Chad C. Walstrom wrote:
>On Mon, Mar 18, 2002 at 10:02:25PM -0600, Dave Erickson wrote:
>
>>Hi all, I am trying to lock my system down and have a quick question.
>>
>>After all I've done I still have two ports showing open,
>>
>>111/tcp open sunrpc
>>6000/tcp open X11
>>
>>I set /etc/hosts.deny to ALL:ALL. Am I vulnerable with these ports open?
>>If so, what is the best way to close them?
>>
>
>sunrpc is for portmap. If you need NFS, you must run portmap. In
>which case you need to add hosts.allow or hosts.deny lines for portmap.
>Remember to use IP addresses and netmasks only for portmap.
>
> # hosts.allow
> ALL: LOCAL
> sshd: ALL
>
> # hosts.deny line
> ALL: PARANOID
> sshd: bad.host.tld
> portmap: ALL 192.168.1.254 EXCEPT 192.168.1.0/24
>
>The X11 is your X server. Use the "-nolisten tcp" option for your X
>server in its respective startup script (i.e. gdm.conf, etc). Use ssh
>X11 forwarding to display X apps from remote hosts.
>
>An alternative for NFS is to do NFS over tcp and use the SSL library or
>sslwrap to encrypt the traffic. Then shut off all portmap except for
>localhost, etc.
>
>Good luck. Oh, and if worse comes to worst, use ip filters (ipchains or
>iptables) to block traffic that libwrap can't catch.
>

Ok, I got rid of the portmapper as I don't need NFS at all. I am not
really sure where to put the "-nolisten tcp" option though. I use GNOME
but not the graphical login.

Thanks for your help.

--
Dave Erickson ( http://www.rightwithgod.org )
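As an added illustration of the check behind this thread (not code from either poster), the script below reads a listener table in the `netstat -tln` layout and reports which ports are bound to every interface rather than to loopback only, so 111/tcp (portmap) and 6000/tcp (the X server) stand out; it also checks a server startup line for the `-nolisten tcp` option Chad recommends. The listener table and the `~/.xserverrc` contents are constructed samples, not output from Dave's machine, and the placement of the option in `~/.xserverrc` for a `startx`-launched session (the thread itself only names gdm.conf) is the usual startx convention, stated here as an assumption about Dave's setup.

```bash
#!/bin/sh
# Constructed sample in the layout of `netstat -tln` (not captured from a real host).
SAMPLE_LISTENERS='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Print, one per line and numerically sorted, the TCP ports from a listener table that
# are bound to all interfaces (0.0.0.0, * or ::). Loopback-only listeners such as
# 127.0.0.1:631 are not reachable from other hosts and are therefore skipped.
exposed_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($4, a, ":"); port = a[n]; addr = a[1];
        if (addr == "0.0.0.0" || addr == "*" || addr == "") print port }' | sort -n
}

# Exit status 0 if the X server port (6000/tcp) is exposed in the table, 1 otherwise.
x11_exposed() {
    exposed_ports "$1" | grep -qx 6000
}

# Exit status 0 if the portmapper port (111/tcp) is exposed in the table, 1 otherwise.
portmap_exposed() {
    exposed_ports "$1" | grep -qx 111
}

# Exit status 0 if a server start line carries "-nolisten tcp", 1 otherwise.
# Assumed convention: a startx session takes its server command from ~/.xserverrc
# (e.g. "exec /usr/bin/X -nolisten tcp"), while gdm takes it from gdm.conf.
has_nolisten_tcp() {
    printf '%s\n' "$1" | grep -Eq -- '-nolisten[[:space:]]+tcp'
}

# Constructed ~/.xserverrc contents: the default form and the hardened form.
XSERVERRC_DEFAULT='exec /usr/bin/X'
XSERVERRC_FIXED='exec /usr/bin/X -nolisten tcp'

main() {
    echo "TCP ports reachable from other hosts in the sample table:"
    exposed_ports "$SAMPLE_LISTENERS"
    if x11_exposed "$SAMPLE_LISTENERS"; then
        echo "6000/tcp: X server is listening on the network; start X with -nolisten tcp"
    fi
    if portmap_exposed "$SAMPLE_LISTENERS"; then
        echo "111/tcp: portmap is listening on the network; restrict it via hosts.allow/hosts.deny or remove it"
    fi
    if has_nolisten_tcp "$XSERVERRC_FIXED"; then
        echo "hardened xserverrc line disables the X TCP listener"
    fi
}

main
```

Run it as-is to see the sample report; on a real host, feed `exposed_ports "$(netstat -tln)"` (or the equivalent `ss -tln` output, whose columns differ slightly) to the same functions. Recent X servers default to `-nolisten tcp`, so the check is mainly useful on older installs like the one in this thread.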