README for rpcbind 2.1 on Fri Apr 10 15:54:26 EDT 1998 Description ----------- This is an rpcbind replacement with tcp wrapper style access control. It provides a simple mechanism to discourage remote access to the NIS (YP), NFS, and other rpc services. This version is based on the freely-distributable tirpcsrc2.3 source distribution, as offered for anonymous FTP from playground.sun.com. According to the README: TIRPCSRC 2.3 29 Aug 1994 This distribution contains SunSoft's implementation of transport-independent RPC (TI-RPC), External Data Representation (XDR), and various utilities and documentation. These libraries and programs form the base of Open Network Computing (ONC), and are derived directly from the Solaris 2.3 source. This rpcbind release was tested by me on Solaris 2.4 and 2.6 for SPARC. Features -------- - host access control on IP addresses. The local host is considered authorized. Host access control requires the libwrap.a library that comes with recent tcp wrapper implementations. - requests that are forwarded by the rpcbind process will be forwarded through an unprivileged port. - the rpcbind process refuses to forward requests to rpc daemons that do (or should) verify the origin of the request: at present, the list includes most of the calls to the NFS mountd/nfsd daemons and the NIS daemons. - the rpcbind process refuses REMOTE requests sent to high-numbered UDP ports (instead of TCP or UDP ports 111). High-numbered ports are opened by the rpcbind server as a side effect of other activity. These ports could be abused to bypass packet filtering restrictions. See the advisory (and addendum) on http://www.secnet.com/ Restrictions ------------ The host access control code looks at IP addresses only. No protection against IP address spoofing attacks. Implementing this protection turns out to be harder than with my version 5 portmapper replacement, and I will not work on this until I have local access to the console of a Solaris machine. Proper router hygiene can alleviate the IP address spoofing problem. Limiting access to the rpcbind daemon does not protect you from direct attacks on the rpc daemons themselves; the main task of rpcbind is to maintain a table of available RPC services and of the network ports that they are listening on. On the other hand, even though rpcbind with access control only makes an attack more difficult, it still provides an excellent early warning system. Installation ------------ (1) Follow the instructions in the Makefile, then build the rpcbind executable. (2) Terminate (kill -TERM) the running rpcbind process. With "kill -TERM" the rpcbind daemon will save its state in files in /tmp. If you kill the rpcbind process without saving its tables you will have to reboot the machine. (3) Start the new rpcbind program with the -w (warmstart) option. This causes the program to initialize from the tables saved in step (2). In order to revert to the original rpcbind daemon, kill off the running one with "kill -TERM", and start the original one. Suggested entries for the host access-control files are: /etc/hosts.allow: rpcbind: your.sub.net.number/your.sub.net.mask rpcbind: 255.255.255.255 0.0.0.0 /etc/hosts.deny rpcbind: ALL: (/some/where/safe_finger -l @%h | /bin/mail root) & Safe_finger comes with later tcp/ip daemon wrapper releases. It gives better protection than the standard finger command. The syntax of the access-control files is described in the hosts_access.5 manual page that comes with the tcp/ip daemon wrapper (log_tcp) sources. The second line in the hosts.allow file may be needed in case there are unconfigured systems on your network segment. In order to avoid deadlocks, the rpcbind program does not attempt to look up the remote host name, nor will it try to match NIS netgroups. There is no need to specify the local system: since it runs the rpcbind daemon, it is authorized by definition. The reason for permitting whole networks in the hosts.allow file is that many systems produce broadcast rpc requests when booting. Testing: -------- Normally, only rejected requests will be reported via the syslog daemon. Logging is done in a child process, in order to avoid possible deadlock in case the logging code needs assistance from the rpcbind process. By default, the rpcbind process will be utterly silent. In fact, the rpcbind daemon is not consulted that often. Sending a SIGHUP signal to the rpcbind process will enable the logging of all requests. With verbose logging turned on, requests such as "showmount" or "rpcinfo" should show up with log file entries such as: MMM dd hh:mm:ss hostname rpcbind: connect from x.x.x.x to getport(mountd) MMM dd hh:mm:ss hostname rpcbind: connect from y.y.y.y to dump() MMM dd hh:mm:ss hostname rpcbind: connect from loopback(xxxx) to unset() In case of IP clients, the source IP address is logged; otherwise, the transport name and universal address are logged as transport(address). Send another SIGHUP to the rpcbind process to turn the verbose logging off. Acknowledgements: ----------------- Thanks to Robert Montjoy for helping with the port of my tirpcsrc1.0 patches to the tirpcsrc2.0 environment. Wietse Venema (wietse@wzv.win.tue.nl) Mathematics and Computing Science Eindhoven University of Technology The Netherlands