RH Taroon Beta Open Ports
David T Hollis
dhollis at davehollis.com
Mon Aug 25 17:05:57 UTC 2003
rhldevel at assursys.co.uk wrote:
>On Mon, 25 Aug 2003, Chris Ricker wrote:
>
>
>
>>On Mon, 25 Aug 2003 rhldevel at assursys.co.uk wrote:
>>
>>
>>
>>>There's always a trade-off between security and ease-of-use. What proportion
>>>of the installed base of Linux clients use RPC-based protocols? Not many I'd
>>>wager, suggesting that the trade-off can be biased towards security, with
>>>little-to-no impact on the majority of users.
>>>
>>>
>>Most Linux client systems, in my experience, are NFS clients and therefore
>>need portmap, statd, and lockd out-of-the-box.
>>
>>
>
>For libraries, labs, schools and universities, that wouldn't surprise me.
>Such organisations generally have good-to-excellent security awareness.
>
>But for small-to-medium businesses (who have the least security awareness
>and infrastructure) and home users (similarly), I'd categorically disagree.
>If any file/print sharing is happening in these environments, it's usually
>SMB based. Samba doesn't get enabled by default, so why the exception for
>portmap and rpc.statd?
>
>
>
>>later,
>>chris
>>
>>
>
>Best Regards,
>Alex.
>
>
>--
>Rhl-devel-list mailing list
>Rhl-devel-list at redhat.com
>http://www.redhat.com/mailman/listinfo/rhl-devel-list
>
>
Apache is quite possibly used in by more users than NFS and it is not
enabled by default either. I think that if portmap is really that
necessary, and I don't think it is, having it configured to only listen
on loopback - akin to the stock sendmail configuration - would be a good
step. If the admin wants to enable NFS, they tweak the config or a
sysconfig entry and voila, they are on the network. Asking an admin
that wants to use NFS to do a couple of chkconfig statements is not
much, especially when it reduces the network footprint of the stock install.
More information about the fedora-devel-list
mailing list