Dirk Wetter wrote:
> Hi,
>
> I remember a discussion a while back about the portmapper
> still running in the secure by default configuration. IIRC
> somebody said it is protected by tcp wrapper rules and only
> accessible from localhost per default to allow legacy service
> the access.
>
> On a freshly installed snv_65 this is not the case:
>
> mybox:~ # nmap -A remotehost
>
> Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-08 18:38 CEST
> Interesting ports on remotehost (192.168.110.20):
> Not shown: 1695 closed ports
> PORT    STATE SERVICE VERSION
> 22/tcp  open  ssh     SunSSH 1.1 (protocol 2.0)
> 111/tcp open  rpcbind 2-4 (rpc #100000)
> MAC Address: 00:D0:59:B6:82:11 (Ambit Microsystems)
> Device type: general purpose
> Running: Sun Solaris 9|10
> OS details: Sun Solaris 9 or 10
> Uptime: 0.318 days (since Fri Jun 8 11:01:20 2007)
> Network Distance: 1 hop
>
> OS and Service detection performed. Please report any incorrect results at
> http://insecure.org/nmap/submit/ .
> Nmap finished: 1 IP address (1 host up) scanned in 53.233 seconds
> myhost:~ # rpcinfo -p remotehost
>    program vers proto   port
>     100000    4   tcp    111  portmapper
>     100000    3   tcp    111  portmapper
>     100000    2   tcp    111  portmapper
>     100000    4   udp    111  portmapper
>     100000    3   udp    111  portmapper
>     100000    2   udp    111  portmapper
> myhost:~ #
>
>
> Is this a regression or is my memory wrong?

Your memory is correct. Secure by Default leaves rpcbind enabled (so
nmap will show port 111 as open), but it will only accept requests from
the local system. You can verify that rpcbind is in local-only mode as
follows:

    # svccfg -s rpc/bind listprop config/local_only
    config/local_only  boolean  true

So your nmap output is not surprising, but rpcinfo from a remote system
should look like this:

    $ rpcinfo -p remotehost
    rpcinfo: can't contact portmapper: RPC: Authentication error; why = Failed (unspecified error)

Since your system is responding to remote rpcinfo requests, it appears
that config/local_only is set to false. This may have occurred as a side
effect of enabling other services that require rpcbind. For example,
mounting or exporting an NFS file system would have this effect.

Scott
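
Added example, not part of the original message: a shell script that applies the two checks described above, reading the `config/local_only` property and the remote `rpcinfo -p` result and reporting whether they agree. The function names and verdict labels are assumptions made for illustration, and the sample inputs are constructed from the outputs quoted in this thread.

```shell
#!/bin/sh
# Added example (not from the original thread). Function names and verdict
# labels are illustrative assumptions.

# Read `svccfg -s rpc/bind listprop config/local_only` output on stdin;
# print true or false, or unknown if the property line is absent.
parse_local_only() {
    awk '$1 == "config/local_only" && $2 == "boolean" { v = $3 }
         END { if (v == "true" || v == "false") print v; else print "unknown" }'
}

# Read `rpcinfo -p <host>` output (stdout and stderr) on stdin; print yes if
# the portmapper returned a program listing, no if contact was refused.
remote_answers() {
    awk '/can.t contact portmapper/ { refused = 1 }
         $1 == "100000" && $4 == "111" { listed = 1 }
         END { if (listed && !refused) print "yes"; else print "no" }'
}

# Combine both observations: $1 = local_only value, $2 = remote answer.
classify() {
    case "$1:$2" in
        true:no)   echo "local-only" ;;    # the Secure by Default state
        false:yes) echo "exposed" ;;       # rpcbind serves remote clients
        true:yes)  echo "inconsistent" ;;  # property and behaviour disagree
        false:no)  echo "unreachable" ;;   # not local-only, but no reply seen
        *)         echo "unknown" ;;
    esac
}

# Constructed sample inputs, modelled on the outputs quoted in this thread.
SVCCFG_FALSE='config/local_only  boolean  false'
RPCINFO_LISTING='   program vers proto   port
    100000    4   tcp    111  portmapper
    100000    2   udp    111  portmapper'

# On a live system the inputs would come from:
#   svccfg -s rpc/bind listprop config/local_only | parse_local_only
#   rpcinfo -p remotehost 2>&1 | remote_answers    (run from another host)
lo=$(printf '%s\n' "$SVCCFG_FALSE" | parse_local_only)
ra=$(printf '%s\n' "$RPCINFO_LISTING" | remote_answers)
echo "local_only=$lo remote_answers=$ra verdict=$(classify "$lo" "$ra")"
```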