portmap only for local interfaces
When I do a netstat -tlnp I find that portmap LISTENs on port 111 on all interfaces. Is this safe? Can I change the conf so that only localhost can connect? Bruno Cochofel
On Sun, 2 Oct 2005, Bruno Cochofel wrote:
When I do a netstat -tlnp I find that portmap LISTENs on port 111 on all interfaces. Is this safe? Can I change the conf so that only localhost can connect?
This portmapper is tcpwrapper enabled. So please read "man 5 hosts_access". Since the tcpwrapper is quite simple it is a suitable tool. Nonetheless it would never be a replacement for a proper firewall rule set.
Best regards
Henning Hucke
-- "Yow! Did something bad happen or am I in a drive-in movie?" -- Zippy the Pinhead
Henning Hucke wrote:
On Sun, 2 Oct 2005, Bruno Cochofel wrote:
When I do a netstat -tlnp I find that portmap LISTENs on port 111 on all interfaces. Is this safe? Can I change the conf so that only localhost can connect?
This portmapper is tcpwrapper enabled. So please read "man 5 hosts_access".
Since the tcpwrapper is quite simple it is a suitable tool. Nonetheless it would never be a replacement for a proper firewall rule set.
Best regards Henning Hucke
Portmapper is only needed for nfs, mount-daemon and quotas (correct this if I forgot things). So it can be disabled if it isn't needed!
Setting up portmapper listening on localhost only is kind'a' difficult (as I intended this as well for some servers). SuSEfirewall2 blocks this traffic by default.
It is recommended to use a firewall if you offer unprotected services to the internet. If you don't have open ports a firewall is normally not needed. Only an open port can be hacked. Don't compare Redmond (TM) firewalls with linux - it's not the same. They want to imitate iptables with kind'a' copy-effect and put a lot more in it and want to call this a firewall (a firewall in its meaning is a portblocker - no more no less)!
If you think you get attacks each time you login:
If you use dial-in or dsl-connections you may get packets related to an earlier connection from another user using the same IP you use. These are normally not attacks on you.
Regards
Philippe
How can I make sure tcpwrapper is in use? Can I edit hosts.allow so only localhost can access? Will it give any trouble? I don't use nfs, I've disabled it, so I don't know why portmap gets started... Philippe Vogel wrote:
Henning Hucke wrote:
On Sun, 2 Oct 2005, Bruno Cochofel wrote:
When I do a netstat -tlnp I find that portmap LISTENs on port 111 on all interfaces. Is this safe? Can I change the conf so that only localhost can connect?
This portmapper is tcpwrapper enabled. So please read "man 5 hosts_access".
Since the tcpwrapper is quite simple it is a suitable tool. Nonetheless it would never be a replacement for a proper firewall rule set.
Best regards Henning Hucke
Portmapper is only needed for nfs, mount-daemon and quotas (correct this if I forgot things). So it can be disabled if it isn't needed!
Setting up portmapper listening on localhost only is kind'a' difficult (as I intended this as well for some servers). SuSEfirewall2 blocks this traffic by default.
It is recommended to use a firewall if you offer unprotected services to the internet. If you don't have open ports a firewall is normally not needed. Only an open port can be hacked. Don't compare Redmond (TM) firewalls with linux - it's not the same. They want to imitate iptables with kind'a' copy-effect and put a lot more in it and want to call this a firewall (a firewall in its meaning is a portblocker - no more no less)!
If you think you get attacks each time you login:
If you use dial-in or dsl-connections you may get packets related to an earlier connection from another user using the same IP you use. These are normally not attacks on you.
Regards
Philippe
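Henning's pointer to hosts_access(5) and Bruno's follow-up ("can I edit hosts.allow so only localhost can access?") come down to the order in which tcp_wrappers evaluates the two files: first match in hosts.allow grants, then first match in hosts.deny denies, and a client matched by neither is let in. The script below is an added example written for this thread, not part of the list posts or of the real libwrap: a simplified evaluator for that rule over constructed hosts.allow/hosts.deny contents, handling only numeric IPv4 client patterns (ALL, exact address, trailing-dot prefix, net/mask, EXCEPT), which is what one would use for portmap anyway.

```python
import ipaddress

# Simplified hosts_access(5) matcher written for this thread (not libwrap); numeric IPv4 patterns only.

def _pattern_matches(pattern, client_ip):
    """Test one client pattern against a dotted-quad client address."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                    # prefix form: "192.168.1."
        return client_ip.startswith(pattern)
    if "/" in pattern:                           # net/mask form: "10.0.0.0/255.0.0.0"
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return client_ip == pattern                  # exact address

def _list_matches(client_list, client_ip):
    """'a b EXCEPT c d' matches when a or b matches and neither c nor d does."""
    parts = client_list.replace(",", " ").split(" EXCEPT ", 1)
    included = any(_pattern_matches(p, client_ip) for p in parts[0].split())
    excluded = len(parts) > 1 and any(_pattern_matches(p, client_ip) for p in parts[1].split())
    return included and not excluded

def _file_matches(file_text, daemon, client_ip):
    """True if any 'daemon_list : client_list' line in the file matches the client."""
    for line in file_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        if ("ALL" in daemons or daemon in daemons) and _list_matches(fields[1], client_ip):
            return True
    return False

def hosts_access(hosts_allow, hosts_deny, daemon, client_ip):
    """hosts_access(5) order: a match in hosts.allow grants, otherwise a match
    in hosts.deny denies, otherwise the connection is granted."""
    if _file_matches(hosts_allow, daemon, client_ip):
        return "allow"
    if _file_matches(hosts_deny, daemon, client_ip):
        return "deny"
    return "allow"

# Constructed files for the question in the thread: portmap reachable from loopback only.
HOSTS_ALLOW = "portmap: 127.0.0.1\n"
HOSTS_DENY = "portmap: ALL\n"   # without this catch-all the allow line changes nothing

if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.168.1.20", "203.0.113.5"):
        print(ip, hosts_access(HOSTS_ALLOW, HOSTS_DENY, "portmap", ip))
```

The point the constructed files make is that "portmap: 127.0.0.1" in hosts.allow alone restricts nothing; the "portmap: ALL" line in hosts.deny is what turns every other client away. On the real host, the tcp_wrappers tool tcpdmatch (e.g. `tcpdmatch portmap 127.0.0.1`) evaluates the actual files the same way.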
participants (3)
- Bruno Cochofel
- Henning Hucke
- Philippe Vogel