>In effect this means that I can write scripts to connect directly to the port >and by-pass the portmapper. Why is this bad? Well because a lot of sites >just block 111 (portmapper) and leave the rest open (ftp other stuff might >need them). In addition, since it doesn't run from inetd, I am pretty sure >you can't run tcpwrappers. Since it bypasses the portmapper, a secure >portmapper isn't much good either. So if I can guess the high port, I can, >in the case of NIS, get the hashed passwds quite easily. I would say this is "as-designed" (even though it has security consequences). Solaris starts allocating unreserved ports in the 32xxx range, other OS's start above 1024 (the only OS I know of which actually allocates ports randomly is OpenBSD). The intention of the port allocation and the purpose of portmapper was never to provide security. Unless you change your system configuration, those services will probably always be listening on the same port. While this isn't exactly a benefit to security in this day and age, making the ports random won't help either. It's quite easy to find RPC services without a portmapper running by finding open UDP ports, and then interating through all known program/version numbers. The solution comes down to blocking everything you don't need at your firewall. - Oliver Network Associates, Inc.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:28:59 PDT