[lug] Firewall / Lockdown questions
Ben Whaley
bwhaley at gmail.com
Tue Jul 31 16:31:14 MDT 2007
> 1) Is there any reason why nfslock should be running if I don't have nfs
> running? Oddly enough the system installed by default to disable nfs yet
> enabled nfslock

You can safely disable nfslock if you're not using it.

> 2) Is there any reason why I want portmap running? I'm not sure but it
> looks like portmap was probably needed to serve the requests to nfs and
> nfslock which is possibly why it's enabled? What typical services is
> portmap a frontend for and is there a way to discover that on a running
> system:
>

I would strongly recommend disabling portmap if you're not using it. It
is notoriously insecure due to weak authentication mechanisms and has
a history of vulnerabilities. It is used by NFS and NIS, among other
things.

> 3) Do I need to have this sendmail service enabled for simple outgoing
> mail as described? Basically how do I configure minimal outbound
> sendmail capability while keeping either:
>
> a) the port entirely closed / invisible (not sure if that's even possible) or
> b) locked down (visible and open but only sends from local host and
> accepts no inbound - I'm thinking this can be done in a config file
> without the need for iptables rules).

In /etc/mail/sendmail.mc there is a line that says something like:

dnl #DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

Uncomment that line (i.e. remove "dnl #") and run: sudo make sendmail.mc
You will need the sendmail-cf package to do that.

- Ben
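
Added example, not part of the original message: a small shell check that reports whether the loopback restriction in a sendmail.mc file is actually in effect, since a DAEMON_OPTIONS line that still starts with "dnl" is an m4 comment and changes nothing. The function name audit_mc and the sample files are constructed for illustration; only the IPv4 address 127.0.0.1 from the message is treated as loopback.

```shell
#!/bin/sh
# audit_mc FILE -> prints one verdict for the SMTP listener settings:
#   loopback-only  every active DAEMON_OPTIONS line has Addr=127.0.0.1
#   exposed        an active DAEMON_OPTIONS line has another Addr, or none
#   default        no active DAEMON_OPTIONS line, so the restriction is not applied
audit_mc() {
    awk '
        /^[ \t]*dnl/ { next }                  # m4 comment line: ignored by m4
        /^[ \t]*DAEMON_OPTIONS\(/ {
            active++
            # Require the exact address, not a prefix such as 127.0.0.10
            if ($0 !~ /Addr=127\.0\.0\.1([^0-9.]|$)/) exposed++
        }
        END {
            if (!active)      print "default"
            else if (exposed) print "exposed"
            else              print "loopback-only"
        }
    ' "$1"
}

# Constructed sample files (not taken from a real host).
make_samples() {
    cat > "$1/commented.mc" <<'EOF'
dnl #DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
EOF
    cat > "$1/loopback.mc" <<'EOF'
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
EOF
    cat > "$1/exposed.mc" <<'EOF'
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
EOF
}

tmp=$(mktemp -d)
make_samples "$tmp"
for f in commented loopback exposed; do
    printf '%s: %s\n' "$f" "$(audit_mc "$tmp/$f.mc")"
done
rm -rf "$tmp"
```

On a real system, point audit_mc at /etc/mail/sendmail.mc before regenerating the configuration.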