The "lsof -i:111" output below indicates the PID to be owned by
/usr/sbin/rpcbind. Can someone reassign rpcbind to run on another port or
stop it entirely?
# rpcinfo -p
program vers proto port service
100000 4 tcp 111 rpcbind
100000 3 tcp 111 rpcbind
100000 2 tcp 111 rpcbind
100000 4 udp 111 rpcbind
100000 3 udp 111 rpcbind
100000 2 udp 111 rpcbind
# lsof -i:111
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 517 root 3u IPv4 0x30000435838 0t0 UDP *:sunrpc (Idle)
rpcbind 517 root 6u IPv4 0x300001caf30 0t0 TCP *:sunrpc (LISTEN)
# ps -ef | grep 517
root 517 1 0 Mar 13 ? 0:00 /usr/sbin/rpcbind
Thanks for your assistance,
Bill
Do you or your management understand the purpose of the RPC port? Do
you understand how many networking protocols use RPC? If you run NIS or
NIS+, or NFS you need the RPC. Other software such as Oracle uses RPC.
Check /etc/rpc for a list of protocols.
In Solaris 10, you use `svcadm disable network/rpc/bind:default`
For a list of rpc services, `svcs -a | grep rpc`
-G
easy, block access with ipfilter.
> Can one stop the "rpcbind" service ? If not, what's the workaround to
> block this port ?
You can probably stop it, but if you do then no RPC-based servers will
work, so things like NFS and NIS will not work. On pre 10 machines
you'd need to find the init script which runs it, on 10 (and after...)
it will be a service and svcadm would stop it. You can not run it on
another port because RPC clients know to talk to this port.
I would *strongly* suggest trying stopping it on a scratch machine
first to see if the machine vaguely works: it's not clear to me that
it will. For instance on a Solaris 10 machine I have there are 19
services which depend on rpcbind, including
svc:/milestone/multi-user:default, so if I disable it I imagine the
machine will not be able to come up multiuser.
A better approach might be a firewall which blocks that port.
--tim
-Mark
man hosts.allow
> Can one stop the "rpcbind" service ? If not, what's the workaround to
> block this port ?
>
Don't block it. Too much depends on it. Deny access in a controlled way.
Not in Solaris 8 (probably not in Solaris 9 either) unless you
replace the rpcbind binary with a version that is tcpwrapper aware.
Man, am I forgetting fast... You're right. But there's ssh packages for
that available.
I'd suggest a "white mutiny" policy here. If management insists, get it
in writing and comply! Blind obedience and management can then live
with the consequences.
Another alternative is to look for a job at a company with smarter
management.
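
The firewall approach suggested in the thread, generalised from port 111 to every port that rpcbind advertises, as an added example that is not from any poster: the script turns `rpcinfo -p` output into ipfilter rules. `TRUSTED_NET`, the function names and the NFS sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build ipfilter rules from `rpcinfo -p`.
# Assumption: TRUSTED_NET is the only network that may reach RPC services.
TRUSTED_NET="${TRUSTED_NET:-192.0.2.0/24}"   # placeholder documentation range

# Print unique "proto port" pairs from `rpcinfo -p` output on stdin.
# Header, prompt and malformed lines are skipped by the field checks.
rpc_ports() {
    awk '$3 ~ /^(tcp|udp)$/ && $4 ~ /^[0-9]+$/ &&
         ($4 + 0) > 0 && ($4 + 0) < 65536 { print $3, $4 }' |
        LC_ALL=C sort -u
}

# For each pair: admit TRUSTED_NET first, then block everyone else.
# "quick" makes the first matching rule final, so the order matters.
ipf_rules() {
    while read -r proto port; do
        echo "pass in quick proto $proto from $TRUSTED_NET to any port = $port keep state"
        echo "block in quick proto $proto from any to any port = $port"
    done
}

# Sample: the rpcinfo output from the post, plus one constructed NFS line.
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100000    3   udp    111  rpcbind
    100000    2   udp    111  rpcbind
    100003    3   udp   2049  nfs
EOF
}

case "${1:-}" in
    --demo)  sample_rpcinfo | rpc_ports | ipf_rules ;;  # rules for the sample
    --stdin) rpc_ports | ipf_rules ;;                   # rpcinfo -p | sh FILE --stdin
esac
```

Filtering only port 111 hides the port map but leaves each registered service answering on its own port, which is why the rules cover every port in the listing.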