[lug] Firewall / Lockdown questions

Ben Whaley bwhaley at gmail.com
Tue Jul 31 16:31:14 MDT 2007


> 1) Is there any reason why nfslock should be running if I don't have nfs
> running? Oddly enough, the system installed by default to disable nfs yet
> enabled nfslock.

You can safely disable nfslock if you're not using it.


> 2) Is there any reason why I want portmap running? I'm not sure, but it
> looks like portmap was probably needed to serve the requests to nfs and
> nfslock, which is possibly why it's enabled. What typical services is
> portmap a frontend for, and is there a way to discover that on a running
> system?
>

I would strongly recommend disabling portmap if you're not using it. It
is notoriously insecure due to weak authentication mechanisms and has
a history of vulnerabilities. It is used by NFS and NIS, among other
things.


> 3) Do I need to have this sendmail service enabled for simple outgoing
> mail as described? Basically, how do I configure minimal outbound
> sendmail capability while keeping either:
>
> a) the port entirely closed / invisible (not sure if that's even possible), or
> b) locked down (visible and open but only sends from localhost and
> accepts no inbound - I'm thinking this can be done in a config file
> without the need for iptables rules).

In /etc/mail/sendmail.mc there is a line that says something like:

dnl #DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

Uncomment that line (i.e. remove "dnl #") and run: sudo make sendmail.mc

You will need the sendmail-cf package to do that.

- Ben
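As an added verification script (not part of Ben's reply or the original thread), the following answers the "how do I discover what portmap fronts" question with `rpcinfo -p` and confirms that the sendmail change above left port 25 bound to loopback only. The `rpcinfo -p` and `netstat -ltn`-style samples are constructed; the live section assumes `rpcinfo` and `ss` are installed.

```shell
#!/bin/sh
# Added example: verify the lockdown discussed above actually took effect.
# Check 1: which RPC programs are still registered with portmap.
# Check 2: whether the SMTP listener is bound only to a loopback address.

# Read `rpcinfo -p` output on stdin and print the distinct program names
# (column 5), skipping the header line. This is what portmap is fronting.
rpc_programs() {
    awk 'NR > 1 && NF >= 5 { print $5 }' | sort -u
}

# Read `netstat -ltn` / `ss -ltn` style lines on stdin and print every
# local address:port whose port is 25.
smtp_listeners() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:25$/) print $i }'
}

# Return 0 if every port-25 listener is on 127.0.0.1 or ::1, else 1.
# No listener at all also counts as local-only (nothing is exposed).
smtp_is_local_only() {
    smtp_listeners | grep -qvE '^(127\.0\.0\.1|::1|\[::1\]):25$' && return 1
    return 0
}

# Constructed sample of `rpcinfo -p` on a host with portmap and nfslock
# (nlockmgr/status) running but no NFS server registered.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    755  status
    100024    1   tcp    758  status
    100021    1   udp  32768  nlockmgr
    100021    3   tcp  32769  nlockmgr'

# Constructed listener lines: sendmail on all interfaces vs. loopback only.
SAMPLE_OPEN='tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN'
SAMPLE_LOCAL='tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN'

# Live check when the tools exist (assumed tool names: rpcinfo, ss).
if command -v rpcinfo >/dev/null 2>&1; then
    echo "RPC programs registered with portmap:"
    rpcinfo -p 2>/dev/null | rpc_programs
fi
if command -v ss >/dev/null 2>&1; then
    if ss -ltn 2>/dev/null | smtp_is_local_only; then
        echo "SMTP: loopback only"
    else
        echo "SMTP: bound to a non-loopback address"
    fi
fi
```

Run it before and after the sendmail.mc change; `status` and `nlockmgr` in the RPC list correspond to the nfslock service, so they should vanish once it is disabled.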
