
Change port for rpc.mountd

 
Tom Fellowes
Advisor


Our systems get scanned by another group that uses ISS. We got the vulnerability:

MountdReserved: NFS mount daemon operating on an non-reserved port
(Yes the bad grammar was in there)

Is there a way to change the port that rpc.mountd runs on so it's a privileged port? I don't see anything in the man pages and have never tried this before. I saw an earlier post from someone using TruUnix, but he said he used the "-p" option and it worked out. My man page for mountd shows that "-p" is obsolete (and when I tried it, rpc.mountd ran on about the same port).

We're running HPUX 11.11. Fairly well patched-up.
Steven E. Protter
Exalted Contributor

Re: Change port for rpc.mountd

Check your /etc/services file.

NFS is inherently insecure and there is nothing you can do about it if you need to use NFS, which most HP-UX systems need at least the client portion.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
harry d brown jr
Honored Contributor

Re: Change port for rpc.mountd


If you don't need NFS, then shut it down!

"-p" is obsolete

For HP-UX 11.00, 11.11, and 11.22:
Apply the appropriate patch for your system, as listed in Hewlett-Packard Company Security Bulletin HPSBUX0308-272. See References.
(http://xforce.iss.net/xforce/xfdb/347)


live free or die
harry
Live Free or Die
Jeff Schussele
Honored Contributor

Re: Change port for rpc.mountd

Hi Tom,

Well the standard NFS port is 2049/udp or 2049/tcp & the status port 1110/udp with the keepalive 1110/tcp.
These are the *standard* ports.

If they are expecting you to run it on a port < 1024 then NFS could *only* be used by root because *normal* users cannot access ports below that.
Would kind of make automount & autofs useless for those users.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Andrew Cowan
Honored Contributor

Re: Change port for rpc.mountd

The only ways to run a "secure" NFS are to either tunnel it through IP-SEC, or to install NFS version 4 and set up Kerberos authentication etc.

Your biggest security hole when running NFS is not actually NFS itself, it's the "portmapper" service that it uses to advertise the available ports.
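
As an added example (not posted by anyone in this thread), one way to reproduce the scanner's MountdReserved check locally is to parse `rpcinfo -p` output and list every mountd (RPC program 100005) endpoint registered at or above port 1024. The sample portmapper output, its port numbers and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: list rpc.mountd endpoints that the portmapper advertises
# on non-reserved ports (>= 1024). 100005 is mountd's RPC program number.

# Constructed sample of `rpcinfo -p` output (not taken from a real host).
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100005    1   udp  49172  mountd
    100005    3   udp  49172  mountd
    100005    1   tcp  49175  mountd
    100005    3   tcp  49175  mountd
EOF
}

# Reads `rpcinfo -p` text on stdin and prints one "proto/port" line per
# distinct mountd endpoint bound at or above 1024. Several program versions
# usually share one port, so duplicates are collapsed. Prints nothing when
# every mountd registration is on a reserved port.
mountd_nonreserved() {
    awk '
        $1 == "100005" && $4 ~ /^[0-9]+$/ && $4 + 0 >= 1024 {
            key = $3 "/" $4
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# Demonstration on the constructed sample. On a live host, run instead:
#   rpcinfo -p | mountd_nonreserved
sample_rpcinfo | mountd_nonreserved
```
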