One could reduce portmapper/rpcbind exposure by configuring hosts.deny
and hosts.allow to disable access to ports 111 and 388 to ALL, and
enabling access to 111 and 388 to upstream/downstream sites. (I'm
confident that rpcbind is generally TCPwrappers-enabled on supported
platforms; anyone know if LDM is?)
Bret
On Mon, 2009-09-28 at 16:21 -0500, Peter Laws wrote:
> Tyler Allison wrote:
> > I've run LDM without portmapper/rpcbind given they are both ginormous
> > security risks. It delays the startup/shutdown and other admin functions
> > since LDM tries to RPC but fails, then it tries again, etc...until it
> > figures out it is never going to work and defaults to 388 and everything
> > works fine afterwards.
> >
> > Personally, I'd rather see it assume 388 and fall back to
> > portmapper/rpcbind in the event of 388 failure, but that's just me :)
>
> Actually, Steve E wrote to me off-list and indicated that this is exactly
> how it works. Change in the code at some point??
>
> I'd still like to disable it. :-)
>
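A concrete form of the hosts.deny/hosts.allow arrangement Bret describes, as an added example that is not from this thread or from the LDM project: it writes out the two files for rpcbind and ldmd and models how tcpd decides a client. The daemon names are assumptions (tcp_wrappers matches on daemon name rather than port number, and whether ldmd honours libwrap is the open question above); the peer addresses are constructed documentation addresses.

```shell
#!/bin/sh
# Added example, not from the thread or the LDM project: generate the two
# TCP-wrappers files described above and model how tcpd evaluates them.
# tcpd matches on daemon name, not port: "rpcbind" (port 111) is the usual
# name; "ldmd" (port 388) is an assumption that LDM is linked with libwrap.

# Constructed sample peers: one upstream host and one downstream /24 written
# in hosts_access(5) prefix form (trailing dot).
PEERS='192.0.2.10 198.51.100.'

# hosts.deny: default-deny both daemons for everyone.
gen_hosts_deny() {
    printf '%s\n' 'rpcbind: ALL' 'ldmd: ALL'
}

# hosts.allow: admit only the listed peers (comma-separated client list).
gen_hosts_allow() {
    list=$(echo "$1" | tr ' ' ',')
    printf '%s\n' "rpcbind: $list" "ldmd: $list"
}

# One hosts_access(5) client pattern against one client (subset of the rules):
#   ALL            matches anything
#   "198.51.100."  trailing dot: address prefix
#   ".example.edu" leading dot: hostname suffix
#   anything else  exact match
pattern_matches() {
    pat="$1"; client="$2"
    case "$pat" in
        ALL) return 0 ;;
        *.)  case "$client" in "$pat"*) return 0 ;; esac ;;
        .*)  case "$client" in *"$pat") return 0 ;; esac ;;
        *)   [ "$pat" = "$client" ] && return 0 ;;
    esac
    return 1
}

# Evaluate a client the way tcpd would: hosts.allow is consulted first and a
# match grants; otherwise the hosts.deny "ALL" line rejects. Prints allow|deny.
check_client() {
    for pat in $PEERS; do
        pattern_matches "$pat" "$1" && { echo allow; return 0; }
    done
    echo deny
}
```

On a real host, `tcpdmatch rpcbind 192.0.2.10` asks the installed tcp_wrappers the same question against the files actually in /etc, which is the check to run after editing them.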