default on 39 MacOS X and systems with GNU TLS or OpenSSL installed.</P></LI> 40 41 <LI>Local certificate authentication passes 128-bit 42 "certificates" that identify an authenticated user. 43 Certificates are created on-the-fly from random data and 44 stored in files under <VAR>/var/run/cups/certs</VAR>. 45 They have restricted read permissions: root + 46 system-group(s) for the root certificate, and lp + lp 47 for CGI certificates. 48 49 <P>Because certificates are only available on the local 50 system, the CUPS server does not accept local 51 authentication unless the client is connected to the 52 loopback interface (127.0.0.1 or ::1) or domain 53 socket.</P> 54 55 <P><B>Recommendation:</B> Ensure that unauthorized users 56 are not added to the system group(s).</P></LI> 57 58</OL> 59 60<H2 CLASS="title"><A NAME="DOS">Denial of Service Attacks</A></H2> 61 62<P>When printer sharing or remote administration is enabled, the 63CUPS server, like all Internet services, is vulnerable to a 64variety of denial of service attacks:</P> 65 66<OL> 67 68 <LI>Establishing multiple connections to the server until 69 the server will accept no more. 70 71 <P>This cannot be protected against by any known 72 software. The <CODE>MaxClientsPerHost</CODE> directive 73 can be used to configure CUPS to limit the number of 74 connections allowed from a single host, however that does 75 not prevent a distributed attack.</P> 76 77 <P><B>Recommendation:</B> Limit access to trusted systems 78 and networks.</P></LI> 79 80 <LI>Repeatedly opening and closing connections to the 81 server as fast as possible. 82 83 <P>There is no easy way of protecting against this in the 84 CUPS software. If the attack is coming from outside the 85 local network, it may be possible to filter such an 86 attack. However, once the connection request has been 87 received by the server it must at least accept the 88 connection to find out who is connecting.</P> 89 90 <P><B>Recommendation:</B> None.</P></LI> 91 92 <LI>Sending partial IPP requests; specifically, sending 93 part of an attribute value and then stopping 94 transmission. 95 96 <P>The current code will wait up to 1 second before 97 timing out the partial value and closing the connection. 98 This will slow the server responses to valid requests and 99 may lead to dropped browsing packets, but will otherwise 100 not affect the operation of the server.</P> 101 102 <P><B>Recommendation:</B> Block IPP packets from foreign 103 or untrusted networks using a router or 104 firewall.</P></LI> 105 106 <LI>Sending large/long print jobs to printers, preventing 107 other users from printing. 108 109 <P>There are limited facilities for protecting against 110 large print jobs (the <CODE>MaxRequestSize</CODE> 111 attribute), however this will not protect printers from 112 malicious users and print files that generate hundreds or 113 thousands of pages.</P> 114 115 <P><B>Recommendation:</B> Restrict printer access to 116 known hosts or networks, and add user-level access 117 controls as needed for expensive printers.</P></LI> 118 119</OL> 120 121<H2 CLASS="title"><A NAME="ENCRYPTION">Encryption Issues</A></H2> 122 123<P>CUPS supports 128-bit TLS encryption of network connections via the GNU TLS library, OS X Security framework, and Windows SSPI APIs. Secure deployment of TLS depends on proper certificate management and software maintenance.</P> 124 125</BODY> 126</HTML> 127