Re: NIS and NIS+ ephemeral ports

[Oliver_Friedrichs () NAI COM (Friedrichs, Oliver)]

> In effect this means that I can write scripts to connect directly to the
port
> and by-pass the portmapper.  Why is this bad?  Well because a lot of sites
> just block 111 (portmapper) and leave the rest open (ftp other stuff might
> need them).  In addition, since it doesn't run from inetd, I am pretty sure
> you can't run tcpwrappers.  Since it bypasses the portmapper, a secure
> portmapper isn't much good either.  So if I can guess the high port, I can,
> in the case of NIS, get the hashed passwds quite easily.

I would say this is "as-designed" (even though it has security
consequences).  Solaris starts allocating unreserved ports in the
32xxx range, other OS's start above 1024 (the only OS I know of which
actually allocates ports randomly is OpenBSD).  The intention of the port
allocation and the purpose of portmapper was never to provide security.
Unless you change your system configuration, those services will
probably always be listening on the same port.  While this isn't
exactly a benefit to security in this day and age, making the ports
random won't help either.  It's quite easy to find RPC services
without a portmapper running by finding open UDP ports, and then
interating through all known program/version numbers.

The solution comes down to blocking everything you don't need at
your firewall.

- Oliver
  Network Associates, Inc.