Re: Suggestion for an altered portmap package
- From: Steve G <linux_4ever yahoo com>
- To: Development discussions related to Fedora Core <fedora-devel-list redhat com>
- Subject: Re: Suggestion for an altered portmap package
- Date: Wed, 11 Aug 2004 17:37:08 -0700 (PDT)
>As I don't use NFS or NIS on my desktop, either, I've long wanted to be
>able to tell portmap to bind to the loopback interface only, following a
>security principle of making daemons listen to the least possible
>interfaces. There doesn't seem to be a way to do that, so I've tried
>creating an altered portmap package.
Hi,
I am the co-maintainer of xinetd. You should be able to secure portmap without
touching the code. I am not familiar with Fedora or Red Hat's xinetd settings
since I do my own as part of xinetd development. But I use this in /etc/xinetd.d
saved as sgi_fam:
service sgi_fam
{
        type        = RPC UNLISTED
        flags       = NOLIBWRAP
        socket_type = stream
        user        = root
        group       = root
        server      = /usr/bin/fam
        wait        = yes
        protocol    = tcp
        rpc_version = 2
        rpc_number  = 391002
        bind        = 127.0.0.1
}
Then in /etc/hosts.allow, I set:
portmap: 127.0.0.1
I also then use fwbuilder to create an iptables setup that insulates all daemons
except what that machine was designed for.
Does this help? It is trivial to modify portmap to take a command-line argument
and bind to that interface. But a system can be secured without touching
portmapper's code.
-Steve Grubb
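The following is an added example, not code from Steve's message or from the xinetd project. It parses an xinetd.d-style file (a constructed sample containing the sgi_fam entry above plus a hypothetical rsync service with no bind line), reports which services are not restricted to loopback, and applies the hosts.allow/hosts.deny evaluation order from hosts_access(5) (allow file first, then deny file, otherwise access is granted) so the effect of a "portmap: 127.0.0.1" line can be checked against a given client. Note that the bind line in the sgi_fam entry only restricts the socket xinetd opens for fam; it is the hosts.allow line that covers portmap's own socket, and that line only denies anything when paired with a matching hosts.deny entry, which the example assumes is "portmap: ALL". The parser handles "attr = value" lines and "#" comments; "+=" lists, EXCEPT clauses and rule options are out of scope.

```python
"""Audit xinetd services for loopback-only binding and evaluate
tcp_wrappers (hosts.allow / hosts.deny) rules.

Added example; the sample config and the rsync entry are constructed.
"""
import re

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample: the sgi_fam entry from the message plus a
# hypothetical service with no bind line (listens on every interface).
SAMPLE_XINETD = """\
service sgi_fam
{
        type        = RPC UNLISTED
        flags       = NOLIBWRAP
        socket_type = stream
        user        = root
        group       = root
        server      = /usr/bin/fam
        wait        = yes
        protocol    = tcp
        rpc_version = 2
        rpc_number  = 391002
        bind        = 127.0.0.1
}

# hypothetical service, not bound to any particular address
service rsync
{
        socket_type = stream
        wait        = no
        user        = root
        server      = /usr/bin/rsync
        server_args = --daemon
}
"""


def parse_xinetd(text):
    """Return {service_name: {attribute: value}} for each service block."""
    services, current, name = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^service\s+(\S+)$", line)
        if m:
            name, current = m.group(1), {}
            continue
        if line == "{":
            continue
        if line == "}":
            services[name] = current
            current = None
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return services


def not_loopback_only(services):
    """Names of services whose listening address is not loopback.

    xinetd accepts 'bind' or its synonym 'interface'; a service with
    neither attribute listens on all interfaces."""
    bad = []
    for svc, attrs in services.items():
        addr = attrs.get("bind", attrs.get("interface"))
        if addr not in LOOPBACK:
            bad.append(svc)
    return sorted(bad)


def _matches(pattern_list, value):
    """Match one comma-separated daemon/client list against a value.
    Supports ALL, exact names/addresses and trailing-dot prefixes (10.0.)."""
    for pat in pattern_list.split(","):
        pat = pat.strip()
        if pat == "ALL" or pat == value:
            return True
        if pat.endswith(".") and value.startswith(pat):
            return True
    return False


def _rule_matches(rule, daemon, client):
    """True if a 'daemon_list : client_list [: shell_command]' rule applies."""
    parts = rule.split(":")
    if len(parts) < 2:
        return False
    return _matches(parts[0], daemon) and _matches(parts[1], client)


def tcp_wrappers_decision(daemon, client, hosts_allow, hosts_deny):
    """hosts_access(5) order: a hosts.allow match grants, then a hosts.deny
    match refuses, and with no match in either file access is granted."""
    def rules(lines):
        return [r for r in (l.split("#", 1)[0].strip() for l in lines) if r]
    if any(_rule_matches(r, daemon, client) for r in rules(hosts_allow)):
        return "allow"
    if any(_rule_matches(r, daemon, client) for r in rules(hosts_deny)):
        return "deny"
    return "allow"


if __name__ == "__main__":
    svcs = parse_xinetd(SAMPLE_XINETD)
    print("not loopback-only:", not_loopback_only(svcs))
    allow, deny = ["portmap: 127.0.0.1"], ["portmap: ALL"]
    for client in ("127.0.0.1", "10.0.0.5"):
        print("portmap from", client, "->",
              tcp_wrappers_decision("portmap", client, allow, deny))
    # Without the hosts.deny entry, the allow line alone refuses nothing.
    print("portmap from 10.0.0.5, empty hosts.deny ->",
          tcp_wrappers_decision("portmap", "10.0.0.5", allow, []))
```

Running the script against the real files (`open("/etc/xinetd.d/sgi_fam").read()` and the lines of `/etc/hosts.allow` and `/etc/hosts.deny`) gives a quick check that every xinetd service is pinned to 127.0.0.1 and that the wrapper rules actually refuse a non-loopback client; the last line of output is the case to watch for, since an allow line with no corresponding deny line changes nothing.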