[Gllug] nmap

Nix nix at esperi.demon.co.uk
Tue Jan 29 22:15:46 UTC 2002


On Tue, 29 Jan 2002, Tom Gilbert stated:
> For the printer and samba, you can make them listen to only an internal
> address. Good luck trying that for sunrpc (the portmapper), that thing
> is a massive source of exploits, so I suggest you find a way to lose it.

The first feature in the README for portmap-5beta is

,----
| - optional: host access control. The local host is always considered
| authorized. Access control requires the libwrap.a library that comes
| with recent tcp wrapper (log_tcp) implementations.
`----

With that compiled in, and sane (i.e. draconian) access rules, and
firewall rules to prevent the obvious classes of IP address spoofing,
the portmapper should be as secure as any other tcp-wrapped service (and
tcp-wrappers is pretty damn bulletproof).

> Either don't run rpc-based services (e.g an nfs server) on an internet
> facing machine, or install a firewall to block those ports - which you
> should probably do anyway.

You can port block too :) Of course, I do all three of the above (er,
except for not running it; it's hard to not run it and run it at the
same time).

> sshd, httpd, fine.

except that both of these have had more security holes reported than
tcp-wrappers; I've had 216.140.210.34, root at 217.158.66.79 (twice) in the
last day alone.

-- 
`However, if you want to detect whether (say, 1 in 1000) cars are being
 abducted by bunnies along their route, you've got a whole new problem.'
                              - Scott James Remnant on network problems
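The access-control mechanism the post leans on is tcp_wrappers' hosts_access() decision: hosts.allow is searched first and a match grants access, hosts.deny is searched next and a match refuses access, and if neither file matches the connection is admitted. That last default is the reason "draconian" rules need an explicit `ALL : ALL` in hosts.deny. The following is an added example, written for this page and not code from the original post, from tcp_wrappers or from portmap; it is a small Python model of that decision order, with a constructed sample policy (the 192.168.1.0/24 LAN and the 203.0.113.7 outsider are made-up addresses, and the function names are mine). Only IP-based client patterns are modelled (ALL, exact address, dotted prefix, net/mask and EXCEPT); hostname-based forms such as LOCAL and KNOWN, and the optional shell-command field, are left out.

```python
"""Toy model of tcp_wrappers host access control for a libwrap-enabled portmap.

Added example; not code from the original post, from tcp_wrappers or from
portmap.  Follows the hosts_access(5) order: hosts.allow first (match ->
allow), hosts.deny second (match -> deny), no match anywhere -> allow.
"""
import ipaddress


def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) token lists.

    '#' comments and blank lines are skipped; tokens may be separated by
    commas or whitespace, as in hosts_access(5).
    """
    rules = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(':', 1)
        rules.append((daemons.replace(',', ' ').split(),
                      clients.replace(',', ' ').split()))
    return rules


def _match_list(tokens, item, match_one):
    """'list_1 EXCEPT list_2' matches when list_1 matches and list_2 does not."""
    if 'EXCEPT' in tokens:
        i = tokens.index('EXCEPT')
        return (_match_list(tokens[:i], item, match_one)
                and not _match_list(tokens[i + 1:], item, match_one))
    return any(match_one(t, item) for t in tokens)


def _daemon_matches(pattern, daemon):
    return pattern == 'ALL' or pattern == daemon


def _client_matches(pattern, ip):
    if pattern == 'ALL':
        return True
    if '/' in pattern:                      # net/mask, e.g. 10.0.0.0/255.0.0.0
        return ip in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith('.'):               # dotted prefix, e.g. 192.168.1.
        return str(ip).startswith(pattern)
    return str(ip) == pattern               # exact address


def hosts_access(daemon, client_ip, allow_text, deny_text):
    """Return True if tcp_wrappers would admit client_ip to daemon."""
    ip = ipaddress.ip_address(client_ip)
    for text, verdict in ((allow_text, True), (deny_text, False)):
        for daemons, clients in parse_rules(text):
            if (_match_list(daemons, daemon, _daemon_matches)
                    and _match_list(clients, ip, _client_matches)):
                return verdict
    return True                             # no match in either file: allowed


def portmap_allows(client_ip, allow_text, deny_text):
    """Model of portmap's check: the local host is always authorized (as the
    portmap-5beta README quoted above says); everyone else goes through libwrap."""
    if ipaddress.ip_address(client_ip).is_loopback:
        return True
    return hosts_access('portmap', client_ip, allow_text, deny_text)


# Constructed sample policy (not a real site's configuration): only the
# internal LAN may reach the portmapper, sshd stays open, everything else
# is refused by default.
HOSTS_ALLOW = """
portmap : 192.168.1. EXCEPT 192.168.1.250
sshd    : ALL
"""
HOSTS_DENY = """
ALL : ALL
"""
# The common mistake: an empty hosts.deny, so anything hosts.allow does not
# name is admitted by default.
EMPTY_DENY = ""


if __name__ == '__main__':
    for ip in ('192.168.1.20', '192.168.1.250', '203.0.113.7', '127.0.0.1'):
        print(ip, 'portmap:', portmap_allows(ip, HOSTS_ALLOW, HOSTS_DENY),
              'sshd:', hosts_access('sshd', ip, HOSTS_ALLOW, HOSTS_DENY))
    print('203.0.113.7 with empty hosts.deny:',
          portmap_allows('203.0.113.7', HOSTS_ALLOW, EMPTY_DENY))
```

Run it and the outsider is refused by the portmapper only while hosts.deny carries `ALL : ALL`; with an empty hosts.deny it is admitted. The model also shows why the post pairs the wrapper rules with anti-spoofing firewall rules: a packet arriving on the outside interface with a forged 192.168.1.x source would satisfy the `192.168.1.` pattern just as a genuine LAN host does, so the address-based check is only as good as the filter that stops such packets reaching the daemon.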

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug