RH Taroon Beta Open Ports

rhldevel at assursys.co.uk
Mon Aug 25 12:28:26 UTC 2003


On Mon, 25 Aug 2003, Felipe Alfaro Solana wrote:

> On Mon, 2003-08-25 at 13:50, rhldevel at assursys.co.uk wrote:
> > Hi -
> > 
> > I've just done a "complete" install of Taroon on a scratch box, with
> > iptables firewalling disabled. The following services are listening on
> > external network interfaces:
> > 
> > Port       State       Service
> > 22/tcp     open        ssh
> > 68/udp     open        dhcpclient
> > 111/tcp    open        sunrpc
> > 111/udp    open        sunrpc
> > 123/udp    open        ntp
> > 1010/udp   open        unknown
> > 6000/tcp   open        X11
> > 
> > ssh (we don't want to lock users out after an upgrade), ntp and dhcpclient
> > (both manually configured during install) are reasonably justified, IMHO,
> > but what is the justification for having rpc.statd, portmap and X11
> > listening by *default* (especially on a machine that hasn't been configured
> > to use NIS)?
> 
> rpc.statd and portmap aren't the exclusive domain of NIS.

Sure, but that was my best guess as to why they might be enabled by default
(but which would still be irrelevant to the installation scenario I gave).

> Both are enabled by default and used by NFS as client or server. I think
> they could be disabled by default instead of being enabled by default.
> 
> You can disable both services:
> 
> # chkconfig --level 12345 portmap off
> # chkconfig --level 12345 nfslock off
> 
> If you don't want the NFS server:
> 
> # chkconfig --level 12345 nfs off

*We* know this, but I suspect a large number of users don't and won't. I
wouldn't like for RH Linux to become the target of a worm with the impact of
Blaster, /even if/ the default RH firewall setup would prevent it, and errata
had already been released.

Leaving unnecessary ports open on a default install (firewall or not) is a
security and PR disaster waiting to happen, IMHO. There's no reason why a
an install shouldn't be more tolerant of user stupidity, especially when
turning those services on is no more difficult than turning them off. ;-)

Best Regards,
Alex.
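An audit of the quoted listing against the services the poster considered justified, added here as an example and not part of the original thread: the port table and the allowlist are constructed from the message above (not a live scan), and the function names unexpected_ports and unexpected_count are chosen for this example.

```shell
#!/bin/sh
# Constructed input: the "Port State Service" listing quoted in the thread,
# in the layout nmap printed at the time. Not a live scan.
SCAN='Port       State       Service
22/tcp     open        ssh
68/udp     open        dhcpclient
111/tcp    open        sunrpc
111/udp    open        sunrpc
123/udp    open        ntp
1010/udp   open        unknown
6000/tcp   open        X11'

# Services the poster accepted on a default install (ssh, ntp, dhcpclient).
ALLOWED='ssh dhcpclient ntp'

# unexpected_ports LISTING ALLOWLIST
# Prints "port service" for every open port whose service name is not in
# the space-separated allowlist. Always exits 0; use unexpected_count to
# decide pass/fail.
unexpected_ports() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 && $1 == "Port" { next }            # skip the header line
        $2 == "open" && !($3 in ok) { print $1, $3 }'
}

# unexpected_count LISTING ALLOWLIST: number of unexpected open ports.
unexpected_count() {
    unexpected_ports "$1" "$2" | wc -l | tr -d ' '
}

count=$(unexpected_count "$SCAN" "$ALLOWED")
if [ "$count" -eq 0 ]; then
    echo "no unexpected listeners"
else
    # On the thread's box these are sunrpc (portmap/rpc.statd), the unknown
    # UDP port and X11, i.e. the services the chkconfig lines above turn off.
    echo "$count unexpected listener(s) on a default install:"
    unexpected_ports "$SCAN" "$ALLOWED"
fi
```

The same functions can be pointed at a saved scan of any host to confirm that the services turned off with chkconfig have actually stopped listening.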
