Operating System - HP-UX

How is possible to Protect portmap ?

Giuseppe_13
Frequent Advisor

How is possible to Protect portmap ?

Is it possible to restrict access to the portmap service by configuring an access list?

Example: it is possible to restrict access to telnet, ftp, remsh, rexec and rlogin by configuring an access list in the file /var/adm/inetd.sec.

How about portmap?
Thanks
VEL_1
Valued Contributor

Re: How is possible to Protect portmap ?

Hi,

You can do it based on service name. See the following link:

http://docs.hp.com/en/B2355-90685/ch02s04.html

Muthukumar_5
Honored Contributor

Re: How is possible to Protect portmap ?

I think inetd.sec will restrict any service access from remote.

-- machine 1 /var/adm/inetd.sec --
portmap deny

# restart inetd
inetd -c

Try to mount machine1's share in machine2 and access it.

hth.
Easy to suggest when don't know about the problem!
Muthukumar_5
Honored Contributor

Re: How is possible to Protect portmap ?

Sorry. You have to deny service to rpcbind, which is aliased as:

rpcbind 100000 portmap sunrpc rpcbind

Try to block it in /var/adm/inetd.sec with the rpcbind service:

rpcbind deny

hth.
Easy to suggest when don't know about the problem!
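As an added illustration (not code from this thread or from HP-UX), the following POSIX shell/awk script evaluates an inetd.sec-style access list offline, so an entry such as "rpcbind deny <host>" can be checked before it is put in front of a live service. It runs against a constructed sample file, not a real /var/adm/inetd.sec, and assumes the format used in the replies: one line per service, "service allow|deny hosts...", with "*" wildcards and "lo-hi" ranges in dotted-address fields. The treatment of an entry with no hosts (allow with an empty list permits nobody, deny with an empty list blocks nobody) and first-entry-wins for a duplicated service line are assumptions made for this example. Note that the service name must be the one inetd knows (rpcbind), not the alias portmap, which is the correction made above.

```shell
#!/bin/sh
# Added example: evaluate an inetd.sec-style access list offline.
# Constructed sample file (NOT a real /var/adm/inetd.sec).
INETD_SEC="${TMPDIR:-/tmp}/inetd.sec.sample.$$"
trap 'rm -f "$INETD_SEC"' EXIT
cat > "$INETD_SEC" <<'EOF'
# service   allow|deny   hosts / addresses          (constructed example)
rpcbind     deny         138.132.95.43 10.9.*
telnet      allow        10.1.2.1-20 admin-host
ftp         deny
EOF

# inetd_sec_decision SERVICE HOST [FILE]
# Prints "allow" or "deny" for HOST (hostname or dotted IPv4 address)
# requesting SERVICE, using the inetd.sec-style FILE (default: the sample).
# Assumed rules: no entry -> allow; "allow" lists the only permitted hosts
# (an empty list permits nobody); "deny" lists the blocked hosts (an empty
# list blocks nobody); the first entry for a service wins.
inetd_sec_decision() {
    awk -v svc="$1" -v host="$2" '
    # One dotted field of a pattern against one field of the address:
    # "*" matches anything, "lo-hi" is an inclusive numeric range.
    function field_ok(pat, val,    r, lo, hi) {
        if (pat == "*") return 1
        if (index(pat, "-") > 0) {
            split(pat, r, "-"); lo = r[1] + 0; hi = r[2] + 0
            return (val + 0 >= lo && val + 0 <= hi)
        }
        return pat == val
    }
    # Whole pattern against the host: exact name/address match, or a
    # field-by-field wildcard/range match for dotted IPv4 patterns.
    # A shorter pattern such as 10.9.* matches every address under 10.9.
    function addr_match(pat, h,    pf, hf, np, nh, i) {
        if (pat == h) return 1
        if (h !~ /^[0-9.]+$/ || pat !~ /^[0-9.*-]+$/) return 0
        np = split(pat, pf, "."); nh = split(h, hf, ".")
        if (np > nh) return 0
        for (i = 1; i <= np; i++) if (!field_ok(pf[i], hf[i])) return 0
        return 1
    }
    $1 ~ /^#/ || NF == 0 { next }            # comments and blank lines
    $1 == svc && !done {
        done = 1
        mode = tolower($2)
        matched = 0
        for (i = 3; i <= NF; i++) if (addr_match($i, host)) matched = 1
        if (mode == "allow") verdict = (matched ? "allow" : "deny")
        else                 verdict = (matched ? "deny"  : "allow")
    }
    END { print (done ? verdict : "allow") }
    ' "${3:-$INETD_SEC}"
}

# Demonstration against the sample file: service, host -> decision.
for probe in "rpcbind 138.132.95.43" "rpcbind 138.132.95.55" "rpcbind 10.9.7.7" \
             "telnet 10.1.2.15" "telnet 10.1.2.21" "telnet admin-host" \
             "ftp 192.0.2.1" "rlogin 192.0.2.1"; do
    set -- $probe
    printf '%-8s %-15s -> %s\n' "$1" "$2" "$(inetd_sec_decision "$1" "$2")"
done
```

The script only reads a file, so it can be pointed at a copy of a production inetd.sec with "inetd_sec_decision rpcbind <client-address> /path/to/copy" to confirm what the entry is expected to do for a given client before relying on it.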
Arunvijai_4
Honored Contributor

Re: How is possible to Protect portmap ?

You can do the same with TCP-Wrappers,

http://hpux.connect.org.uk/hppd/hpux/Networking/Admin/tcp_wrappers-7.6/

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
Giuseppe_13
Frequent Advisor

Re: How is possible to Protect portmap ?

After /var/adm/inetd.sec configuration with the string:

rpcbind deny hostname,

how can I verify that access to the portmap service is denied for that hostname?

Muthukumar_5
Honored Contributor

Re: How is possible to Protect portmap ?

You can export a file system and mount it from remote machine.

# Machine1 - local machine
# mkdir /tmp/testfs
# touch /tmp/testfs/okie
# exportfs -iv /tmp/testfs

# Machine2 - Remote Machine
# mkdir /tmp/mountfs
# mount machine1:/tmp/testfs /tmp/mountfs

# From Machine1
# rpcinfo -p machine2

# From Machine2
# rpcinfo -p machine1

Are you seeing rpcbind there ?

hth.
Easy to suggest when don't know about the problem!
Giuseppe_13
Frequent Advisor

Re: How is possible to Protect portmap ?

Test executed:

in Machine1 /var/adm/inetd.sec:
rpcbind deny Machine2

Machine1 - local machine
# mkdir /tmp/testfs OK
# touch /tmp/testfs/okie OK
# exportfs -iv /tmp/testfs OK

# Machine2 - Remote Machine
# mkdir /tmp/mountfs
# mount machine1:/tmp/testfs /tmp/mountfs :

ic9sh14_root> mount 138.132.95.55:/tmp/testfs /tmp/mountfs
nfs mount: get_fh: 138.132.95.55:: RPC: Program not registered
nfs mount: get_fh: 138.132.95.55:: RPC: Program not registered
nfs mount: retry: retrying(1) for: /tmp/mountfs after 5 seconds
nfs mount: retry: giving up on: /tmp/mountfs
ic9sh14_root> rpcinfo -p 138.132.95.55 (Machine1)
program vers proto port service
100000 4 tcp 111 rpcbind
100000 3 tcp 111 rpcbind
100000 2 tcp 111 rpcbind
100000 4 udp 111 rpcbind
100000 3 udp 111 rpcbind
100000 2 udp 111 rpcbind
805306352 1 tcp 883
100068 2 udp 49153 cmsd
100068 2 tcp 951 cmsd
100068 3 udp 49153 cmsd
100068 3 tcp 951 cmsd
100068 4 udp 49153 cmsd
100068 4 tcp 951 cmsd
100068 5 udp 49153 cmsd
100068 5 tcp 951 cmsd
ic9sh14_root>

ic2su006 # rpcinfo -p 138.132.95.43 (Machine2)
program vers proto port service
100000 4 tcp 111 rpcbind
100000 3 tcp 111 rpcbind
100000 2 tcp 111 rpcbind
100000 4 udp 111 rpcbind
100000 3 udp 111 rpcbind
100000 2 udp 111 rpcbind
100024 1 tcp 49152 status
100024 1 udp 49153 status
100021 1 tcp 49153 nlockmgr
100021 1 udp 49156 nlockmgr
100021 3 tcp 49154 nlockmgr
100021 3 udp 49157 nlockmgr
100021 4 tcp 49155 nlockmgr
100021 4 udp 49158 nlockmgr
100020 1 udp 4045 llockmgr
100020 1 tcp 4045 llockmgr
100021 2 tcp 49156 nlockmgr
100068 2 udp 49163 cmsd
100068 3 udp 49163 cmsd
100068 4 udp 49163 cmsd
100068 5 udp 49163 cmsd
805306352 1 tcp 924
100005 1 udp 49319 mountd
100005 3 udp 49319 mountd
100005 1 tcp 49214 mountd
100005 3 tcp 49214 mountd
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
Not OK.

giuseppe
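An added example for the verification step (not part of the thread): the two rpcinfo -p listings above, saved as text, summarised with a small POSIX shell/awk script. It lists the distinct registered services and checks for the three program numbers an NFS mount depends on (100000 rpcbind, 100005 mountd, 100003 nfs). Run on the Machine1 listing it reports mountd and nfs as unregistered, which matters when reading the "RPC: Program not registered" messages: that error is the client saying the program it asked the server's rpcbind for has no registration, so by itself the failed mount does not prove that the inetd.sec entry is what blocked it. The sample rows are copied from the post (the Machine2 listing shortened to a few rows) and are used here as test data, not live output.

```shell
#!/bin/sh
# Added example: summarise saved "rpcinfo -p" output and check whether the
# programs an NFS client needs are registered on the server.
# Both samples are copied from the listings in the post above (Machine1 in
# full, Machine2 reduced to a few rows); they are test data, not live output.
RPCINFO_M1="${TMPDIR:-/tmp}/rpcinfo.m1.$$"
RPCINFO_M2="${TMPDIR:-/tmp}/rpcinfo.m2.$$"
trap 'rm -f "$RPCINFO_M1" "$RPCINFO_M2"' EXIT
cat > "$RPCINFO_M1" <<'EOF'
program vers proto port service
100000 4 tcp 111 rpcbind
100000 3 tcp 111 rpcbind
100000 2 tcp 111 rpcbind
100000 4 udp 111 rpcbind
100000 3 udp 111 rpcbind
100000 2 udp 111 rpcbind
805306352 1 tcp 883
100068 2 udp 49153 cmsd
100068 2 tcp 951 cmsd
100068 3 udp 49153 cmsd
100068 3 tcp 951 cmsd
100068 4 udp 49153 cmsd
100068 4 tcp 951 cmsd
100068 5 udp 49153 cmsd
100068 5 tcp 951 cmsd
EOF
cat > "$RPCINFO_M2" <<'EOF'
program vers proto port service
100000 4 tcp 111 rpcbind
100000 2 udp 111 rpcbind
100024 1 tcp 49152 status
100021 4 tcp 49155 nlockmgr
100005 1 udp 49319 mountd
100005 3 tcp 49214 mountd
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
EOF

# rpc_service_names FILE: distinct service names, sorted; a program with no
# name in the listing is reported as unknown-<number>.
rpc_service_names() {
    awk '$1 == "program" || NF == 0 { next }
         { name = (NF >= 5) ? $5 : "unknown-" $1
           if (!(name in seen)) { seen[name] = 1; print name } }' "$1" | sort
}

# rpc_has_program FILE PROGNUM: exit 0 if PROGNUM appears in the listing.
rpc_has_program() {
    awk -v p="$2" '$1 == p { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# rpc_missing_nfs_programs FILE: prints the program numbers a client's mount
# needs that are NOT registered: 100000 rpcbind, 100003 nfs, 100005 mountd.
# Empty output means the server side is registered; a missing program is the
# condition a client reports as "RPC: Program not registered".
rpc_missing_nfs_programs() {
    missing=""
    for p in 100000 100003 100005; do
        rpc_has_program "$1" "$p" || missing="${missing:+$missing }$p"
    done
    echo "$missing"
}

# Report for both saved listings.
for f in "$RPCINFO_M1" "$RPCINFO_M2"; do
    echo "== $f"
    printf 'registered services: '; rpc_service_names "$f" | tr '\n' ' '; echo
    m=$(rpc_missing_nfs_programs "$f")
    echo "missing NFS programs: ${m:-none}"
done
```

To use it on a real system, save the output of "rpcinfo -p <server>" to a file and pass that file to the functions; an empty result from rpc_missing_nfs_programs means the server side is registered and a mount failure should then be investigated in the access control (inetd.sec or TCP-Wrappers) rather than in the NFS daemons.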
Arunvijai_4
Honored Contributor

Re: How is possible to Protect portmap ?

Try TCP-Wrappers, it's very easy to configure. Take a look at the TCP-Wrappers man page for more details.

http://hpux.connect.org.uk/hppd/hpux/Networking/Admin/tcp_wrappers-7.6/man.html

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
Muthukumar_5
Honored Contributor

Re: How is possible to Protect portmap ?

Check this:

nfs mount: get_fh: 138.132.95.55:: RPC: Program not registered
nfs mount: get_fh: 138.132.95.55:: RPC: Program not registered
nfs mount: retry: retrying(1) for: /tmp/mountfs after 5 seconds
nfs mount: retry: giving up on: /tmp/mountfs
ic9sh14_root> rpcinfo -p 138.132.95.55 (Machine1)

It is blocking the mount of machine1's source, right? Just revert the scenario: remove rpcbind from machine1's /var/adm/inetd.sec and reconfigure inetd (inetd -c).

# Now try to mount it. Did it succeed?

If it succeeded, then rpcbind is restricted at the nfs level.

hth.
Easy to suggest when don't know about the problem!
Muthukumar_5
Honored Contributor

Re: How is possible to Protect portmap ?

Just another piece of information:

# Try the mounting without rpcbind restriction

# Try the mounting with rpcbind restriction, with the following:

a) restart nfs.server, nfs.client service in local machine.
b) collect rpcinfo -p from machine1 also.

hth.

Easy to suggest when don't know about the problem!