tcpwrapped rpcbind/portmap?

From: Geoff Collis (geoff@andale.com)
Date: 08/15/01


Message-ID: <EC5DB45B78F8D311A12500500488E66107E68F6B@mail.vendorhub.com>
From: Geoff Collis <geoff@andale.com>
To: focus-sun@securityfocus.com
Subject: tcpwrapped rpcbind/portmap?
Date: Tue, 14 Aug 2001 15:51:22 -0700

As a standard part of hardening Solaris 2.6 and Solaris 7 I would normally
replace rpcbind and portmap with Wietse's versions
(http://ftp.porcupine.org/pub/security/index.html) so that access to these
is controlled by /etc/hosts.allow and /etc/hosts.deny files.

I believe I need "rpcbind" to allow my secured host to NFS mount the NFS
shares on my Network Appliance file servers.

These programs are based on fairly old source, so should I still do this on
Solaris 8?

FWIW: I am not interested in encrypting the data transfer, more in
controlling who is allowed to bind the RPC services on a host.

I will also be installing ipfilter, so I may be able to restrict access by
some inventive ipfilter rules, although RPC is notoriously difficult to
firewall.

Suggestions and feedback on the best way to proceed and/or what others have
done, would be appreciated.

- Geoff
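
Added example, not part of the original post and not Wietse Venema's code: a Python model of the hosts.allow then hosts.deny lookup order that the post relies on for a wrapped rpcbind/portmap. The addresses are constructed, and the supported pattern subset (ALL, exact address, net/mask, dotted prefix) is an assumption of this example.

```python
import ipaddress

# Constructed sample policy; the filer address and subnet are assumptions.
HOSTS_ALLOW = """\
# only the NFS filer and the admin subnet may talk to rpcbind
rpcbind: 192.0.2.10
rpcbind, portmap: 198.51.100.0/255.255.255.0
"""
HOSTS_DENY = """\
rpcbind, portmap: ALL
"""

def parse_rules(text):
    """Return [(daemons, client_patterns)] from hosts.allow/hosts.deny text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split(":")
        if len(fields) < 2:
            continue  # blank line, comment, or malformed entry
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules

def client_matches(pattern, addr):
    """Match one client pattern against a numeric client address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask form, e.g. 198.51.100.0/255.255.255.0
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(addr) in net
    if pattern.endswith("."):  # dotted prefix, e.g. "198.51.100."
        return addr.startswith(pattern)
    return pattern == addr  # exact address; a host name never matches

def any_rule_matches(rules, daemon, addr):
    return any((daemon in daemons or "ALL" in daemons)
               and any(client_matches(p, addr) for p in clients)
               for daemons, clients in rules)

def is_allowed(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow match grants, else hosts.deny match denies, else grant."""
    if any_rule_matches(parse_rules(allow), daemon, addr):
        return True
    if any_rule_matches(parse_rules(deny), daemon, addr):
        return False
    return True  # no match in either file: access is granted

if __name__ == "__main__":
    for client in ("192.0.2.10", "198.51.100.77", "203.0.113.5"):
        print(client, is_allowed("rpcbind", client))
```

With the deny file empty, the off-subnet client is granted access, which is why the allow entries only restrict anything when paired with a catch-all entry in hosts.deny.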
 


