From owner-freebsd-stable Wed Aug 1 6: 8:46 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id B27E537B403; Wed, 1 Aug 2001 06:08:39 -0700 (PDT) (envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.4/8.11.4) with SMTP id f71D8Tf59418; Wed, 1 Aug 2001 09:08:29 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Date: Wed, 1 Aug 2001 09:08:29 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Nate Williams
Cc: arch@FreeBSD.ORG, stable@FreeBSD.ORG
Subject: Re: Disabling portmapper (was Re: Patch to modify default inetd.conf, have sysinstall prompt to edit , inetd.conf)
In-Reply-To: <15207.35178.61523.131897@nomad.yogotech.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Tue, 31 Jul 2001, Nate Williams wrote:

> > One of the observations that has been made fairly frequently to me is that
> > the current default inetd.conf puts many FreeBSD users at risk
> > unnecessarily, as many of them have moved to using SSH for remote access
> > needs. In particular in light of the recent ftpd and telnetd security
> > bugs, it seems like 4.4-RELEASE would be a good time to move to a more
> > conservative default of having both of these services disabled in the base
> > install, as both NetBSD and OpenBSD have moved to doing.
>
> In the same vein, shouldn't we also have the portmapper 'disabled' out
> of the box by default? I know we haven't (yet) had any remote exploits
> like Linux, but it may only be a matter of time.
>
> Plus, the crap filling up the logs could be argued as a type of DoS.

I'd be tempted to disable the portmapper (rpcbind in -CURRENT) by default,
allowing it to either be manually enabled, or enabled by virtue of
dependencies (something we already support).

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
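
An added example, not part of the original message or of FreeBSD's own scripts: a small audit that flags the defaults this thread proposes changing, namely ftp and telnet enabled in inetd.conf and the portmapper enabled with nothing depending on it. The sample files are constructed, and the rc.conf variable names are assumptions based on FreeBSD 4.x conventions.

```shell
#!/bin/sh
# Added example (not from the thread): flag the defaults discussed above.

# Service names on uncommented inetd.conf lines.
inetd_enabled() {
    awk '!/^[ \t]*(#|$)/ { print $1 }' "$1" | sort -u
}

# Succeeds if the last assignment of variable $2 in rc.conf file $1 is YES.
rc_yes() {
    val=$(awk -F= -v k="$2" '$1 == k { v = $2; gsub(/"|[ \t]*#.*/, "", v); last = v }
                             END { print last }' "$1")
    case "$val" in [Yy][Ee][Ss]) return 0 ;; esac
    return 1
}

# One finding per line; no output means the conservative configuration.
audit_defaults() {
    for svc in $(inetd_enabled "$1"); do
        case "$svc" in ftp|telnet) echo "inetd: $svc enabled" ;; esac
    done
    rc_yes "$2" portmap_enable || return 0
    # Variable names assumed from FreeBSD 4.x rc.conf conventions.
    for dep in nfs_server_enable nfs_client_enable nis_server_enable nis_client_enable; do
        if rc_yes "$2" "$dep"; then return 0; fi
    done
    echo "rc.conf: portmap enabled with no dependent service enabled"
}

# Constructed sample files: the old-style defaults the thread wants changed.
write_samples() {
    cat > "$1/inetd.conf" <<'EOF'
ftp     stream  tcp  nowait  root  /usr/libexec/ftpd     ftpd -l
telnet  stream  tcp  nowait  root  /usr/libexec/telnetd  telnetd
#shell  stream  tcp  nowait  root  /usr/libexec/rshd     rshd
EOF
    cat > "$1/rc.conf" <<'EOF'
portmap_enable="YES"    # constructed sample value
nfs_server_enable="NO"
sshd_enable="YES"
EOF
}

# Demo run against the constructed samples.
d=$(mktemp -d); write_samples "$d"
audit_defaults "$d/inetd.conf" "$d/rc.conf"
rm -rf "$d"
```

Setting any of the listed dependent variables to YES silences the portmap finding, which mirrors the "enabled by virtue of dependencies" case in the reply.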