Date: Mon, 14 Jun 1999 10:18:59 +0000
From: Matthew Seaman <m.seaman@inpharmatica.co.uk>
To: Steve Grandi <grandi@noao.edu>
Cc: obrien@NUXI.com, freebsd-stable@FreeBSD.ORG
Subject: Re: amd and /etc/hosts.allow
Message-ID: <3764D713.5D8322EE@inpharmatica.co.uk>
References: <Pine.LNX.4.10.9906111525490.31042-100000@mirfak.tuc.noao.edu>
Steve Grandi wrote:

> The portion of /etc/hosts.allow that refers to portmap sure appears to me
> to be sufficient to let local hosts in:
>
> # Portmapper is used for all RPC services; protect your NFS!
> #portmap : localhost : allow
> #portmap : .noao.edu : allow
> #portmap : .evil.cracker.example.com : deny
> portmap : ALL : allow
>
> Any thoughts? The next time I can play with this system, I will start
> portmap with -v to see if any log entries are interesting.

The common experience on other Unices using portmap+tcp_wrappers is that
you can only use the keyword "ALL" or IP address/mask pairs to protect
portmap -- not host or domain names or NIS netgroups. This is documented
in the README that comes with the original Wietse Venema portmap_5beta
code, on which I believe FreeBSD portmap is based:

ftp://ftp.porcupine.org/pub/security/portmap_5beta.tar.gz

The README file says, in part:

> Access control:
> ---------------
>
> By default, host access control is enabled. However, the host that runs
> the portmapper is always considered authorized. The host access control
> tables are never consulted with requests from the local system itself;
> they are always consulted with requests from other hosts.
>
> In order to avoid deadlocks, the portmap program does not attempt to
> look up the remote host name or user name, nor will it try to match NIS
> netgroups. The upshot of all this is that only network number patterns
> will work for portmap access control.
>
> Sample entries for the host access-control files are:
>
> /etc/hosts.allow:
>     portmap: your.sub.net.number/your.sub.net.mask
>     portmap: 255.255.255.255 0.0.0.0
>
> /etc/hosts.deny
>     portmap: ALL: (/some/where/safe_finger -l @%h | mail root) &
>
> The syntax of the access-control files is described in the
> hosts_access.5 manual page that comes with the tcp wrapper (log_tcp)
> sources. The safe_finger command comes with later wrapper releases.
>
> The first line in the hosts.allow file permits access from all systems
> within your own subnet. Some rpc services rely on broadcasts and will
> contact your portmapper anyway; and once an intruder has access to your
> local network segment you're already in deep trouble.
>
> The second line in the hosts.allow file may be needed if there are
> any PC-NFS systems on your network segment.
>
> For security reasons, the portmap process drops root privileges after
> initialization. The access control files should therefore be readable
> for group or world.

Unless FreeBSD has changed portmap's behaviour in this respect, I suppose
it would be a good idea to make a note of this in the sample
/etc/hosts.allow file and the portmap(8) man page.

	Matthew

-- 
Certe, Toto, sentio nos in Kansate non iam adesse.

Dr. Matthew Seaman, Inpharmatica Ltd, 60 Charlotte St, London, W1P 2AX
Tel: +44 171 631 4644 x229   Fax: +44 171 631 4844
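As an added illustration (not part of this thread or of the portmap sources), a simplified Python model of the tcp_wrappers client-pattern match shows why a domain pattern such as ".noao.edu" can never match when portmap consults the tables without a resolved hostname, while a network/mask pattern does; the rule tables, the 192.0.2.0/24 subnet and the client names are constructed for the example.

```python
import ipaddress

# Simplified model of hosts.allow matching for portmap (added example,
# not the real tcp_wrappers code). portmap never resolves the client's
# hostname, so the matcher normally sees only the client IP address.

# Constructed rule tables: (daemon, space-separated client patterns).
HOSTS_ALLOW_BROKEN = [("portmap", ".noao.edu")]                # domain pattern
HOSTS_ALLOW_FIXED = [("portmap", "192.0.2.0/255.255.255.0")]   # net/mask pattern
HOSTS_ALLOW_PCNFS = [("portmap", "255.255.255.255 0.0.0.0")]   # README's 2nd line


def match_pattern(pattern, client_ip, client_host=None):
    """Return True if one hosts.allow client pattern matches the client."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        # Domain pattern: needs a resolved hostname, which portmap never has.
        return client_host is not None and client_host.endswith(pattern)
    if pattern.endswith("."):
        # Network-number prefix, e.g. "192.0.2." matches 192.0.2.x.
        return client_ip.startswith(pattern)
    if "/" in pattern:
        # net/mask pair, the form the portmap README recommends.
        net, mask = pattern.split("/", 1)
        network = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        return ipaddress.IPv4Address(client_ip) in network
    # Otherwise an exact address match (covers 255.255.255.255 and 0.0.0.0).
    return pattern == client_ip


def allowed(rules, daemon, client_ip, client_host=None):
    """hosts.allow semantics: the first matching rule for the daemon grants access."""
    for rule_daemon, clients in rules:
        if rule_daemon not in (daemon, "ALL"):
            continue
        for pattern in clients.split():
            if match_pattern(pattern, client_ip, client_host):
                return True
    return False


if __name__ == "__main__":
    # Same client, same rule: only the name-aware lookup (which portmap
    # does not perform) lets the domain pattern match.
    print(allowed(HOSTS_ALLOW_BROKEN, "portmap", "192.0.2.17"))
    print(allowed(HOSTS_ALLOW_BROKEN, "portmap", "192.0.2.17", "nfs1.noao.edu"))
    print(allowed(HOSTS_ALLOW_FIXED, "portmap", "192.0.2.17"))
```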