[21158] in Athena Bugs


Re: Incoming / Outgoing Ports list for Solaris Athena

daemon@ATHENA.MIT.EDU (Tom Cavin)
Tue Dec 3 17:29:55 2002

MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15853.12385.503357.560473@lap1-wccf.mit.edu>
Date: Tue, 3 Dec 2002 17:29:53 -0500
From: Tom Cavin <cavin@MIT.EDU>
To: Garry Zacheiss <zacheiss@MIT.EDU>
Cc: Tom Cavin <cavin@MIT.EDU>, Athena Bugs list <bugs@MIT.EDU>
In-Reply-To: <200212032039.PAA25758@brad-majors.mit.edu>


Hi Garry,

The firewall is due to an administrative policy decision at Mass General
Hospital Partners and isn't something that can easily be eliminated, hence
the request for a port list.

You mention below that both ftp and telnet are active when a system has run
"mkserv remote".  Is that the case even if the "require encrypted
passwords" question has been answered affirmatively?  

Thanks,

	--Tom

P.S.  This entire exercise is due to a lack of planning on a user's part,
and has only continued because I'm curious as to whether and how it can be
done.  Please don't spend any serious amounts of time on this, and please
let me know if my questions become a problem.  If I'm going to cause
difficulties, I'd much rather do so on behalf of something important, and
this isn't one of those things.  :-)  Thanks,  --tec

Garry Zacheiss writes:
 > 	Hi Tom,
 > 
 > 	The short answer is that we prefer Athena machines not be behind
 > a firewall at all, and if it's possible to not filter any incoming
 > traffic for the machine, that's best.  I'm not aware of there being any
 > security holes in the current Athena release that were actually
 > exploited since I started working here; we have been vulnerable to
 > things, but usually fix them within a couple of days of the
 > announcement, before exploits appear in the wild.  It's also been our
 > experience that supporting Athena machines in a firewalled environment
 > tends to generate a lot of unnecessary support load for no perceivable
 > security benefit.
 > 
 > >> Does there exist a ports list that would tell them what type of incoming
 > >> and outgoing traffic is normal on which ports for an Athena box?  Or
 > >> would such a list be easy to make?  And how could I get or make it?
 > 
 >    There is no official list, but the things that come to mind are:
 > 
 > UDP ports 88, 750 for Kerberos (kinit, etc)
 > UDP port 464 (krb5 password changing protocol)
 > UDP port 751 (krb4 password changing protocol)
 > 
 > (we changed from using the krb4 password changing protocol to the krb5
 > one midway through 9.1, so opening both is clever)
 > 
 > UDP ports 7000 - 7009 (AFS fileserver, cache manager, vldb, prdb, etc)
 > 
 > If the machine is remotely accessible via mkserv remote, all of these
 > will be running.  You can decide which ones you want.
 > 
 > TCP 21 ftp
 > TCP 22 ssh
 > TCP 23 telnet
 > 
 > TCP 543 kerberized rlogin
 > TCP 544 kerberized rsh
 > TCP 2105 encrypted kerberized rlogin
 > 
 > TCP 49155 athinfo (remote workstation information service)
 > 
 > TCP 1109 kerberized pop
 > TCP 142, 143, 992 various flavors of IMAP
 > 
 >     These are the ones that come immediately to mind; there are almost
 > certainly others.  You can discover others with lsof and netstat if you
 > feel so inclined.
 > 
 >     If the machine has to be behind a firewall, I'd strongly urge you to
 > not filter outgoing traffic at all, only incoming traffic, at which
 > point many entries on the above list become unnecessary.
 > 
 > Garry
 > 

-- 
Tom Cavin                                  Phone:  (617) 258 - 7806
Computer Operations Manager                Email:     cavin@mit.edu
MIT - Whitaker College Computer Facility          or tec@ai.mit.edu
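
Garry's suggestion to check with lsof and netstat, worked into an added example that is not part of the thread: the service table is transcribed from his list, the netstat listing is constructed, and the Solaris `netstat -an` layout it parses (a `UDP:`/`TCP:` section header followed by one `<addr>.<port>` socket per line) is an assumption. It reports which listeners are documented, which are not, and which of the documented ones the list does not describe as encrypted.

```python
"""Compare a workstation's listening sockets with the thread's Athena port list.
Layout assumed: Solaris `netstat -an` sections `UDP:`/`TCP:`, sockets as <addr>.<port>."""
import re

# (proto, port) -> service, transcribed from Garry's list (AFS is 7000-7009).
ATHENA_PORTS = {
    ("udp", 88): "kerberos", ("udp", 750): "kerberos (krb4)",
    ("udp", 464): "krb5 password changing", ("udp", 751): "krb4 password changing",
    **{("udp", p): "afs" for p in range(7000, 7010)},
    ("tcp", 21): "ftp", ("tcp", 22): "ssh", ("tcp", 23): "telnet",
    ("tcp", 543): "kerberized rlogin", ("tcp", 544): "kerberized rsh",
    ("tcp", 2105): "encrypted kerberized rlogin", ("tcp", 49155): "athinfo",
    ("tcp", 1109): "kerberized pop", ("tcp", 142): "imap", ("tcp", 143): "imap", ("tcp", 992): "imap",
}
# Listed services the thread does not call encrypted (2105 is the encrypted rlogin).
NOT_ENCRYPTED = {("tcp", 21), ("tcp", 23), ("tcp", 543), ("tcp", 544)}

SECTION = re.compile(r"^(UDP|TCP):")         # protocol section header (assumed format)
SOCKET = re.compile(r"^\s*(\S+)\.(\d+)\s+")  # "<addr>.<port> ..." where addr may be *

def listening_ports(netstat_text):
    """Return the (proto, port) sockets that accept incoming traffic."""
    proto, found = None, set()
    for line in netstat_text.splitlines():
        if (head := SECTION.match(line)):
            proto = head.group(1).lower()
        elif (sock := SOCKET.match(line)) and proto:
            if proto == "udp" or "LISTEN" in line:  # skip ESTABLISHED etc.
                found.add((proto, int(sock.group(2))))
    return found

def reconcile(observed):
    """Split sockets into documented, undocumented and unencrypted-session ones."""
    documented = {s: ATHENA_PORTS[s] for s in observed if s in ATHENA_PORTS}
    undocumented = sorted(s for s in observed if s not in ATHENA_PORTS)
    unencrypted = sorted(s for s in observed if s in NOT_ENCRYPTED)
    return documented, undocumented, unencrypted

# Constructed sample: an Athena box that also has syslog (UDP 514) listening.
SAMPLE_NETSTAT = """\
UDP: IPv4
      *.88                                  Idle
      *.7001                                Idle
      *.514                                 Idle
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
      *.22                 *.*                0      0 49152      0 LISTEN
      *.23                 *.*                0      0 49152      0 LISTEN
      *.49155              *.*                0      0 49152      0 LISTEN
      192.0.2.10.22        192.0.2.99.1025 49152      0 49152      0 ESTABLISHED
"""
```

Run `reconcile(listening_ports(SAMPLE_NETSTAT))` to get the three groups; on a real host, feed it the output of `netstat -an` and review the undocumented list before writing any inbound filter.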
