Re: tcpwrapped rpcbind/portmap?

From: Chris Ess (azarin@tokimi.net)
Date: 08/21/01


Date: Mon, 20 Aug 2001 19:32:13 -0400 (EDT)
From: Chris Ess <azarin@tokimi.net>
To: <focus-sun@securityfocus.com>
Subject: Re: tcpwrapped rpcbind/portmap?
Message-ID: <Pine.LNX.4.33L2.0108201921540.9268-100000@ryoko.tokimi.net>


> Perhaps I'm just a draconian BOFH type, but for systems that are
> production and in a DMZ, the only good rpc is no rpc.

Hear, hear.

Now, if you remove RPC from a webserver, what will you lose? NFS and
NIS/YP. (Any others? These are the only two I know of.)

NFS is, in general, weak and kludge-y in its implementations. And
inherently secure. NIS/YP is even less secure. (Yes, yes, NIS+ is
better... But not by much.)

Neither of these have a place on a dedicated webserver. In fact, aside
from port 80 and 443, should a dedicated webserver allow connections from
anyone on a port? Certainly not. SSH and FTP (if you really want to use
it) should be restricted to a group of IPs.

Let's say you don't have the resources to run a dedicated webserver. (I
know I don't.) From my understanding of RPC/portmap, you can in general
be safe if you drop port 111 requests coming from outside. But this
shouldn't be taken as a definite cure. It's just removing or deflecting a
vector of attack, such as removing the .ida and .idq bindings in IIS for
the Code Red worms. (If any of you followed that.)

If you *absolutely* have to use RPC for whatever reason, get a firewall
and drop your machine behind it. (It doesn't need to be a commercial
firewall. A BSD machine running ipf, a Linux machine with ipchains or
iptables, a pair of wirecutters (best firewall yet! <snip>), what have
you.)

Unfortunately, RPC like many other internel protocols wasn't designed with
security in mind. It might be possible to make RPC secure, but by the
time you do so, it's not RPC anymore.

Christopher Ess
System Administrator / CDTT (Certified Duct Tape Technician)



Relevant Pages

  • Re: "Trying to connect" problem with RPC-HTTP
    ... 443 is the only port that needs to be opened. ... on the RPC Proxy under IIS? ... The reason that I ask is that with an internal certificate, ... > connect through the firewall. ...
    (microsoft.public.exchange.admin)
  • Re: "Trying to connect" problem with RPC-HTTP
    ... 443 is the only port that needs to be opened. ... on the RPC Proxy under IIS? ... The reason that I ask is that with an internal certificate, ... > connect through the firewall. ...
    (microsoft.public.exchange.misc)
  • Re: "Trying to connect" problem with RPC-HTTP
    ... 443 is the only port that needs to be opened. ... on the RPC Proxy under IIS? ... The reason that I ask is that with an internal certificate, ... > connect through the firewall. ...
    (microsoft.public.exchange.connectivity)
  • Re: "Trying to connect" problem with RPC-HTTP
    ... 443 is the only port that needs to be opened. ... on the RPC Proxy under IIS? ... The reason that I ask is that with an internal certificate, ... > connect through the firewall. ...
    (microsoft.public.exchange.setup)
  • Re: SBS 2003 and Outlook RPC over HTTP issues
    ... Look in IIS at your Exchweb, Exadmin, exchange-oma, and RPC sites' directory ... Why is it called RPC over HTTP if HTTP is not really needed to be ... As pointed out by others, port 80 does NOT need to be open, and yes, it ... I have about 20 of these SBS machines at other locations and have ...
    (microsoft.public.windows.server.sbs)