Chris Davies wrote:
>
> Gil Shwed (gil@checkpoint.brm.co.il) wrote:
> : > router that blocks all IP packets for port 0-24,26-1024, leaving port
>
> : Moreover, in the design you quoted, you are leaving all ports >1024 open,
> : which leaves your system exposed and *vulnerable* to dangerous attacks:
> : 1. Cracking your yellow pages (NIS) databases. (RPC/UDP)
> : 2. Fetching Files (NFS)
> : 3. X11 attacks.
> : 4. Many other open services.
>
> Er, point (3) is fair enough (ports 6000-60nn and 7000) but why (1) and
> (2)? I thought that these RPC based services had to go via the
> portmapper (port 111)? Or is it that the actual services are on
> anonymous ports up in the >1024 range and that a port scanner could
> find them (eventually)?
>
(1) RPC services are on anonymous ports (they are *not* pre-determined),
the portmapper (sunrpc, port 111) is used only for the
program-number -> port-number mapping. Scanning is very easy since RPC
services usually find themselves on ports just over 1023. RPC/YP scanners
like these were used by Internet intruders, and had very successful
results...
(2) Though NFS is an RPC service, it uses port 2049 on standard systems.
(4) Many services also use >1023 ports. Recent Internet attacks
showed trojan horses getting through other holes (SMTP), waiting for
root shells from the net...
-- Gil Shwed
-- CheckPoint Software Technologies
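The point the reply makes, that a filter which only denies ports below 1025 still leaves RPC daemons, NFS and X11 reachable, can be checked with a small first-match packet-filter model. This is an added example, not code from the thread or from CheckPoint; the rule format, the sample services and the port numbers for the RPC daemon are constructed for illustration.

```python
# Added example (not from the original thread): a tiny first-match packet
# filter that contrasts the "block 0-24,26-1024" design quoted in the thread
# with a default-deny policy. Services, protocols and ports are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    proto: str          # "tcp", "udp" or "any"
    lo: int             # inclusive destination-port range
    hi: int
    action: str         # "allow" or "deny"

def decide(rules, default, proto, port):
    """Return the action for an inbound packet: first matching rule wins,
    otherwise the policy default applies."""
    for r in rules:
        if r.proto in ("any", proto) and r.lo <= port <= r.hi:
            return r.action
    return default

# The quoted design: deny 0-24 and 26-1024, everything else falls through
# to a default of allow. Port 25 (SMTP) and every port above 1024 are open.
QUOTED_RULES = [Rule("any", 0, 24, "deny"), Rule("any", 26, 1024, "deny")]
QUOTED_DEFAULT = "allow"

# Default-deny: permit only the services you mean to expose.
DENY_RULES = [Rule("tcp", 25, 25, "allow")]
DENY_DEFAULT = "deny"

# Constructed sample of listeners, including the >1023 cases from the reply:
# an RPC daemon on an anonymous port, NFS on 2049, an X11 display on 6000.
SAMPLE_SERVICES = [
    ("ypserv (RPC, anonymous port)", "udp", 1025),
    ("nfsd", "udp", 2049),
    ("X11 display :0", "tcp", 6000),
    ("smtp", "tcp", 25),
    ("telnet", "tcp", 23),
]

def exposed(rules, default):
    """Names of the sample services an outside host could reach under a policy."""
    return [name for name, proto, port in SAMPLE_SERVICES
            if decide(rules, default, proto, port) == "allow"]

if __name__ == "__main__":
    print("quoted design exposes:", exposed(QUOTED_RULES, QUOTED_DEFAULT))
    print("default-deny exposes: ", exposed(DENY_RULES, DENY_DEFAULT))
```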