tcpwrapped rpcbind/portmap?

From: Geoff Collis (geoff@andale.com)
Date: 08/15/01


Message-ID: <EC5DB45B78F8D311A12500500488E66107E68F6B@mail.vendorhub.com>
From: Geoff Collis <geoff@andale.com>
To: focus-sun@securityfocus.com
Subject: tcpwrapped rpcbind/portmap?
Date: Tue, 14 Aug 2001 15:51:22 -0700

As a standard part of hardening Solaris 2.6 and Solaris 7 I would normally
replace rpcbind and portmap with Wietse's versions
(http://ftp.porcupine.org/pub/security/index.html) so that access to these
is controlled by the /etc/hosts.allow and /etc/hosts.deny files.

I believe I need "rpcbind" to allow my secured host to NFS mount the NFS
shares on my Network Appliance file servers.

These programs are based on fairly old source, so should I still do this on
Solaris 8?

FWIW: I am not interested in encrypting the data transfer, more in
controlling who is allowed to bind the RPC services on a host.

I will also be installing ipfilter, so I may be able to restrict access by
some inventive ipfilter rules, although RPC is notoriously difficult to
firewall.

Suggestions and feedback on the best way to proceed and/or what others have
done, would be appreciated.

- Geoff