On Fri, Aug 28, 1998 at 01:27:40PM +0200, Olaf Kirch wrote:
> I've got egg on my face... There is a nasty security hole in the
> User-space NFS servers. If you are running an NFS server, please
> upgrade as soon as possible to the latest release,
> nfs-server-2.2beta35.tar.gz, which can be found at
>
> ftp://linux.mathematik.tu-darmstadt.de/pub/linux/people/okir
>
> All previous releases are vulnerable.
>
>
> <Taking off his okir hat and putting on his caldera hat>
>
> Caldera will, after they have passed testing, release fixed RPMs.
> They will be available from
>
> ftp://ftp.caldera.com/pub/OpenLinux/updates/1.2/
>
> Olaf
> --
> Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
> okirat_private     |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
> okirat_private     +-------------------- Why Not?! -----------------------
> UNIX, n.: Spanish manufacturer of fire extinguishers.
>
> --
> ----------------------------------------------------------------------
> Please refer to the information about this list as well as general
> information about Linux security at http://www.aoy.com/Linux/Security.
> ----------------------------------------------------------------------
>
> To unsubscribe:
> mail -s unsubscribe linux-security-requestat_private < /dev/null

Hi,

while we are waiting for a fix, I propose this short script for people
running Linux 2.0. It will use ip input firewalling to stop accesses to
RPC services except from a list of allowed hosts.

The script is self explaining (and gives help with -h).

bye
a.m.

--
Legal Warning: Anyone sending me unsolicited/commercial email WILL be
charged a $100 proof-reading fee. Do NOT send junk email to me - consider
this an official notice: "By US Code Title 47, Sec.227(a)(2)(B), a
computer/modem/printer meets the definition of a telephone fax machine.
By Sec.227(b)(1)(C), it is unlawful to send any unsolicited advertisement
to such equipment.
By Sec.227(b)(3)(C), a violation of the aforementioned Section is
punishable by action to recover actual monetary loss, or $500, whichever
is greater, for each violation."

[attachment: protect_rpc_ports]

#!/bin/sh
# protect_rpc_ports
# by A.Mennucc1 msmat_private Aug 98
# see below for help

RUN=/var/run
p=`basename $0`
# file where the list of currently registered RPC ports is saved
P=$RUN/$p.save
# file containing the list of hosts allowed to use the RPC ports (one per line)
A=/etc/hosts.allow.d/portmapper

########### help
if [ "$1" = -h -o "$1" = --help ] ; then
cat <<EOF
Usage: $p [ --replace ]
It protects the RPC ports from accesses but from hosts listed in $A
uses ipfwadm -I
NOTE with --replace it destroys all ip input firewalling previously found!
and puts just a basic firewalling; it is good if you don't use ip input
firewalling for other reasons and you decide to run $p by cron every
5 minutes (good, in case the RPC ports change).
EOF
exit
fi

# keep the previous port list for reference
[ -r "$P" ] && mv "$P" "$P~"

if [ "$1" = --replace ] ; then
# clear all input rules, then re-add the basic anti-spoofing rules
# (packets claiming a 127.0.0.0/8 source must never arrive on eth0/eth1)
ipfwadm -I -f
ipfwadm -I -d deny -o -P all -S 127.0.0.0/8 -W eth0 -D 0/0 2>/dev/null || true
ipfwadm -I -d deny -o -P all -S 127.0.0.0/8 -W eth1 -D 0/0 2>/dev/null || true
ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W eth0 -D 0/0 >/dev/null
ipfwadm -I -i deny -o -P all -S 127.0.0.0/8 -W eth1 -D 0/0
fi

# collect the ports of all registered RPC services (column 4 of rpcinfo -p;
# the header line is dropped because its 4th field is not numeric)
rpcinfo -p | awk '{print $4}' | grep -x '[0-9][0-9]*' | sort -u > "$P"

# for every RPC port: accept the allowed hosts first, then reject everybody
# else (rules are appended in order, so each accept precedes its port's
# reject rules; without --replace the rules of an earlier run stay in place)
for i in `cat "$P"` ; do
  if [ -r "$A" ] ; then
    for h in `cat "$A"` ; do
      ipfwadm -I -a accept -P tcp -S $h -D 0/0 $i
      ipfwadm -I -a accept -P udp -S $h -D 0/0 $i
    done
  fi
  ipfwadm -I -a reject -P tcp -S 0/0 -D 0/0 $i
  ipfwadm -I -a reject -P udp -S 0/0 -D 0/0 $i
done
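An added example, not part of the original post or of its author's script: a dry run that builds the rule set protect_rpc_ports would install from captured `rpcinfo -p` output and an allowed-hosts list, so the rule order (every accept for a port before that port's rejects) and the rule count can be reviewed without touching the running firewall. The rpcinfo sample and the host list below are constructed, and ipfwadm itself is never invoked.

```shell
# Constructed sample of `rpcinfo -p` output: the header line plus a few
# registrations; port 111 appears for both tcp and udp, as on a real host.
RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    635  mountd
    100005    1   tcp    635  mountd
    100003    2   udp   2049  nfs'

# Constructed allowed-hosts list (what /etc/hosts.allow.d/portmapper holds).
ALLOWED_HOSTS='192.168.1.10
192.168.1.0/24'

# Extract the unique ports from rpcinfo output on stdin. The header line's
# "port" field and blank lines are dropped by requiring at least one digit;
# sort -nu collapses the tcp/udp duplicates of the same port.
rpc_ports() {
    awk '{print $4}' | grep -x '[0-9][0-9]*' | sort -nu
}

# Print, one per line, the ipfwadm -I commands the script would run for the
# port list in $1 (whitespace separated) and the hosts in $2 (one per line).
# Order matters: all accepts for a port are emitted before its reject rules.
rpc_rules() {
    ports=$1
    hosts=$2
    for i in $ports; do
        for h in $hosts; do
            echo "ipfwadm -I -a accept -P tcp -S $h -D 0/0 $i"
            echo "ipfwadm -I -a accept -P udp -S $h -D 0/0 $i"
        done
        echo "ipfwadm -I -a reject -P tcp -S 0/0 -D 0/0 $i"
        echo "ipfwadm -I -a reject -P udp -S 0/0 -D 0/0 $i"
    done
}

# Usage: show the rules for the constructed sample (3 ports x 6 rules each).
rpc_rules "$(printf '%s\n' "$RPCINFO_SAMPLE" | rpc_ports)" "$ALLOWED_HOSTS"
```

To review a real host, replace the constructed sample with the output of `rpcinfo -p` and the host list with the contents of the allowed-hosts file; the printed commands are exactly what the script appends.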
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:13:59 PDT