upnp pro and con?


  • This topic has 5 replies, 4 voices, and was last updated Mar 18-8:01 pm by Anonymous.
  • #55502
    Member
    stevesr0

      Today when I ran apt update && apt full-upgrade, an update of libupnp6 was displayed. I installed this, but it made me wonder if it is a good idea to have upnp on my computer (or on my router).

      In the past, I have heard that it is advisable to disable upnp on routers unless you have a specific need for it, because it represents an attack point.

      I assume from a brief looksee on the internet that upnp is required on both the host/device and the router to be of use.

      Since it is in the repository, I assume that it is considered a useful tool.

      Appreciate comments on this. I am open to disabling this on both the computers and the router, as long as the risk is significant and manual management of ports is not a problem in itself.

      Thanks

      stevesr0

      #55505
      Anonymous

        I do consider uPNP to be a worrisome potential source of vulnerability and
        (I reckon the libupnp6 on antiX17 here got installed as a dependency of amule)
        have deleted its files and placed a hold on the libupnp6 package to preclude reinjection of those files via upgrades.

        Cumulatively, they are probably less than 1MB. So, unless you are certain (as I am) that they’ll never be needed/used on the system, maybe you would prefer to just hide (security by obscurity) its binaries:

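        #!/bin/bash
        ###  ref https://packages.debian.org/stretch/amd64/libupnp6/filelist
        ###  run as root: renames each libupnp6 file so it can no longer be loaded by name
        for yuk in \
        /usr/lib/x86_64-linux-gnu/libixml.so.2             \
        /usr/lib/x86_64-linux-gnu/libixml.so.2.0.8         \
        /usr/lib/x86_64-linux-gnu/libthreadutil.so.6       \
        /usr/lib/x86_64-linux-gnu/libthreadutil.so.6.0.4   \
        /usr/lib/x86_64-linux-gnu/libupnp.so.6             \
        /usr/lib/x86_64-linux-gnu/libupnp.so.6.3.3; do
            # skip entries that are absent or were already renamed
            [ -e "$yuk" ] || [ -L "$yuk" ] || continue
            mv -- "$yuk" "${yuk}._RENAMED"
        done

        # keep apt from putting the files back on upgrade
        apt-mark hold libupnp6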

        Since it is in the repository, I assume that it is considered a useful tool.

        Yeah, well… some people consider “gnome-maps” to be a useful tool and they are not averse to the fact that gnome-maps depends on “geoclue” and is set to surreptitiously ping google geolocation server. (BTW the gnome-y chat program “empathy” also does this.)

        #55532
        Member
        stevesr0

          Thanks, skidoo.

          libupnp6 is a dependency for vlc base plugins. So VLC shouldn’t work with that being disabled or purged, I guess.

          I use VLC so I won’t remove libupnp6. The associated files you listed, are not listed as dependencies for VLC base plugins, so hiding them might not interfere with it.

          Are you currently using VLC (or even have it installed)?

          Having disabled upnp, do you manually manage port forwarding for any services for your devices?
          (I understand that to be the negative aspect of disabling it on the network devices and the router.)

          If yes, (a) is that a continual task (enabling/disabling) and (b) do you do this in a way to minimize the security risk said to be associated?

          stevesr0

          • This reply was modified 2 years, 2 months ago by stevesr0.
          #55972
          Member
          wildstar84

            I’m on testing, and was able to remove libupnp6, but there’s also a libupnp13, which vlc seems to require, so had to leave this one installed.

            #55979
            Member
            Robin

              Maybe I’m a little old school in these matters, but I think you should consider UPNP as a security risk in any case.
              Do you know the whitepaper “Security Flaws in Universal Plug and Play: Unplug, Don’t Play”?
              At least you should make sure UPNP is blocked from outside in your network, when you really want to install it.
              The risks are not outdated by now:
              Millions of UPNP devices containing security concern (June 2020, German language)
              So please consider carefully whether you really need UPNP. It is unsafe by design.

              Interesting question: Does vlc really need upnp?

              Anyway, I believe you can minimise the risk by manually managing (opening and closing) ports as needed, both on your router and on your PC. Open them within your LAN only for the time they are really in use, and never open them to the internet.

              Windows is like a submarine. Open a window and serious problems will start.

              #55991
              Anonymous

                so had to leave this one installed.

                Does vlc really need upnp?

                Yeah, that “had to” remark isn’t very enlightening.
                In the absence of /path/to/the_upnp_executable(s) {{{or, replace ’em with 0byte dummy files}}} I expect vlc would not notice & would load n run just fine, unless one were to visit the configuration panel and populate/configure uPNP details, attempting to use that “feature”.
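
Added example (not part of any post in this thread): one way to check the question raised above, whether a running program such as VLC actually has libupnp loaded, is to look for the library in each process's memory map under /proc. The function name procs_mapping_lib and its optional second argument (an alternative root directory, used for testing against a constructed tree) are assumptions of this example.

```bash
#!/bin/bash
# procs_mapping_lib <substring> [proc_root]
# Prints "<pid> <command name>" for every process whose memory map
# contains a file path matching <substring>.
# proc_root defaults to /proc; it is a parameter only so the function
# can be run against a constructed directory tree.
procs_mapping_lib() {
    local pattern="$1" root="${2:-/proc}" dir pid name
    for dir in "$root"/[0-9]*; do
        # Skip entries without a readable maps file (e.g. the glob did
        # not match, or the process exited meanwhile).
        [ -r "$dir/maps" ] || continue
        # -F: match the pattern as a fixed string, not a regex.
        # Reading another user's maps needs root; errors are ignored.
        if grep -qF -- "$pattern" "$dir/maps" 2>/dev/null; then
            pid="${dir##*/}"
            name="$(cat "$dir/comm" 2>/dev/null)"
            printf '%s %s\n' "$pid" "${name:-unknown}"
        fi
    done
}

# Report for the library discussed in this thread. Start VLC first,
# then run this as root to see all processes. The substring also
# matches files renamed to libupnp.so.*._RENAMED.
hits="$(procs_mapping_lib 'libupnp.so' || true)"
if [ -n "$hits" ]; then
    echo "Processes with libupnp mapped:"
    echo "$hits"
else
    echo "No running process has libupnp mapped."
fi
```

An empty result while VLC is playing local files suggests the library is only pulled in when the UPnP discovery feature is actually used; a hit means the code is resident in that process and renaming the files will affect it on next start.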
