[ale] hosts.deny and portmap

Dow Hurst dhurst at kennesaw.edu
Wed Dec 26 08:41:23 EST 2001


Jimmie,
Portmap is an RPC service that runs under UDP.  So TCP wrappers doesn't have any effect on it.  UDP is inherently insecure so a firewall is your only good way to protect that service.  All RPC based programs will register with the portmap program upon startup.  So any fam, File Alteration Monitor, or famd will depend on it.  Such legacy programs as rstatd, snoopd, NFS, NIS can all depend on the portmapper.  The portmap program does exactly what its name indicates.  It maps the RPC program number to the registered program's name.  It passes that info to any request over the network using UDP.  Only the newer TCP based NFS will use TCP instead of UDP, however, the portmap program always uses UDP AFAIK.  Block port 111 from Internet access completely using a firewall.  Good luck,
Dow


>>> Jimmie Fulton <JFulton at ehso.emory.edu> 12/23/01 18:57 PM >>>
Sorry Geoffrey for sending twice...

I thought about removing portmap altogether, but I didn't know what else may
depend on it.  What other service might use portmap besides NIS and NFS?

-----Original Message-----
From: Geoffrey [mailto:esoteric at 3times25.net]
To: ale at ale.org
Sent: Sunday, December 23, 2001 11:08 AM
To: Jimmie Fulton
Cc: 'ale at ale.org'
Subject: Re: [ale] hosts.deny and portmap


This is a guess, but I'd suspect that if you want the ports not to show
up, you'll need to turn off portmap altogether.

Understand, that before that machine can determine it's going to deny a
particular connection, it needs to get the ip to compare it to the
deny/allow files, therefore the port must be available in order to do
so.  Now, it would make sense to me that if you have 'deny all' set,
that it wouldn't bother but I suspect this is not the case.

If you're not using portmap, remove it, take it out of your services
file.

Jimmie Fulton wrote:
> 
> I was reading through the nfs-howto about securing portmap.  I have tried:
> portmap: ALL
> and /or
> ALL: ALL
> 
> in hosts.deny; my hosts.allow is blank.  Even still rpcinfo -p from any host
> still lists the available ports.  man portmap says to use hosts.allow and
> hosts.deny for security.
> 
> The nfs-howto also suggests a strings on portmap for hosts.allow and
> hosts.deny to see if it uses them.  Neither of those strings show up.
> 
> This system is a currently updated Debian Woody.  Any ideas on why
> hosts.deny doesn't seem to work for portmap?
> 
> Thanks
> 
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> sent to listmaster at ale dot org.

--
Until later: Geoffrey		esoteric at 3times25.net

"...the system (Microsoft passport) carries significant risks to users that
are not made adequately clear in the technical documentation available."
- David P. Kormann and Aviel D. Rubin, AT&T Labs - Research
- http://www.avirubin.com/passport.html




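The thread turns on what the entries in hosts.allow and hosts.deny actually mean and on the fact that a daemon only honours them if it is built against the TCP wrappers library (the strings check in the original question was looking for exactly that). The following evaluator is an added illustration written for this archive page; it is not code from the list, from Debian, or from the tcp_wrappers project. It implements the hosts_access(5) subset that matters here (ALL, daemon names, a leading-dot hostname suffix, a trailing-dot address prefix, net/mask in dotted or CIDR form, and EXCEPT) with tcpd's lookup order: the first matching hosts.allow entry grants, otherwise the first matching hosts.deny entry refuses, otherwise access is granted. The sample rule files are constructed; the first pair reproduces the poster's setup of an empty hosts.allow and "portmap: ALL" in hosts.deny.

```python
"""Evaluator for TCP wrappers hosts.allow / hosts.deny access rules.

Added illustration, not code from the ALE thread or from tcp_wrappers.
Whether a daemon consults these files at all is a property of the
binary (it must be started via tcpd or linked with libwrap); this code
only shows what a given rule set would decide if it were consulted.
"""
import ipaddress


def parse_rules(text):
    """Parse a hosts.allow/hosts.deny body into (daemon_list, client_list) pairs.

    Comments and blank lines are dropped; an optional third shell-command
    field is ignored.  Backslash line continuations are not handled.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule (need 'daemons : clients'): {raw!r}")
        rules.append((fields[0], fields[1]))
    return rules


def _match_client(token, name, ip):
    """Does one client-list token match a client with this hostname and address?"""
    if token == "ALL":
        return True
    if token.startswith("."):                # hostname suffix, e.g. .example.org
        return name.endswith(token)
    if token.endswith("."):                  # dotted address prefix, e.g. 192.168.
        return ip.startswith(token)
    if "/" in token:                         # net/mask: dotted mask or CIDR prefix
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(token, strict=False)
        except ValueError:
            return False
    return token in (name, ip)               # exact hostname or address


def _match_list(spec, token_matches):
    """Evaluate a space-separated list with 'list_1 EXCEPT list_2' semantics.

    EXCEPT nests to the right, as in hosts_access(5):
    'a EXCEPT b EXCEPT c' means a EXCEPT (b EXCEPT c).
    """
    parts = spec.split()
    if "EXCEPT" in parts:
        i = parts.index("EXCEPT")
        left, right = parts[:i], " ".join(parts[i + 1:])
        return any(token_matches(t) for t in left) and not _match_list(right, token_matches)
    return any(token_matches(t) for t in parts)


def access_decision(daemon, client_name, client_ip, allow_text, deny_text):
    """Return (allowed, reason) for one daemon/client pair under the given files."""
    def rule_hits(daemons, clients):
        return (_match_list(daemons, lambda t: t in ("ALL", daemon))
                and _match_list(clients, lambda t: _match_client(t, client_name, client_ip)))

    for daemons, clients in parse_rules(allow_text):   # allow file wins first
        if rule_hits(daemons, clients):
            return True, f"hosts.allow: {daemons}: {clients}"
    for daemons, clients in parse_rules(deny_text):    # then the deny file
        if rule_hits(daemons, clients):
            return False, f"hosts.deny: {daemons}: {clients}"
    return True, "no matching entry (default allow)"   # tcpd's default


# Constructed sample files.  POSTER_* reproduces the thread's setup: an empty
# hosts.allow and 'portmap: ALL' in hosts.deny.
POSTER_ALLOW = ""
POSTER_DENY = "portmap: ALL\n"

# STRICT_*: deny everything by default, then admit the LAN to every wrapped
# daemon except a (hypothetical) wrapped finger service.
STRICT_ALLOW = "ALL EXCEPT in.fingerd: 192.168.1. 10.0.0.0/255.0.0.0\n"
STRICT_DENY = "ALL: ALL\n"


if __name__ == "__main__":
    cases = [
        ("portmap", "host.example.org", "203.0.113.9", POSTER_ALLOW, POSTER_DENY),
        ("sshd", "host.example.org", "203.0.113.9", POSTER_ALLOW, POSTER_DENY),
        ("sshd", "pc1.lan", "192.168.1.20", STRICT_ALLOW, STRICT_DENY),
        ("sshd", "host.example.org", "203.0.113.9", STRICT_ALLOW, STRICT_DENY),
        ("in.fingerd", "pc1.lan", "192.168.1.20", STRICT_ALLOW, STRICT_DENY),
    ]
    for daemon, name, ip, allow, deny in cases:
        ok, why = access_decision(daemon, name, ip, allow, deny)
        print(f"{daemon:10} {ip:15} -> {'allow' if ok else 'deny':5} ({why})")
```

Under the poster's rules the evaluator refuses portmap for every client and leaves every other wrapped daemon open, which is what the hosts.deny entry is meant to do; if rpcinfo -p still answers from a remote host, the rules are not the problem, the daemon is not consulting them. The STRICT pair shows the usual hardening shape, deny by default and whitelist by network, and how EXCEPT carves one daemon out of an ALL entry.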





