On 6/24/06, Clint Pachl <[EMAIL PROTECTED]> wrote:
> Scott Francis wrote:
>> On 6/23/06, Theo de Raadt <[EMAIL PROTECTED]> wrote:
>> [snip]
>>> > http://www.freebsd.org/cgi/man.cgi?query=mountd
>>> >
>>> > It's definitely possible (Free and Net both offer the -p option).
>>>
>>> I think that is completely ridiculous.  Hardcoding RPC utilities
>>> to non-random ports .... to try to tie it to something else, to increase
>>> your security.
>>>
>>> Come on.  By the time you have to do that, please just compile your own
>>> version of mountd with a diff.
>>
>> *nod* I had not considered the random port allocation as a security
>> feature - makes sense though. In my case, I'm running pf on a host
>> that's already internal for some reporting (pfstat) and as an extra
>> layer of filtering in case something gets through the primary firewall
>> that shouldn't (belt + suspenders, etc.). It has since occurred to me
>> that this might be a good candidate for authpf, and that's probably
>> what I'll end up doing - hosts that need access to NFS can get it with
>> authpf and an extra pf rule.
>>
>> Thanks for clearing up the why.
>
> I guess I still don't understand the port randomization as a security
> tactic in this situation. Can't a port scan or traffic dump reveal the
> mountd port?

Sure, but the script kiddies looking for places to attack are more
likely to go after someone who has hardcoded a port. It's security by
obscurity.

-Nick