Re: RH Taroon Beta Open Ports

[David T Hollis <dhollis davehollis com>]

rhldevel assursys co uk wrote:

> On Mon, 25 Aug 2003, Chris Ricker wrote:
>
>  
>
> > On Mon, 25 Aug 2003 rhldevel assursys co uk wrote:
> >
> >    
> >
> > > There's always a trade-off between security and ease-of-use. What proportion
> > > of the installed base of Linux clients use RPC-based protocols? Not many I'd
> > > wager, suggesting that the trade-off can be biased towards security, with
> > > little-to-no impact on the majority of users.
> > >      
> > Most Linux client systems, in my experience, are NFS clients and therefore 
> > need portmap, statd, and lockd out-of-the-box.
> >    
>
> For libraries, labs, schools and universities, that wouldn't surprise me.
> Such organisations generally have good-to-excellent security awareness.
>
> But for small-to-medium businesses (who have the least security awareness
> and infrastructure) and home users (similarly), I'd categorically disagree.
> If any file/print sharing is happening in these environments, it's usually
> SMB based. Samba doesn't get enabled by default, so why the exception for
> portmap and rpc.statd?
>
>  
>
> > later,
> > chris
> >    
>
> Best Regards,
> Alex.
>
>
> --
> Rhl-devel-list mailing list
> Rhl-devel-list redhat com
> http://www.redhat.com/mailman/listinfo/rhl-devel-list
>  
Apache is quite possibly used in by more users than NFS and it is not 
enabled by default either.  I think that if portmap is really that 
necessary, and I don't think it is, having it configured to only listen 
on loopback - akin to the stock sendmail configuration - would be a good 
step.  If the admin wants to enable NFS, they tweak the config or a 
sysconfig entry and voila, they are on the network.  Asking an admin 
that wants to use NFS to do a couple of chkconfig statements is not 
much, especially when it reduces the network footprint of the stock install.