https://community.hpe.com/t5/operating-system-hp-ux/change-port-for-rpc-mountd/m-p/3491070#M214910 Check your /etc/services file.<BR /><BR />NFS is inherently insecure and there is nothing you can do about it if you need to use NFS, which most HP-UX systems need at least the client portion.<BR /><BR />SEP Tue, 22 Feb 2005 15:24:18 GMT Steven E. Protter 2005-02-22T15:24:18Z https://community.hpe.com/t5/operating-system-hp-ux/change-port-for-rpc-mountd/m-p/3491069#M214909 Our systems get scanned by another group that uses ISS. We got the vulnerability:<BR /><BR />MountdReserved: NFS mount daemon operating on an non-reserved port<BR />(Yes the bad grammar was in there)<BR /><BR />Is there a way to change the port that rpc.mountd runs on so it's a privileged port? I don't see anything in the man pages and have never tried this before. I saw an earlier post from someone using TruUnix, but he said he used the "-p" option and it worked out. My man page for mountd shows that "-p" is obsolete (and when I tried it, rpc.mountd ran on about the same port).<BR /><BR />We're running HPUX 11.11. Fairly well patched-up. Tue, 22 Feb 2005 15:20:48 GMT https://community.hpe.com/t5/operating-system-hp-ux/change-port-for-rpc-mountd/m-p/3491069#M214909 Tom Fellowes 2005-02-22T15:20:48Z https://community.hpe.com/t5/operating-system-hp-ux/change-port-for-rpc-mountd/m-p/3491070#M214910 Check your /etc/services file.<BR /><BR />NFS is inherently insecure and there is nothing you can do about it if you need to use NFS, which most HP-UX systems need at least the client portion.<BR /><BR />SEP Tue, 22 Feb 2005 15:24:18 GMT https://community.hpe.com/t5/operating-system-hp-ux/change-port-for-rpc-mountd/m-p/3491070#M214910 Steven E. Protter 2005-02-22T15:24:18Z https://community.hpe.com/t5/operating-system-hp-ux/change-port-for-rpc-mountd/m-p/3491071#M214911 <BR />if you don't need NFS, then shut it down! <BR /><BR />"-p" is obsolete<BR /><BR />For HP-UX 11.00, 11.11, and 11.22:<BR />Apply the appropriate patch for your system, as listed in Hewlett-Packard Company Security Bulletin HPSBUX0308-272. See References.<BR />(<A href="http://xforce.iss.net/xforce/xfdb/347)" target="_blank">http://xforce.iss.net/xforce/xfdb/347)</A><BR /><BR /><BR />live free or die<BR />harry Tue, 22 Feb 2005 15:37:41 GMT https://community.hpe.com/t5/operating-system-hp-ux/change-port-for-rpc-mountd/m-p/3491071#M214911 harry d brown jr 2005-02-22T15:37:41Z https://community.hpe.com/t5/operating-system-hp-ux/change-port-for-rpc-mountd/m-p/3491072#M214912 Hi Tom,<BR /><BR />Well the standard NFS port is 2049/udp or 2049/tcp &amp; the status port 1110/udp with the keepalive 1110/tcp.<BR />These are the *standard* ports.<BR /><BR />If they are expecting you to run it on a port &lt; 1024 then NFS could *only* be used by root because *normal* users cannot access ports below that.<BR />Would kind of make automount &amp; autofs useless for those users.<BR /><BR />Rgds,<BR />Jeff Tue, 22 Feb 2005 15:41:33 GMT https://community.hpe.com/t5/operating-system-hp-ux/change-port-for-rpc-mountd/m-p/3491072#M214912 Jeff Schussele 2005-02-22T15:41:33Z https://community.hpe.com/t5/operating-system-hp-ux/change-port-for-rpc-mountd/m-p/3491073#M214913 The only ways to run a "secure" nfs is to either tunnel it through IP-SEC, or to install NFS version 4, and setup Kerberos authentication etc.<BR /><BR />You're biggest security hole when running NFS is not actually NFS itself, it's the "portmapper" service that it uses to advertise the available ports. Wed, 23 Feb 2005 02:39:41 GMT https://community.hpe.com/t5/operating-system-hp-ux/change-port-for-rpc-mountd/m-p/3491073#M214913 Andrew Cowan 2005-02-23T02:39:41Z