HELP !! How to block port 111 - rpcbind at solaris 8,9 10 servers
underh20.scubadiving@gmail.com 2007-03-13, 7:17 pm
We have servers running solaris 8, 9 or 10. Our mgnt wants us to
restrict access to TCP and UDP ports 111 where portmapper is
listening.
Can one stop the "rpcbind" service ? If not, what's the workaround to
block this port ?
The "lsof -i:111" output below indicates the PID to be owned by
/usr/sbin/rpcbind. Can someone reassign rpcbind to run on another port or
stop it entirely?
# rpcinfo -p
program vers proto port service
100000 4 tcp 111 rpcbind
100000 3 tcp 111 rpcbind
100000 2 tcp 111 rpcbind
100000 4 udp 111 rpcbind
100000 3 udp 111 rpcbind
100000 2 udp 111 rpcbind
# lsof -i:111
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 517 root 3u IPv4 0x30000435838 0t0 UDP *:sunrpc (Idle)
rpcbind 517 root 6u IPv4 0x300001caf30 0t0 TCP *:sunrpc (LISTEN)
# ps -ef | grep 517
root 517 1 0 Mar 13? 0:00 /usr/sbin/rpcbind
Thanks for your assistance,
Bill
Mr. G D Geen 2007-03-13, 7:17 pm
underh20.scubadiving@gmail.com wrote:
> We have servers running solaris 8, 9 or 10. Our mgnt wants us to
> restrict access to TCP and UDP ports 111 where portmapper is
> listening.
> Can one stop the "rpcbind" service ? If not, what's the workaround to
> block this port ?
>
> The "lsof -i:111" output below indicates the PID to be owned by /usr/
> sbin/rpcbind. Can someone reassign rpcbind to run on another port or
> stop it entirely?
>
Do you or your management understand the purpose of the RPC port? Do
you understand how many networking protocols use RPC? If you run NIS or
NIS+, or NFS you need the RPC. Other software such as Oracle use RPC.
Check /etc/rpc for a list of protocols.
In Solaris 10, you use `svcadm disable /network/rpc/bind:default`
For a list of rpc services, `svcs -a |grep rpc`
-G
Oscar del Rio 2007-03-13, 7:17 pm
underh20.scubadiving@gmail.com wrote:
> We have servers running solaris 8, 9 or 10. Our mgnt wants us to
> restrict access to TCP and UDP ports 111 where portmapper is
> listening.
easy, block access with ipfilter.
Thommy M. Malmström 2007-03-14, 1:24 pm
underh20.scubadiving@gmail.com wrote:
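One concrete shape for the ipfilter suggestion above, as an added example that is not from the thread: a small shell function that emits an ipf rule set allowing TCP/UDP 111 only from one trusted subnet and logging everything else. The interface name and subnet are placeholders; on Solaris 10 the emitted rules would be placed in /etc/ipf/ipf.conf and loaded with `svcadm enable network/ipfilter` (or `ipf -Fa -f /etc/ipf/ipf.conf`).

```shell
# Emit ipfilter rules that restrict the portmapper (TCP/UDP 111) to a
# trusted subnet. Nothing is written to the system: the output is meant
# to be reviewed and then copied into /etc/ipf/ipf.conf.
#   $1  interface name, e.g. hme0          (placeholder)
#   $2  trusted subnet, e.g. 10.1.2.0/24   (constructed value)
# Hosts in the trusted subnet keep NFS/NIS working (they still reach
# rpcbind); every other source is dropped and logged, which gives a
# record of who is probing port 111 without breaking dependent services.
rpc_rules() {
    iface="$1"
    trusted="$2"
    cat <<EOF
# allow portmapper lookups from the trusted subnet only
pass in quick on $iface proto tcp from $trusted to any port = 111 flags S keep state
pass in quick on $iface proto udp from $trusted to any port = 111 keep state
# drop and log every other attempt to reach the portmapper
block in log quick on $iface proto tcp from any to any port = 111
block in log quick on $iface proto udp from any to any port = 111
EOF
}

# Count the rule lines that actually reference port 111; a quick sanity
# check that both protocols got a pass rule and a block rule.
rule_count() {
    rpc_rules "$1" "$2" | grep -c 'port = 111'
}

# Typical use (review first, then load as root on the Solaris box):
#   rpc_rules hme0 10.1.2.0/24 > /tmp/rpc111.conf
#   ipf -Fa -f /tmp/rpc111.conf   # load into the active rule set
#   ipfstat -io                   # confirm the rules are in place
#   ipmon -o I                    # watch logged (blocked) hits
# Then 'rpcinfo -p <server>' from an untrusted host should time out,
# while NFS/NIS clients inside the trusted subnet are unaffected.
```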
> We have servers running solaris 8, 9 or 10. Our mgnt wants us to
> restrict access to TCP and UDP ports 111 where portmapper is
> listening.
man hosts.allow
> Can one stop the "rpcbind" service ? If not, what's the workaround to
> block this port ?
>
Don't block it. Too much depends on it. Deny access in a controlled way.
> The "lsof -i:111" output below indicates the PID to be owned by /usr/
> sbin/rpcbind. Can someone reassign rpcbind to run on another port or
> stop it entirely?
>
>
> # rpcinfo -p
> program vers proto port service
> 100000 4 tcp 111 rpcbind
> 100000 3 tcp 111 rpcbind
> 100000 2 tcp 111 rpcbind
> 100000 4 udp 111 rpcbind
> 100000 3 udp 111 rpcbind
> 100000 2 udp 111 rpcbind
>
>
> # lsof -i:111
> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> rpcbind 517 root 3u IPv4 0x30000435838 0t0 UDP *:sunrpc
> (Idle)
> rpcbind 517 root 6u IPv4 0x300001caf30 0t0 TCP *:sunrpc
> (LISTEN)
>
>
> # ps -ef | grep 517
> root 517 1 0 Mar 13? 0:00 /usr/sbin/rpcbind
>
>
> Thanks for your assistance,
>
> Bill
>
Oscar del Rio 2007-03-14, 1:24 pm
Thommy M. Malmström wrote:
> underh20.scubadiving@gmail.com wrote:
>
> man hosts.allow
Not in Solaris 8 (probably not in Solaris 9 either) unless you
replace the rpcbind binary with a version that is tcpwrapper aware.
Thommy M. 2007-03-15, 7:24 pm
Oscar del Rio wrote:
> Thommy M. Malmström wrote:
>
> Not in Solaris 8 (probably not in Solaris 9 either) unless you
> replace the rpcbind binary with a version that is tcpwrapper aware.
Man, am I forgetting fast... You're right. But there are ssh packages for
that available.
Richard B. gilbert 2007-03-16, 1:19 pm
Mr. G D Geen wrote:
> underh20.scubadiving@gmail.com wrote:
>
>
> Do you or your management understand the purpose of the RPC port? Do
> you understand how many networking protocols use RPC? If you run NIS or
> NIS+, or NFS you need the RPC. Other software such as Oracle use RPC.
> Check /etc/rpc for a list of protocols.
>
> In Solaris 10, you use `svcadm disable /network/rpc/bind:default`
> For a list of rpc services, `svcs -a |grep rpc`
>
> -G
I'd suggest a "white mutiny" policy here. If management insists, get it
in writing and comply! Blind obedience and management can then live
with the consequences.
Another alternative is to look for a job at a company with smarter
management.
Michael Vilain 2007-03-17, 1:27 am
In article <45FAAF6E.1040003@comcast.net>,
"Richard B. gilbert" <rgilbert88@comcast.net> wrote:
> Mr. G D Geen wrote:
>
> I'd suggest a "white mutiny" policy here. If management insists, get it
> in writing and comply! Blind obedience and management can then live
> with the consequences.
>
> Another alternative is to look for a job at a company with smarter
> management.
Something like this happened to a colleague when he was an admin at LSI
Logic. Their network was a real hodge podge of bridged segments that
sort of grew out of unplanned primordial slime. They had a really
dangerous numbnuts for a boss who thought he knew about network design
and security.
Numbnuts ordered a router between 2 networks to be configured to no
longer bridge the two segments. The admin told him "that's not a good
idea and here's why". He even wrote a full document on why and cc-ed
Numbnuts' boss. He was told "Just do it." by the enraged boss. So the
admin did. Then he went on 2-week vacation, knowing that since he was
the only person who knew the network topology and how to fix the routers
would cause two departments to become totally isolated.
When the admin got back, he was ordered in Numbnuts' office, where he
promptly handed the guy his letter of resignation. It seems the boss
was going to fire him for "screwing up their network" for two weeks. HR
sympathized with the admin at his exit interview that he was just
"following orders", but he could have done it in a more politically
astute way.
Within a month of this incident, the entire system admin staff quit and
walked out en masse. Before LSI Logic restaffed, I think they found
another opportunity for Numbnuts--one that involved no direct reports.
Having it in writing won't make it any easier to fire you. It may get
you some money if you sue for wrongful termination. But that's sort of
a career limiting move, don't you think?
--
DeeDee, don't press that button! DeeDee! NO! Dee...