[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: assimilating OpenBSD

On Wed, Feb 07, 2001 at 01:23:57PM +1100, Craig Sanders wrote:
> portmap is not a security problem in debian by default because it
> does not accept connections from anywhere except localhost until you
> configure it to do so. you have to specifically allow connections from
> particular IP addresses (not hostnames) in /etc/hosts.allow.

Hmm. I've never seen the default hosts.deny block the whole world from
connecting to portmap. Are you sure you didn't add such a line yourself?

> mountd and rpc.statd, being rpc services, are also protected by the
> default portmap hosts.allow rules.

Bzzt. An attacker can't use portmap to identify what port they're
listening on, but can still do a full port scan and take a wild guess
(which isn't usually all that wild.) rpc.mountd has its own line in
hosts.allow, but I don't think that's true for statd.

> lpr is a potential problem. don't install it if you don't want it. or
> install lprng or something else instead.

History has shown lprng to have its own problems. If you're doing
network printing I recommend rlpr--just remove that damned suid bit. :)

> the whole notion of secure "out of the box" is flawed, anyway. sure, it
> helps to have a good base system...but accepting the claim at face-value
> can lead to a false sense of security and laziness on the part of the

And claiming that the concept of security out of the box is flawed is a
sign of laziness on the part of those (us) who could do better but do

Mike Stone

Reply to: