[221] in linux-security and linux-alert archive
Re: IP firewalling and security
daemon@ATHENA.MIT.EDU (Olaf Kirch)
Mon Apr 24 19:49:38 1995
From: okir@monad.swb.de (Olaf Kirch)
To: linux-security@tarsier.cv.nrao.edu
Date: Mon, 24 Apr 1995 23:46:11 +0200 (MET DST)
In-Reply-To: <199504191835.UAA13887@mvmampc66.ciw.uni-karlsruhe.de> from "Thomas Koenig" at Apr 19, 95 08:35:19 pm
-----BEGIN PGP SIGNED MESSAGE-----

Thomas Koenig wrote:

> Question: if you've got nfsd and rpcd running firewalled, can anything
> be gained by also firewalling mountd? This would probably have to be
> done in mountd itself, since it doesn't bind to a specified port.

Protection of RPC services that run on random ports is a problematic
issue. NFS can be firewalled so easily because nfsd always runs on
port 2049, but you're quite stuck with all other services. Firewalling
port 111 or using a portmapper with hosts_access protection does not
help you here, because it's quite easy to find out which services
run on which port without consulting the portmapper at all (*).

IMHO, the only solution to this problem is to make RPC daemons aware
of hosts_access or a similar scheme. An ideal place to add this
transparently would be in svc_run, but unfortunately, the current
tcp-wrapper implementation doesn't lend itself very well to fun like
this because for each check you perform, it opens and parses the
entire hosts.allow and hosts.deny files.

I have started hacking on the tcpd-7.2 sources to load this stuff into
memory and add a cache indexed by client addresses, but it's not even
at the compile stage yet :-) If someone is interested in pursuing this, I
could give you the source.

To comment on the issue Thomas raised (at long last): I don't believe
there's much evil you can do with mountd as long as the NFS port is
blocked, except maybe for a denial of service attack.

Regards
Olaf

(*) Basically, you use NULL RPC calls to check if a given service resides
on a given port. It works surprisingly well... What makes me slightly
nervous is that when playing around with this, none of the servers
recorded a single complaint in the log files.
- --
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
For my PGP public key, finger okir@brewhq.swb.de.
-----BEGIN PGP SIGNATURE-----
Version: 2.6
iQCVAgUBL5wcEOFnVHXv40etAQGdVQP+I23kmatE1O47QFEdDwYv55/UnzLWl+Aw
pFCTqPSA0zGQypCh2ygko3nvYZopblwVO+2erQYh1Zuhu+SpxACfACLajxnlN0Vy
gE9PcWRepLC7pXW8PJdnMghxPL8CBMqxUcVCtoMWJ5VwgU8yAs399F+3AUWK0BlL
WRh2OUBneKc=
=1RjJ
-----END PGP SIGNATURE-----
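The scheme Olaf says he has started on, parsing hosts.allow and hosts.deny into memory once and caching verdicts by client address so an RPC daemon can afford a check on every call, as an added example written for this page (Python; not Olaf's patch and not tcpd code). It applies the standard tcp_wrappers order (a hosts.allow match grants, otherwise a hosts.deny match refuses, otherwise access is granted) and supports only a subset of the real syntax: ALL, an exact IPv4 address, a trailing-dot prefix such as 192.168.1., a net/mask pair, and EXCEPT in the client list. The rule text, daemon names and addresses below are constructed sample data.

```python
"""hosts_access-style checker: both files parsed once, verdicts cached per
(daemon, client address). Illustrative subset of tcp_wrappers syntax."""
import ipaddress

# Constructed sample rule files (not from any real system).
SAMPLE_ALLOW = """
# constructed hosts.allow
mountd, nfsd : 192.168.1. EXCEPT 192.168.1.99
ALL : 127.0.0.1
ALL : 10.1.0.0/255.255.0.0
"""
SAMPLE_DENY = """
# constructed hosts.deny
ALL : ALL
"""


class HostsAccess:
    def __init__(self, allow_text, deny_text):
        # Parse both tables once, at startup, rather than on every check.
        self.allow = self._parse(allow_text)
        self.deny = self._parse(deny_text)
        self._cache = {}      # (daemon, client) -> bool
        self.evaluations = 0  # how often the rule tables were actually walked

    @staticmethod
    def _parse(text):
        """Return a list of (daemons, clients, excepts) tuples."""
        rules = []
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()   # drop comments and blanks
            if not line:
                continue
            fields = [f.strip() for f in line.split(":")]
            if len(fields) < 2:
                raise ValueError("bad rule: %r" % raw)
            daemons = fields[0].replace(",", " ").split()
            clients = fields[1].replace(",", " ").split()
            excepts = []
            if "EXCEPT" in clients:                # "list EXCEPT list" form
                i = clients.index("EXCEPT")
                clients, excepts = clients[:i], clients[i + 1:]
            rules.append((daemons, clients, excepts))
        return rules

    @staticmethod
    def _client_matches(pattern, addr):
        if pattern == "ALL":
            return True
        if pattern.endswith("."):                  # prefix form, e.g. "192.168.1."
            return str(addr).startswith(pattern)
        if "/" in pattern:                         # net/mask form
            net, mask = pattern.split("/", 1)
            return addr in ipaddress.ip_network("%s/%s" % (net, mask), strict=False)
        return str(addr) == pattern                # exact address

    def _table_matches(self, daemon, addr, rules):
        for daemons, clients, excepts in rules:
            if daemon not in daemons and "ALL" not in daemons:
                continue
            hit = any(self._client_matches(c, addr) for c in clients)
            excluded = any(self._client_matches(e, addr) for e in excepts)
            if hit and not excluded:
                return True
        return False

    def allowed(self, daemon, client):
        """Decide access for one request; repeated lookups are served from cache."""
        key = (daemon, client)
        if key in self._cache:
            return self._cache[key]
        self.evaluations += 1
        addr = ipaddress.ip_address(client)
        if self._table_matches(daemon, addr, self.allow):
            verdict = True                         # hosts.allow grants
        elif self._table_matches(daemon, addr, self.deny):
            verdict = False                        # hosts.deny refuses
        else:
            verdict = True                         # default: permit
        self._cache[key] = verdict
        return verdict


def build_example():
    return HostsAccess(SAMPLE_ALLOW, SAMPLE_DENY)


if __name__ == "__main__":
    acl = build_example()
    for daemon, client in [("mountd", "192.168.1.5"), ("mountd", "192.168.1.99"),
                           ("nfsd", "10.1.4.4"), ("rpc.statd", "192.168.1.5"),
                           ("rpc.statd", "127.0.0.1"), ("mountd", "192.168.1.5")]:
        print("%-10s %-14s %s" % (daemon, client, "allow" if acl.allowed(daemon, client) else "deny"))
    print("rule-table walks:", acl.evaluations, "cached entries:", len(acl._cache))
```

In a real daemon the cache would need an eviction policy and a way to reload the tables when the files change; both are left out here so the control flow Olaf describes stays visible.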