Re: assimilating OpenBSD



On Wed, Feb 07, 2001 at 07:49:00AM -0500, Michael Stone wrote:
> On Wed, Feb 07, 2001 at 01:23:57PM +1100, Craig Sanders wrote:
> > portmap is not a security problem in debian by default because it
> > does not accept connections from anywhere except localhost until you
> > configure it to do so. you have to specifically allow connections
> > from particular IP addresses (not hostnames) in /etc/hosts.allow.
>
> Hmm. I've never seen the default hosts.deny block the whole world
> from connecting to portmap. Are you sure you didn't add such a line
> yourself?

absolutely sure. quite the contrary in fact...i had to add my own
networks to the portmap line in hosts.allow in order to allow them to
connect.

RTFM.

/usr/share/doc/portmap/portmapper.txt.gz

it has worked like this for years.

even if there is no portmap line in hosts.allow, it's still secure. by
default, debian's portmapper will reject any connection UNLESS it is
specifically allowed in hosts.allow.  i.e. portmap's default policy = deny.


> > mountd and rpc.statd, being rpc services, are also protected by the
> > default portmap hosts.allow rules.
>
> Bzzt. An attacker can't use portmap to identify what port they're
> listening on, but can still do a full port scan and take a wild guess
> (which isn't usually all that wild.) rpc.mountd has its own line in
> hosts.allow, but I don't think that's true for statd.

so submit a bug report suggesting that statd needs a hosts.{allow,deny}
entry.  problem solved.


anyone who runs these (in fact, any) network services should be
filtering packets on both their border router *AND* on each host,
anyway. having a firewall is another thing that leads to a false sense
of security IF it is regarded as some kind of magic cure-all - i know
of several sites who thought "we have a firewall so we're safe" but
they changed the firewall rules or temporarily shut it down and were
compromised. a firewall is a good and useful thing but it isn't magic.

> > lpr is a potential problem. don't install it if you don't want it. or
> > install lprng or something else instead.
> 
> History has shown lprng to have its own problems. If you're doing
> network printing I recommend rlpr--just remove that damned suid bit. :)

so don't install it if you don't need it. or install the version that
you think is most secure. 

and filter packets at your border gateway and on the print-server host.

this is elementary network security. anyone who doesn't know or can't
learn this has no business running a system or a network on the
internet. careless or ignorant people will *always* get hacked, there is
no preventing that - think of it as internet evolution in action.


> > the whole notion of secure "out of the box" is flawed, anyway. sure,
> > it helps to have a good base system...but accepting the claim at
> > face-value can lead to a false sense of security and laziness on the
> > part of the
>
> And claiming that the concept of security out of the box is flawed is
> a sign of laziness on the part of those (us) who could do better but
> do not.

no, it's not. it's a statement of fact. "secure out of the box" is an
inherently flawed concept. you don't get "security" just by installing
something, you get "security" by understanding security concepts and
configuring it correctly.

anything else is just the false illusion of security.

anyone who tells you otherwise is probably trying to sell you their own
"magic black box of security +1".

craig

--
craig sanders <cas@taz.net.au>

      GnuPG Key: 1024D/CD5626F0 
Key fingerprint: 9674 7EE2 4AC6 F5EF 3C57  52C3 EC32 6810 CD56 26F0
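The disagreement above turns on how TCP wrapper access control actually decides a connection: a (daemon, client) pair is granted if it matches /etc/hosts.allow, denied if it then matches /etc/hosts.deny, and otherwise granted. That third step is why a daemon with no line in either file (the rpc.statd case raised in the thread) ends up reachable unless hosts.deny carries a catch-all. The following evaluator is an added example, not code from the thread or from Debian's portmap package; it implements that standard libwrap ordering over constructed sample hosts.allow/hosts.deny contents, supports only the ALL, exact-address, dotted-prefix and net/mask client forms (no hostnames, EXCEPT or LOCAL), and models a daemon with a built-in default-deny (as the thread describes Debian's portmap) through the hypothetical `default_deny` parameter.

```python
"""Evaluate TCP wrapper (hosts.allow / hosts.deny) access decisions.

Added example, not part of the original thread. Decision order modelled:
  1. grant if (daemon, client) matches any hosts.allow entry;
  2. else deny if it matches any hosts.deny entry;
  3. else grant, unless the daemon is in `default_deny` (a hypothetical
     knob standing in for a daemon that refuses unless explicitly allowed).
"""
import ipaddress


def parse_rules(text):
    """Parse hosts.allow/hosts.deny text into a list of (daemons, clients)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append((
            [d.strip() for d in daemons.split(",") if d.strip()],
            [c.strip() for c in clients.split(",") if c.strip()],
        ))
    return rules


def client_matches(pattern, client_ip):
    """Match an IPv4 client against one client-list pattern.

    Supported: ALL, an exact address, a dotted prefix such as '192.168.1.',
    and net/mask in dotted-netmask or prefix-length form.
    """
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    if "/" in pattern:
        net = ipaddress.IPv4Network(pattern, strict=False)
        return ipaddress.IPv4Address(client_ip) in net
    return client_ip == pattern


def rule_matches(rule, daemon, client_ip):
    """True if the rule's daemon list and client list both match."""
    daemons, clients = rule
    daemon_ok = any(d in ("ALL", daemon) for d in daemons)
    return daemon_ok and any(client_matches(c, client_ip) for c in clients)


def is_allowed(daemon, client_ip, allow_text, deny_text, default_deny=()):
    """Apply the allow -> deny -> default decision order."""
    if any(rule_matches(r, daemon, client_ip) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, client_ip) for r in parse_rules(deny_text)):
        return False
    return daemon not in default_deny


# Constructed sample configuration: explicit lines for portmap and mountd,
# nothing at all for rpc.statd.
HOSTS_ALLOW = """
# constructed sample hosts.allow
portmap: 127.0.0.1, 192.168.1.
rpc.mountd: 192.168.1.0/255.255.255.0
"""
HOSTS_DENY = """
# constructed sample hosts.deny: per-daemon entries only
portmap: ALL
rpc.mountd: ALL
"""
# Hardened variant: the catch-all makes any daemon without an allow line
# (rpc.statd here) unreachable instead of silently open.
HOSTS_DENY_HARDENED = "ALL: ALL\n"


def audit(daemons, client_ip, allow_text, deny_text):
    """Return {daemon: allowed?} for one client, useful for reviewing a host."""
    return {d: is_allowed(d, client_ip, allow_text, deny_text) for d in daemons}


if __name__ == "__main__":
    svcs = ["portmap", "rpc.mountd", "rpc.statd"]
    print("outside client, per-daemon deny:", audit(svcs, "10.0.0.5", HOSTS_ALLOW, HOSTS_DENY))
    print("outside client, ALL: ALL deny:  ", audit(svcs, "10.0.0.5", HOSTS_ALLOW, HOSTS_DENY_HARDENED))
```

Running it shows rpc.statd reachable from 10.0.0.5 under the per-daemon deny file and blocked under the `ALL: ALL` variant, which is the concrete version of "statd needs a hosts.{allow,deny} entry"; the same check is what a packet filter on the host would enforce independently of how each daemon is linked against libwrap.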