README for rpcbind 1.1 on Fri Dec 9 17:34:12 MET 1994

Description
-----------

This is an rpcbind replacement with tcp wrapper style access control.
It provides a simple mechanism to discourage remote access to the NIS
(YP), NFS, and other rpc services. Alas, the Solaris 2.4 rpcbind will
still export file systems to the world through proxy rpc.

This version is based on the freely-distributable tirpcsrc2.3 source
distribution, as offered for anonymous FTP from playground.sun.com.
According to the README:

    TIRPCSRC 2.3 29 Aug 1994

    This distribution contains SunSoft's implementation of
    transport-independent RPC (TI-RPC), External Data Representation
    (XDR), and various utilities and documentation. These libraries
    and programs form the base of Open Network Computing (ONC), and
    are derived directly from the Solaris 2.3 source.

The program has undergone limited testing with SunOS 5.3 (Solaris 2.3).
It is obviously very compatible with Solaris 2.3. It will probably work
as well with earlier Solaris 2.x versions.

Features
--------

- host access control on IP addresses. The local host is considered
  authorized. Host access control requires the libwrap.a library that
  comes with recent tcp wrapper implementations.

- requests that are forwarded by the rpcbind process will be forwarded
  through an unprivileged port.

- the rpcbind process refuses to forward requests to rpc daemons that
  do (or should) verify the origin of the request: at present, the list
  includes most of the calls to the NFS mountd/nfsd daemons and the NIS
  daemons.

Restrictions
------------

The host access control code looks at IP addresses only.

Limiting access to the rpcbind daemon does not protect you from direct
attacks on the rpc daemons themselves; the main task of rpcbind is to
maintain a table of available RPC services and of the network ports
that they are listening on.
On the other hand, even though rpcbind with access control only makes
an attack more difficult, it still provides an excellent early warning
system.

Installation
------------

(1) Follow the instructions in the Makefile, then build the rpcbind
    executable.

(2) Terminate (kill -TERM) the running rpcbind process. With
    "kill -TERM" the rpcbind daemon will save its state in files in
    /tmp. If you kill the rpcbind process without saving its tables
    you will have to reboot the machine.

(3) Start the new rpcbind program with the -w (warmstart) option. This
    causes the program to initialize from the tables saved in step (2).

In order to revert to the original rpcbind daemon, kill off the running
one with "kill -TERM", and start the original one.

Suggested entries for the host access-control files are:

/etc/hosts.allow:
    rpcbind: your.sub.net.number/your.sub.net.mask
    rpcbind: 255.255.255.255 0.0.0.0

/etc/hosts.deny:
    rpcbind: ALL: (/some/where/safe_finger -l @%h | /bin/mail root) &

Safe_finger comes with later tcp/ip daemon wrapper releases. It gives
better protection than the standard finger command. The syntax of the
access-control files is described in the hosts_access.5 manual page
that comes with the tcp/ip daemon wrapper (log_tcp) sources.

The second line in the hosts.allow file may be needed in case there are
unconfigured systems on your network segment.

For security reasons, the rpcbind process does not run as root. The
access control files should therefore be world-readable.

In order to avoid deadlocks, the rpcbind program does not attempt to
look up the remote host name, nor will it try to match NIS netgroups.

There is no need to specify the local system: since it runs the rpcbind
daemon, it is authorized by definition.

The reason for permitting whole networks in the hosts.allow file is
that many systems produce broadcast rpc requests when booting.

Testing:
--------

Normally, only rejected requests will be reported via the syslog daemon.
Logging is done in a child process, in order to avoid possible deadlock
in case the logging code needs assistance from the rpcbind process.

By default, the rpcbind process will be utterly silent. In fact, the
rpcbind daemon is not consulted that often.

Sending a SIGHUP signal to the rpcbind process will enable the logging
of all requests. With verbose logging turned on, requests such as
"showmount" or "rpcinfo" should show up with log file entries such as:

    MMM dd hh:mm:ss hostname rpcbind: connect from x.x.x.x to getport(mountd)
    MMM dd hh:mm:ss hostname rpcbind: connect from y.y.y.y to dump()
    MMM dd hh:mm:ss hostname rpcbind: connect from loopback(xxxx) to unset()

In case of IP clients, the source IP address is logged; otherwise, the
transport name and universal address are logged as transport(address).

Send another SIGHUP to the rpcbind process to turn the verbose logging
off.

Acknowledgements:
-----------------

Thanks to Robert Montjoy for helping with the port of my tirpcsrc1.0
patches to the tirpcsrc2.0 environment.

        Wietse Venema (wietse@wzv.win.tue.nl)
        Mathematics and Computing Science
        Eindhoven University of Technology
        The Netherlands
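
Added example (not part of the original rpcbind distribution): a Python
script that reads verbose-logging entries in the format shown under
"Testing" and counts requests from IP sources outside the local network,
which is the early-warning use described under "Restrictions". The
sample log, the 192.0.2.0/24 network, the optional [pid] after
"rpcbind" and all function names are assumptions made for this example.

```python
import ipaddress
import re
from collections import Counter

# Format documented in the README:
#   MMM dd hh:mm:ss hostname rpcbind: connect from SOURCE to PROC(SERVICE)
# SOURCE is an IP address, or transport(address) for non-IP clients.
# Assumption: syslog may append "[pid]" to the program name.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"rpcbind(?:\[\d+\])?: connect from (?P<src>\S+) "
    r"to (?P<proc>\w+)\((?P<svc>[^)]*)\)"
)

# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Dec  9 17:40:01 host1 rpcbind: connect from 192.0.2.15 to getport(mountd)
Dec  9 17:40:07 host1 rpcbind: connect from 198.51.100.7 to dump()
Dec  9 17:40:09 host1 rpcbind: connect from 198.51.100.7 to getport(ypserv)
Dec  9 17:40:12 host1 rpcbind: connect from loopback(xxxx) to unset()
Dec  9 17:41:30 host1 rpcbind: connect from 198.51.100.7 to getport(ypserv)
Dec  9 17:41:31 host1 sendmail[212]: unrelated line
"""

def parse_line(line):
    """Return the fields of one rpcbind log entry, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def remote_queries(log_text, local_net):
    """Count (source, procedure, service) for IP sources outside local_net."""
    net = ipaddress.ip_network(local_net)
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            addr = ipaddress.ip_address(rec["src"])
        except ValueError:
            # transport(address) form: a non-IP client. Assumption: these
            # are local transports and are left out of the report.
            continue
        if addr not in net:
            hits[(rec["src"], rec["proc"], rec["svc"])] += 1
    return hits

if __name__ == "__main__":
    for (src, proc, svc), n in remote_queries(SAMPLE_LOG, "192.0.2.0/24").most_common():
        print(f"{n:3d}  {src}  {proc}({svc})")
```
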