Chris Davies wrote:
> Gil Shwed (gil @
> : > router that blocks all IP packets for port 0-24,26-1024, leaving port
> : Moreover, in the design you quoted, you are leaving all ports >1024 open,
> : which leaves your system exposed and *vulnerable* to dangerous attacks:
> : 1. Cracking your yellow pages (NIS) databases. (RPC/UDP)
> : 2. Fetching Files (NFS)
> : 3. X11 attacks.
> : 4. Many other open services.
> Er, point (3) is fair enough (ports 6000-60nn and 7000) but why (1) and
> (2)? I thought that these RPC based services had to go via the
> portmapper (port 111)? Or is it that the actual services are on
> anonymous ports up in the >1024 range and that a port scanner could
> find them (eventually)?
(1) RPC services are on anonymous ports (they are *not* pre-determined),
the portmapper (sunrpc, port 111) is used only for the
program-number -> port-number mapping. Scanning is very easy since RPC
services usually find themselves on ports just over 1023. RPC/YP scanners
like these were used by Internet intruders, and had very successful
(2) Though NFS is an RPC service, it uses port 2049 on standard systems.
(4) Many services also use >1023 ports. Recent Internet attacks
showed trojan horses getting through other holes (SMTP), waiting for
root shells from the net...
-- Gil Shwed
-- CheckPoint Software Technologies
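To make the point of this exchange concrete, here is an added example (not code from either poster) that models a first-match router ACL and runs constructed sample packets through both the quoted "block 0-24, 26-1024" design and a default-deny policy. The port numbers are the ones named in the thread (sunrpc 111, NFS 2049, X11 6000) plus an assumed anonymous RPC port, 32771, standing in for a YP service that registered just above 1023.

```python
# Rule: (action, proto or None for any, low_port, high_port).
# Evaluated top-down, first match wins, like a screening router's filter list.
QUOTED_ROUTER = [
    ("drop", None, 0, 24),
    ("drop", None, 26, 1024),
    ("accept", None, 0, 65535),   # everything else, i.e. all ports > 1024, passes
]

# Corrected policy: permit only the services you intend to expose, deny the rest.
INTENDED_ALLOW = {("tcp", 25)}    # SMTP is the only hole the quoted design left on purpose
DEFAULT_DENY = [
    ("accept", "tcp", 25, 25),
    ("drop", None, 0, 65535),
]

# Constructed sample traffic (not captured data) covering the services in the thread.
SAMPLE_PACKETS = [
    ("tcp", 25),      # SMTP
    ("tcp", 111),     # sunrpc portmapper, tcp
    ("udp", 111),     # sunrpc portmapper, udp
    ("udp", 2049),    # NFS on its conventional port
    ("tcp", 6000),    # X11 display :0
    ("udp", 32771),   # assumed anonymous port taken by an RPC/YP service
]

def evaluate(rules, proto, port):
    """Return the action of the first rule matching (proto, port); deny if none match."""
    for action, rproto, lo, hi in rules:
        if (rproto is None or rproto == proto) and lo <= port <= hi:
            return action
    return "drop"

def leaked(rules):
    """Packets the rule set accepts although they are not in the intended allow set."""
    return [(proto, port) for proto, port in SAMPLE_PACKETS
            if evaluate(rules, proto, port) == "accept"
            and (proto, port) not in INTENDED_ALLOW]

if __name__ == "__main__":
    for name, rules in (("quoted router", QUOTED_ROUTER), ("default deny", DEFAULT_DENY)):
        print(f"{name}: unintended traffic passed = {leaked(rules)}")
```

Run as-is, the quoted design lets NFS, X11 and the anonymous-port RPC service through while the portmapper itself is blocked, which is exactly why blocking port 111 alone buys little; the default-deny list passes only SMTP.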