On Mon, 19 Mar 2001, Devdas Bhagat wrote:
> Port 111 is for the rpc.statd daemon, required for NFS and related
> services. There was a rash of rpc.statd exploits sometime back (hint
> bugtraq). If you don't run rpc.statd (portmap), you have no need to
> worry about this.
i want to follow up on this really quickly.
portmapper services are often started at boot time by many UNIX
installations, even though the user will in all likelihood not be using
those protocols (NFS, NIS, and other RPC tools). example, while i *love*
openbsd with all of my heart, this is what shows up by default:
$ grep portmap /etc/rc.conf
portmap=YES # almost always needed
change that to a NO, i disagree with the statement that it's always
needed. (rc.conf on NetBSD and OpenBSD, don't know about FreeBSD, controls
what gets started at boot.) almost every casual home user i know of
doesn't set up NFS or NIS, hence my disagreement with the 'almost always
needed'. Linux, IRIX, etc ... all of them, i think, also start portmapper
by default.
it's inherently insecure, not just from a coding standpoint, but also the
protocols themselves. while NFS v4 and NIS+ strove to improve that,
they're not widely adopted, leaving their weak authentication cousins (ie
NFS v3 and NIS) in widespread deployment.
for these above reasons i strongly encourage you to filter 111/TCP (and
other portmapper related ports, ie Sun uses some high numbered ones) at
your border, and on hosts not using it make sure it's disabled.
____________________________
jose nazario [EMAIL PROTECTED]
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)
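As an added example (not part of the original post or of any BSD's rc scripts), a small sh audit that reads the portmap knob from an rc.conf-style file the way the boot shell does, so the trailing "# almost always needed" comment that a bare grep shows is not mistaken for part of the value. The file path and the rc.conf fragment are constructed for the demo.

```shell
#!/bin/sh
# Audit an rc.conf-style file for the portmap setting (added example).
# rc.conf is sourced by the boot shell: the last assignment wins, a trailing
# "# comment" is ignored, and the value may be wrapped in double quotes.

# rc_value FILE VAR: print the effective value of VAR in FILE (empty if unset).
rc_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" |
        sed -e 's/[[:space:]]*#.*$//' -e 's/^"//' -e 's/"$//' |
        tail -n 1
}

# portmap_enabled FILE: exit 0 when portmap will be started at boot, 1 otherwise.
# rc.d treats NO as off and anything else (YES, or a string of flags) as on.
portmap_enabled() {
    val=$(rc_value "$1" portmap)
    case "$val" in
        ""|NO|no) return 1 ;;
        *)        return 0 ;;
    esac
}

# Demo on a constructed fragment mirroring the default quoted in the thread.
demo_conf=$(mktemp)
printf 'portmap=YES # almost always needed\nnfs_server=NO\n' > "$demo_conf"
if portmap_enabled "$demo_conf"; then
    echo "portmap is enabled (value: $(rc_value "$demo_conf" portmap));"
    echo "set portmap=NO on hosts that do not use NFS/NIS"
fi
rm -f "$demo_conf"
```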