RH Taroon Beta Open Ports

David T Hollis dhollis at davehollis.com
Mon Aug 25 17:05:57 UTC 2003


rhldevel at assursys.co.uk wrote:

>On Mon, 25 Aug 2003, Chris Ricker wrote:
>
>>On Mon, 25 Aug 2003 rhldevel at assursys.co.uk wrote:
>>
>>>There's always a trade-off between security and ease-of-use. What proportion
>>>of the installed base of Linux clients use RPC-based protocols? Not many I'd
>>>wager, suggesting that the trade-off can be biased towards security, with
>>>little-to-no impact on the majority of users.
>>>
>>Most Linux client systems, in my experience, are NFS clients and therefore 
>>need portmap, statd, and lockd out-of-the-box.
>>
>
>For libraries, labs, schools and universities, that wouldn't surprise me.
>Such organisations generally have good-to-excellent security awareness.
>
>But for small-to-medium businesses (who have the least security awareness
>and infrastructure) and home users (similarly), I'd categorically disagree.
>If any file/print sharing is happening in these environments, it's usually
>SMB based. Samba doesn't get enabled by default, so why the exception for
>portmap and rpc.statd?
>
>>later,
>>chris
>>
>
>Best Regards,
>Alex.
>
Apache is quite possibly used by more users than NFS and it is not 
enabled by default either.  I think that if portmap is really that 
necessary, and I don't think it is, having it configured to only listen 
on loopback - akin to the stock sendmail configuration - would be a good 
step.  If the admin wants to enable NFS, they tweak the config or a 
sysconfig entry and voila, they are on the network.  Asking an admin 
that wants to use NFS to do a couple of chkconfig statements is not 
much, especially when it reduces the network footprint of the stock install.




