Mailinglist Archive: opensuse-security (232 mails)

Re: [suse-security] Re: portmap only for local interfaces
  • From: Bruno Cochofel <bruno.cochofel@xxxxxxxxx>
  • Date: Sun, 02 Oct 2005 21:39:41 +0100
  • Message-id: <4340458D.5020002@xxxxxxxxx>

How can I make sure tcpwrapper is in use?
Can I edit hosts.allow so only localhost can access? Will it give any
trouble?
I don't use NFS, I've disabled it, so I don't know why portmap gets
on...

Philippe Vogel wrote:

> Henning Hucke wrote:
>
>> On Sun, 2 Oct 2005, Bruno Cochofel wrote:
>
>>> When I do a netstat -tlnp I find that portmap LISTEN on port
>>> 111 to all interfaces. Is this safe? Can I change the conf so
>>> that only localhost can connect?
>
>
>> This portmapper is tcpwrapper enabled. So please read
>> "man 5 hosts_access".
>
>> Since the tcpwrapper is quite simple it is a suitable tool.
>> Nonetheless it would never be a replacement for a proper
>> firewall rule set.
>
>> Best regards Henning Hucke
>
>
> Portmapper is only needed for nfs, mount-daemon and quotas (correct
> this if I forgot things). So it can be disabled if it isn't
> needed!
>
> Setting up portmapper listening on local host only is kind of
> difficult (as I intended this as well for some servers).
> SuSEfirewall2 blocks this traffic as default.
>
> It is recommended to use a firewall if you offer unprotected
> services to the internet. If you don't have open ports a firewall
> is normally not needed. Only an open port can be hacked. Don't
> compare Redmond (TM) firewalls with Linux - it's not the same. They
> want to imitate iptables with a kind of copy-effect and put a lot
> more in it and want to call this a firewall (a firewall in its
> meaning is a portblocker - no more no less)!
>
> If you think you get attacks each time you login:
>
> If you use dial-in or DSL connections you may get packets related
> to an earlier connection from another user using the same IP you
> use. These are normally not attacks on you.
>
> Regards
>
> Philippe
>
> -- This message is digitally signed and contains neither seal
> nor signature!
>
> The unsolicited sending of advertising e-mail to private
> individuals violates §1 UWG and 823 I BGB (decision of the LG
> Berlin of 2.8.1998, Az: 16 O 201/98). Any commercial use of the
> transmitted personal data, as well as passing it on to third
> parties, is expressly prohibited!
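The hosts.allow question above turns on the lookup order documented in hosts_access(5): hosts.allow is checked first, then hosts.deny, and a client that matches neither is granted access. The following is an added example, not part of the original thread and not libwrap's own code: a simplified Python model of that order, assuming numeric client addresses only and ignoring option fields, EXCEPT and hostname patterns. The file contents are constructed samples.

```python
import ipaddress

# Constructed sample files (assumption: numeric addresses, no options/EXCEPT).
HOSTS_ALLOW = "portmap: 127.0.0.1\n"
HOSTS_DENY = "portmap: ALL\n"

def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, addr):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                     # address prefix, e.g. "192.168."
        return addr.startswith(pattern)
    if "/" in pattern:                            # net/mask, e.g. "127.0.0.0/255.0.0.0"
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(addr) in net
    return pattern == addr                        # exact address

def matches(rules, daemon, addr):
    return any((daemon in daemons or "ALL" in daemons)
               and any(client_matches(c, addr) for c in clients)
               for daemons, clients in rules)

def access(allow_text, deny_text, daemon, addr):
    """hosts_access(5) order: allow file, then deny file, else granted."""
    if matches(parse_rules(allow_text), daemon, addr):
        return "granted"
    if matches(parse_rules(deny_text), daemon, addr):
        return "denied"
    return "granted"

if __name__ == "__main__":
    remote = "192.0.2.10"                         # documentation-range address
    # Allow entry alone: the remote client falls through to the default.
    print("allow only      :", access(HOSTS_ALLOW, "", "portmap", remote))
    # Allow entry plus a deny entry for everyone else.
    print("allow + deny ALL:", access(HOSTS_ALLOW, HOSTS_DENY, "portmap", remote))
    print("localhost       :", access(HOSTS_ALLOW, HOSTS_DENY, "portmap", "127.0.0.1"))
```

Because the decision is made by the daemon after the connection arrives, `netstat -tlnp` still shows port 111 listening on all interfaces with these rules in place.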

