On Mon, 25 Aug 2003, Felipe Alfaro Solana wrote:
> On Mon, 2003-08-25 at 13:50, rhldevel(a)assursys.co.uk wrote:
> > Hi -
> > I've just done a "complete" install of Taroon on a scratch box, with
> > iptables firewalling disabled. The following services are listening on
> > external network interfaces:
> > Port      State  Service
> > 22/tcp    open   ssh
> > 68/udp    open   dhcpclient
> > 111/tcp   open   sunrpc
> > 111/udp   open   sunrpc
> > 123/udp   open   ntp
> > 1010/udp  open   unknown
> > 6000/tcp  open   X11
> > ssh (we don't want to lock users out after an upgrade), ntp and dhcpclient
> > (both manually configured during install) are reasonably justified, IMHO,
> > but what is the justification for having rpc.statd, portmap and X11
> > listening by *default* (especially on a machine that hasn't been configured
> > to use NIS)?
> rpc.statd and portmap aren't the exclusive domain of NIS.
Sure, but that was my best guess as to why they might be enabled by default
(but which would still be irrelevant to the installation scenario I gave).
> Both are enabled by default and used by NFS as client or server. I
> they could be disabled by default instead of being enabled by default.
> You can disable both services:
> # chkconfig --level 12345 portmap off
> # chkconfig --level 12345 nfslock off
> If you don't want the NFS server:
> # chkconfig --level 12345 nfs off
*We* know this, but I suspect a large number of users don't and won't. I
wouldn't like for RH Linux to become the target of a worm with the impact of
Blaster, /even if/ the default RH firewall setup would prevent it, and errata
had already been released.
Leaving unnecessary ports open on a default install (firewall or not) is a
security and PR disaster waiting to happen, IMHO. There's no reason why an
install shouldn't be more tolerant of user stupidity, especially when
turning those services on is no more difficult than turning them off. ;-)
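As an added example (not code from the thread, from Red Hat, or from either poster), the check below turns the two halves of this exchange into a script: it compares an nmap-style listing of listening ports against the short list of services the original post considers justified on a fresh install, and for anything else it emits the chkconfig lines from the reply. The scan listing is constructed to mirror the table in the post; the service-to-initscript mapping in initscript_for is an assumption (sunrpc is portmap, rpc.statd is nfslock, as the reply's commands imply), and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original thread: audit an nmap-style listing of
# listening ports against the services the poster accepts on a fresh install,
# then print the chkconfig commands from the reply for anything else that maps
# to a SysV initscript. The scan listing is constructed to mirror the post's
# table; the service-to-initscript mapping in initscript_for is an assumption.

# Constructed sample in the post's layout: "port/proto state service"
SCAN_SAMPLE='22/tcp open ssh
68/udp open dhcpclient
111/tcp open sunrpc
111/udp open sunrpc
123/udp open ntp
1010/udp open unknown
6000/tcp open X11'

# Services the poster considers justified on a default install
ALLOWED='ssh dhcpclient ntp'

# unexpected_ports SCAN ALLOWED
# Prints "port/proto service" for every open socket whose service name is not
# in the space-separated ALLOWED list.
unexpected_ports() {
    scan=$1; allowed=$2
    printf '%s\n' "$scan" | while read -r port state service; do
        [ "$state" = open ] || continue
        case " $allowed " in
            *" $service "*) ;;                        # expected, keep quiet
            *) printf '%s %s\n' "$port" "$service" ;; # not on the allowlist
        esac
    done
}

# initscript_for SERVICE
# Assumed mapping from a scanner's service name to the initscript the reply
# turns off with chkconfig (sunrpc -> portmap, rpc.statd -> nfslock, the NFS
# server -> nfs). Anything else prints nothing and is left for manual review:
# the X server on 6000/tcp, for instance, is not a SysV service.
initscript_for() {
    case $1 in
        sunrpc)                   echo portmap ;;
        status|rpc.statd|nfslock) echo nfslock ;;
        nfs|nfsd)                 echo nfs ;;
        *) ;;
    esac
}

# disable_commands SCAN ALLOWED
# Emits one "chkconfig --level 12345 <svc> off" per unexpected service with a
# known initscript (deduplicated, since portmap shows up on both tcp and udp)
# and a commented reminder for the rest. Review the output before piping it
# into sh; it is a worklist, not an auto-remediation.
disable_commands() {
    unexpected_ports "$1" "$2" | while read -r port service; do
        svc=$(initscript_for "$service")
        if [ -n "$svc" ]; then
            printf 'chkconfig --level 12345 %s off\n' "$svc"
        else
            printf '# %s (%s): no initscript mapping, review manually\n' \
                "$port" "$service"
        fi
    done | LC_ALL=C sort -u
}

disable_commands "$SCAN_SAMPLE" "$ALLOWED"
```

On a real box you would feed unexpected_ports the scanner's actual output in the same "port/proto state service" layout rather than the constructed sample; the allowlist is the policy decision from the post (ssh, ntp, dhcpclient), and every line the script prints is a port the default install opened that nobody asked for.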