Re: Would a firewall prevent Sasser worm?

From: Bernd Felsche (bernie_at_innovative.iinet.net.au)
Date: 05/06/04


Date: Thu, 06 May 2004 09:27:38 +0800

Lars M. Hansen <badnews@hansenonline.net> writes:

>On Wed, 05 May 2004 14:11:14 +0100, Nigel Wade spoketh

>>There is no sun-rpc package in RH8 or RH9. Are you sure you've really
>>installed them?

>>If you actually meant the portmap package then that is only
>>required by fam. Since fam is monitoring local filesystems there
>>is no need to open port 111 to anything other than the loopback
>>interface. No vulnerability whatsoever.

>>You should not equate Linux with Windows. Just because RPC on
>>Windows is a security hole does not mean that RPC in Linux is
>>also.

>Cut from my /etc/services file on my RH8 box:

>sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP
>sunrpc 111/udp portmapper # RPC 4.0 portmapper UDP

/etc/services is only for documentation and reference.

No way are the 8000+ other services documented *running* on most
Linux boxes.

SuSE ships with all ports effectively turned off. I wouldn't use the
"default" installation for firewalling anyway because a GUI (X) is
just asking for trouble when exposed to the Internet. SuSE also
ships with an easily configurable "personal" firewall suitable for
home PC deployment... (setting up a modem/DSL connection starts the
firewall by default) and one where you have to get down to the
nitty-gritty for more serious use such as building a stand-alone
firewall for firewalling a LAN.

>You were saying?

>As for RPC being an issue on Linux, well, there may not be any known
>issues at this time, but there have been in the past, and who knows
>what's around the corner...

Here's a note provided by SuSE for the latest kernel security patch:

  - A buffer overflow in panic(). Although there seems no way to
    trigger this bug, it has been fixed.

Looks like there's plenty of pro-active code review and patching.
A great proportion of possible vulnerabilities can be mechanically
located and then manually reviewed.

-- 
/"\ Bernd Felsche - Innovative Reckoning, Perth, Western Australia
\ /  ASCII ribbon campaign | I'm a .signature virus!
 X   against HTML mail     | Copy me into your ~/.signature
/ \  and postings          | to help me spread!
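
The distinction drawn in this message, between a port being named in /etc/services and a service actually listening on it (and on which interface), can be checked mechanically. The following is an added example, not part of the original post: it compares an /etc/services excerpt with Linux /proc/net/tcp output. Both samples are constructed, and the function names are hypothetical.

```python
import socket
import struct

# Constructed /etc/services excerpt (the sunrpc lines are the ones quoted in the post).
SERVICES = """\
sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP
sunrpc 111/udp portmapper # RPC 4.0 portmapper UDP
ssh 22/tcp
telnet 23/tcp
"""
# Constructed /proc/net/tcp excerpt, trimmed to its first columns (st 0A = LISTEN).
PROC_NET_TCP = """\
  sl  local_address rem_address   st
   0: 0100007F:006F 00000000:0000 0A
   1: 00000000:0016 00000000:0000 0A
   2: 0100007F:0016 0100007F:C350 01
"""

def parse_services(text, proto="tcp"):
    """Map port -> service name for one protocol from /etc/services-style text."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[1].endswith("/" + proto):
            names.setdefault(int(fields[1].split("/")[0]), fields[0])
    return names

def listening_tcp(text):
    """LISTEN sockets (st == 0A) as (address, port); hex address is little-endian on x86."""
    found = set()
    for fields in map(str.split, text.splitlines()[1:]):
        if len(fields) > 3 and fields[3] == "0A":
            hexaddr, hexport = fields[1].split(":")
            addr = socket.inet_ntoa(struct.pack("<I", int(hexaddr, 16)))
            found.add((addr, int(hexport, 16)))
    return sorted(found)

def audit(services_text, proc_text):
    """Classify each listed TCP service by what is actually bound."""
    listeners = listening_tcp(proc_text)
    report = {}
    for port, name in parse_services(services_text).items():
        addrs = [a for a, p in listeners if p == port]
        loopback = all(a.startswith("127.") for a in addrs)
        report[name] = ("not listening" if not addrs else
                        "loopback only" if loopback else "exposed")
    return report

print(audit(SERVICES, PROC_NET_TCP))
```

On a live Linux host the same functions can be fed the contents of /etc/services and /proc/net/tcp; IPv6 listeners are in /proc/net/tcp6, which this example does not parse.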

