[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Security issues and LDM (fwd)




===============================================================================
Robb Kambic                                Unidata Program Center
Software Engineer III                      Univ. Corp for Atmospheric Research
address@hidden             WWW: http://www.unidata.ucar.edu/
===============================================================================

---------- Forwarded message ----------
Date: Tue, 15 May 2001 17:05:55 -0500
From: David Wojtowicz <address@hidden>
To: address@hidden
Subject: Re: Security issues and LDM


We've had portmapper (port 111) blocked from outside access on our LDM
machines for more than a year now and that has not hindered anyone from
feeding from our LDM.   The only side effect is that blocking it doesn't
stop the remote LDM from trying to access it before defaulting to 388.
In fact it tries a good number of times.    Because our setup logs all
denied connections this generates several hundred excess messages in our
logs each day (which we have to filter out)


-- 
David Wojtowicz, Sr. Research Programmer
Department of Atmospheric Sciences
University of Illinois at Urbana-Champaign



on 5/15/2001 3:43 PM, Anne Wilson at address@hidden wrote:

> Jeff Wolfe wrote:
>> 
>> Hi folks,
>> 
>> I'm sure everyone is aware of the ever increasing number of worms and other
>> security compromises that are happening on the 'net these days. The local
>> security folks here want to put a blanket filter on our internet
>> connection for inbound port 111. The idea is that by filtering port 111, they
>> make it just a bit harder for the various miscreants to find vulnerable RPC
>> services.
>> 
>> I'm trying to understand what effects that will have on our LDM servers. I
>> vaguely remember running ldm for a while without having the /etc/rpc file
>> edited properly, but that was a long time ago. I'm thinking we'll be able to
>> connect to other servers, but nobody will be able to connect to us.
>> 
>> Longer term, has anyone considered what will happen with LDM as firewalls,
>> proxy servers and other security measures become more prevalent? RPC isn't
>> the
>> most firewall friendly protocol ever invented.
>> 
>> -JEff
> 
> 
> Hi Jeff,
> 
> The LDM does not require that port 111 be available as long as port 388
> is available, like others have said.  If port 388 was not available,
> then a remote LDM would try to contact the portmapper on port 111.  If
> neither are available it will give up.
> 
> Regarding the longer term, sure we're considering security issues.  But,
> the current design has served us well.  Lots of our sites have firewalls
> and run with no problem as long as port 388 is open.
> 
> Regarding being "firewall friendly", technically, the LDM is not an RPC
> service because it doesn't require the portmapper.  Instead, it is a
> "TCP service that uses RPC protocol encoding."  That is, it establishes
> the service on a fixed TCP port that clients try directly.
> 
> Anne



NOTE: All email exchanges with Unidata User Support are recorded in the Unidata inquiry tracking system and then made publicly available through the web. If you do not want to have your interactions made available in this way, you must let us know in each email you send to us.