Re: assimilating OpenBSD
On Wed, Feb 07, 2001 at 01:23:57PM +1100, Craig Sanders wrote:
> portmap is not a security problem in debian by default because it
> does not accept connections from anywhere except localhost until you
> configure it to do so. you have to specifically allow connections from
> particular IP addresses (not hostnames) in /etc/hosts.allow.
Hmm. I've never seen the default hosts.deny block the whole world from
connecting to portmap. Are you sure you didn't add such a line yourself?
> mountd and rpc.statd, being rpc services, are also protected by the
> default portmap hosts.allow rules.
Bzzt. An attacker can't use portmap to identify what port they're
listening on, but can still do a full port scan and take a wild guess
(which isn't usually all that wild.) rpc.mountd has its own line in
hosts.allow, but I don't think that's true for statd.
> lpr is a potential problem. don't install it if you don't want it. or
> install lprng or something else instead.
History has shown lprng to have its own problems. If you're doing
network printing I recommend rlpr--just remove that damned suid bit. :)
> the whole notion of secure "out of the box" is flawed, anyway. sure, it
> helps to have a good base system...but accepting the claim at face-value
> can lead to a false sense of security and laziness on the part of the
And claiming that the concept of security out of the box is flawed is a
sign of laziness on the part of those (us) who could do better but do
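The thread above turns on which daemons actually have a tcp_wrappers rule: portmap restricted in /etc/hosts.allow, rpc.mountd with its own line, and statd possibly with none. The following POSIX sh script is an added example, not part of the mailing-list message or of Debian's own tooling. It reads a constructed hosts.allow and hosts.deny pair (inlined so it runs offline) and reports, per daemon, whether the first matching rule allows it from some client list, denies it, or whether no rule exists at all (in which case tcp_wrappers grants access). The daemon names `portmap`, `mountd` and `statd` are assumptions about what each program passes to tcp_wrappers; check `hosts_access(5)` and the daemon's manual for the real name before relying on this against live files.

```shell
#!/bin/sh
# Added example: classify tcp_wrappers exposure of RPC daemons.
# The two files below are constructed samples, not Debian defaults.

SAMPLE_ALLOW=$(cat <<'EOF'
# constructed /etc/hosts.allow
portmap: 127.0.0.1
mountd: 192.168.1.0/255.255.255.0
EOF
)

SAMPLE_DENY=$(cat <<'EOF'
# constructed /etc/hosts.deny
ALL: ALL
EOF
)

# rule_for DAEMON RULES
# Print the client list of the first rule whose daemon list contains DAEMON
# (or the wildcard ALL), mirroring tcp_wrappers' first-match semantics.
# Comments are stripped; a daemon list may hold several comma-separated names.
rule_for() {
    printf '%s\n' "$2" | sed 's/#.*//' | awk -F: -v d="$1" '
        NF >= 2 {
            n = split($1, names, "[ \t,]+")
            for (i = 1; i <= n; i++) {
                if (names[i] == d || names[i] == "ALL") {
                    sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2)
                    print $2
                    exit
                }
            }
        }'
}

# exposure DAEMON ALLOW_RULES DENY_RULES
# hosts.allow is consulted first, then hosts.deny; no match in either
# means the daemon is reachable from anywhere tcp_wrappers is concerned.
exposure() {
    allow=$(rule_for "$1" "$2")
    deny=$(rule_for "$1" "$3")
    if [ -n "$allow" ]; then
        echo "allowed-from:$allow"
    elif [ -n "$deny" ]; then
        echo "denied"
    else
        echo "open"
    fi
}

# Daemon names are assumed; substitute whatever the daemon reports to tcp_wrappers.
for daemon in portmap mountd statd; do
    printf '%-8s %s\n' "$daemon" "$(exposure "$daemon" "$SAMPLE_ALLOW" "$SAMPLE_DENY")"
done
```

Running it against the constructed files shows portmap and mountd limited to their client lists and statd falling through to the catch-all deny; delete the `ALL: ALL` line from the sample and statd comes back as `open`, which is exactly the gap the reply points at when a daemon has no line of its own.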