---
title: "Securing dhcpd against unauthorized OMAPI control connections"
slug: "aa-01355"
description: "ISC DHCP has support for OMAPI, the Object Mapping Application Protocol Interface. Servers should be protected if OMAPI is enabled."
tags: ["isc dhcp"]
updated: 2018-10-29T21:51:31Z
published: 2018-10-29T21:51:32Z
canonical: "kb.isc.org/aa-01355"
---

# Securing dhcpd against unauthorized OMAPI control connections

ISC DHCP has support for OMAPI, the Object Mapping Application Protocol Interface. OMAPI is an API that can be used for limited control over ISC DHCP server operations. ISC DHCP also includes `omshell`, a utility which will communicate with the server (if the server is configured to accept OMAPI connections) on the server's control port.

If an OMAPI port is defined in `dhcpd.conf`, then **dhcpd** will open a listening socket on that port and will accept inbound connections. 

@(Warning)(The DHCP server does not provide a mechanism to reject incoming OMAPI connections based on source address)(It is therefore recommended that if operators choose to enable OMAPI, they protect their servers by using another mechanism (such as a network firewall) to restrict access to the OMAPI port to connections only from trusted hosts.)

If you do not intend to use the OMAPI control port, then we recommend that you ensure that you have not enabled it on your ISC DHCP servers.

OMAPI is not enabled by default, but many sample configurations contain syntax that enables it:

```
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#

omapi-port 7911;
omapi-key omapi_key;

key omapi_key {
     algorithm hmac-md5;
     secret Ofakekeyfakekeyfakekey==;
}
```

Note that in the example above, a secret key has also been specified. It is important to use a key so that **dhcpd** can only be controlled by someone running `omshell` or another client program using that same secret key.

@(Warning)(OMAPI allows control over server state, including the ability to shut the server down remotely)(Shared keys are the mechanism that the DHCP server uses to verify incoming OMAPI requests from `omshell` or an OMAPI client program. If you are running a public-facing ISC DHCP server, you are strongly advised to use both network firewalls (to control which source addresses can connect to the OMAPI control channel) and shared keys (to ensure that only authorized clients can give commands on the OMAPI channel.))
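The following added example (not ISC code) audits the text of a `dhcpd.conf` for the two conditions discussed above: whether `omapi-port` is enabled, and whether an `omapi-key` with a matching `key` block is configured. The function names and the sample configurations are constructed for illustration; the check reads only the text it is given and does not follow `include` statements.

```python
import re

# Constructed sample inputs (not taken from a real server).
SAMPLE_KEYED = """\
# dhcpd.conf
omapi-port 7911;
omapi-key omapi_key;

key omapi_key {
     algorithm hmac-md5;
     secret Ofakekeyfakekeyfakekey==;
}
"""
SAMPLE_UNKEYED = "omapi-port 7911;  # no omapi-key statement\n"
SAMPLE_DISABLED = "# omapi-port 7911;\nsubnet 192.0.2.0 netmask 255.255.255.0 { }\n"


def strip_comments(text):
    """Drop '#' comments, leaving '#' inside quoted strings intact."""
    out = []
    for line in text.splitlines():
        in_quote = False
        for i, ch in enumerate(line):
            if ch == '"':
                in_quote = not in_quote
            elif ch == "#" and not in_quote:
                line = line[:i]
                break
        out.append(line)
    return "\n".join(out)


def audit_omapi(conf_text):
    """Return (port, key_name, findings) for one dhcpd.conf text."""
    text = strip_comments(conf_text)
    port = re.search(r"(?<![\w-])omapi-port\s+(\d+)\s*;", text)
    if not port:
        return None, None, ["OMAPI not enabled: no omapi-port statement"]
    findings = [f"OMAPI listening on TCP {port.group(1)}: restrict this port "
                "to trusted hosts with a firewall (dhcpd cannot filter by source)"]
    key = re.search(r"(?<![\w-])omapi-key\s+\"?([\w.-]+)\"?\s*;", text)
    if not key:
        findings.append("no omapi-key: OMAPI requests are not verified with a shared key")
        return int(port.group(1)), None, findings
    name = key.group(1)
    if not re.search(r"(?<![\w-])key\s+\"?" + re.escape(name) + r"\"?\s*\{", text):
        findings.append(f"omapi-key '{name}' has no matching key {{ }} block")
    return int(port.group(1)), name, findings
```

Even a fully keyed configuration still produces the firewall finding, because the key controls who may issue commands but not which source addresses may connect.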
