[Summary] closing ports kills console

From: Chris Hoogendyk <choogend_at_library.umass.edu>
Date: Wed May 19 2004 - 15:40:21 EDT
a handful of good responses.

basically, I need rpcbind back if I want CDE on the console. also, I 
need to keep X11. if I had a newer version of Solaris (I'm not sure 
where it starts), then I can start X11 with "-nolisten tcp" and it will 
only be local. no way to do that on my version.

some say that a server shouldn't have a GUI anyway. however, I have run 
into problems with some installs (e.g. Oracle) that require a GUI for 
their installer and use a Java client running on the server from the 
install CD.

so, options are to (1) bring back some of what I have removed and make 
sure I'm up on patches, (2) skip the GUI, (3) proceed with installing 
and configuring IPFilter to cut off outside access to virtually 
everything. 3 is independent. do it in any case.

replies from Casper Dik, Crist Clark, Daping Xia, Anthony D'Atri, 
Alekxander Pavic, Tony Schloss and Harvey Wamboldt. those with unique 
details are included below after my original message.
---------------

Chris Hoogendyk

-
    O__  ---- Network Specialist & Unix Systems Administrator
   c/ /'_ --- Library Information Systems & Technology Services
  (*) \(*) -- W.E.B. Du Bois Library
~~~~~~~~~~ - University of Massachusetts, Amherst

<choogend@library.umass.edu>

---------------
-------- Original Message --------
Subject: closing ports kills console
Date: Tue, 18 May 2004 14:27:02 -0400
From: Chris Hoogendyk <choogend@library.umass.edu>
To: Sun Managers <sunmanagers@sunmanagers.org>

I've nearly completed my effort at closing ports using the proactive
removal method (from inetd.conf, rc2.d, and rc3.d), and have yet to get
into IPF.

When I rebooted this morning, after having cleared a number of ports the
last few days, I found that I could not log in on the console. I get the
CDE login and it begins to set up the desktop, then it puts up an error
message saying "the DT messaging system could not be started" and
returns me to the login. I could select failsafe at the login, so I'm
not locked out, but ...

What do I need to have running to get this back? Then, how do I change
whatever that is to be listening only on the localhost so that I don't
have a port open to the outside? I did this sort of thing with mysql by
putting a line in the my.cnf file specifying bind-address=127.0.0.1

Finally, the one port I still have open that I would like to close is
6000 -- X11. I would like to close that down to the outside world, but
I'm a little concerned that it too will be wrapped up with CDE and I may
kill my console again.

TIA

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
-------- Original Message --------
Subject: Re: closing ports kills console
Date: Tue, 18 May 2004 20:36:26 +0200
From: Casper Dik <casper@holland.sun.com>
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <40AA5576.4050605@library.umass.edu>


<snip>

Probably rpcbind; tooltalk needs RPC.

Solaris Express (Solaris 10 pre-release) contains tcp wrapped rpcbind.

<snip>

Start Xsun through /etc/dt/bin/Xservers with -nolisten tcp (if your
version of Solaris supports that; it was a fairly late addition)


Casper
-------- Original Message --------
Subject: Re: closing ports kills console
Date: Tue, 18 May 2004 11:44:46 -0700
From: Crist Clark <crist.clark@globalstar.com>
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <40AA5576.4050605@library.umass.edu>


<snip>

CDE won't start up without the RPC portmapper running, /etc/init.d/rpc.
There is no way in Solaris <10 to change the listening address on it.

CDE also may be a little funny since you've probably killed the Tool
Talk DB server in inetd.conf, but that should not prevent it from
starting. I've found it rather odd that it won't start without the
RPC mapper running, but if the services it looks for through RPC are
not there, it will still start up... So why did it need the portmapper?

<snip>

I think Sun finally added a -nolisten option to the X daemon, but
can't recall if it starts in 8, 9, or Coming Real Soon in 10.
-- 
Crist J. Clark                               crist.clark@globalstar.com
Globalstar Communications                                (408) 933-4387
-------- Original Message --------
Subject: Re: closing ports kills console
Date: Tue, 18 May 2004 16:31:53 -0700
From: Anthony D'Atri <aad@verio.net>
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <40AA5576.4050605@library.umass.edu>


<snip>

Think seriously about turning off inetd entirely.

<snip>

CDE is a big ugly complex mess, and I didn't like it when HP called it
VUE either.  On Sun hardware I've always just used a normal X
environment with, say, fvwm, invoked via xinit/xstart after login, not
via some sort of risky xdm deal.

<snip>

One would hope that it would use only shared-memory or unix-domain
socket transports for local client communication, but that's hard to
know for sure.  Is DISPLAY set to :0?

-------- Original Message --------
Subject: RE: closing ports kills console
Date: Wed, 19 May 2004 09:50:38 +0200
From: Pavic, Aleksander <Aleksander.Pavic@telekom.de>
To: choogend@library.umass.edu



Hi,
I think you have disabled rpc to close rpc ports. But X needs rpc to work.
Once you have rpc running you need to run /etc/rc2.d/S99dtlogin.

IMPORTANT:
If you intend to build a high security system you cannot allow X because
of rpc.
There is probably a way to configure rpc in a way that it cannot go
through "local" borders.
Try to use 'secure rpc' if you cannot find a solution for the 'normal
rpc' system.

HTH,
Aleks

-------- Original Message --------
Subject: Re: closing ports kills console
Date: Wed, 19 May 2004 06:30:49 -0400
From: Tony_Schloss@ao.uscourts.gov
To: Chris Hoogendyk <choogend@library.umass.edu>

The below line is the only entry from /etc/inetd.conf that I still have
enabled -- it's the only one needed to maintain the CDE capability.
         100083/1        tli     rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
Note that CDE will also depend on other services (not inet-related), such
as keeping RPC running (via the /etc/rc2.d/S71rpc startup script).

There are other things you can do to keep a little tighter security on CDE
logins, though.  For example, you should have a file
/etc/dt/config/Xaccess, with the following 2 lines (and only these 2
lines):
         !*
         !*     CHOOSER BROADCAST
You should also have a file /etc/dt/config/Xservers with the following
line in it:
    :0   Local local_uid@console root /usr/openwin/bin/Xsun :0 -nobanner -nolisten tcp
This last line is the important one for what you're asking, I think --
it's the one that keeps CDE from listening for other machines and offering
an open port for them to come in.  This file is available from
/usr/dt/config/Xservers; all you need to do is copy it to /etc/dt/config,
and add the "-nolisten tcp" option.

Note that this is all for Solaris 9 -- if you have a different version,
you may have other issues to deal with, and it's been a while since I
worked with older versions of Solaris.


HTH,
Tony
~~~~~~~~~
Tony Schloss
Web Administration Team
OIT-IMD Judicial Data Center
Administrative Offices of the U.S. Courts
202.502.2401
tony_schloss@ao.uscourts.gov

"They that can give up essential liberty to obtain a little
temporary safety deserve neither safety nor liberty. "
           - Benjamin Franklin
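An added example (not part of Tony's message or of any Solaris tooling): a small POSIX sh audit that checks whether an Xservers file starts every Xsun with "-nolisten tcp" and whether an Xaccess file contains exactly the two deny-all lines he lists. It assumes the file layouts shown in his message; the sample files it creates are constructed so it runs anywhere, not read from /etc/dt/config.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits the two CDE files Tony
# describes (assumed paths: /etc/dt/config/Xservers, /etc/dt/config/Xaccess).
# The files created below are constructed samples so the script is self-contained.

# 0 = every display line in an Xservers file carries "-nolisten tcp",
# 1 = some Xsun would still listen on TCP (port 6000), 2 = unreadable/no display lines.
xservers_nolisten() {
    [ -r "$1" ] || return 2
    awk '
        /^[[:space:]]*#/ { next }                 # comment line
        /^[[:space:]]*:[0-9]/ {                   # display line, e.g. ":0 Local ... Xsun :0"
            seen++
            if ($0 !~ /-nolisten tcp/) bad++
        }
        END { exit (seen == 0 ? 2 : (bad > 0 ? 1 : 0)) }' "$1"
}

# 0 = Xaccess holds exactly "!*" and "!* CHOOSER BROADCAST" (whitespace-normalised), nothing else.
xaccess_denies_all() {
    [ -r "$1" ] || return 2
    got=$(awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next } # drop comments and blank lines
        { $1 = $1; print }                            # squeeze runs of whitespace
    ' "$1")
    want=$(printf '!*\n!* CHOOSER BROADCAST\n')
    [ "$got" = "$want" ]
}

# Constructed samples: one hardened and one open file of each kind.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' ':0 Local local_uid@console root /usr/openwin/bin/Xsun :0 -nobanner -nolisten tcp' > "$tmp/Xservers.good"
printf '%s\n' ':0 Local local_uid@console root /usr/openwin/bin/Xsun :0 -nobanner' > "$tmp/Xservers.bad"
printf '%s\n' '!*' '!*     CHOOSER BROADCAST' > "$tmp/Xaccess.good"
printf '%s\n' '*' '!*     CHOOSER BROADCAST' > "$tmp/Xaccess.bad"

for f in Xservers.good Xservers.bad; do
    xservers_nolisten "$tmp/$f" && echo "$f: Xsun local only" || echo "$f: Xsun still listens on TCP"
done
for f in Xaccess.good Xaccess.bad; do
    xaccess_denies_all "$tmp/$f" && echo "$f: XDMCP denied to all" || echo "$f: XDMCP not fully denied"
done
```

Point the two functions at the real /etc/dt/config files to audit a host; a non-zero return from either is the condition to fix before relying on the console-only setup.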
-------- Original Message --------
Subject: Re: closing ports kills console
Date: Wed, 19 May 2004 11:15:37 -0300 (ADT)
From: Harvey Wamboldt <harvey@iotek.ns.ca>
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <40AA5576.4050605@library.umass.edu>

Is rpc.ttdbserverd running?  I think I remember having this
problem before.  Installing the latest tooltalk patch fixed
my particular problems.  I never did figure out how to close
off the port and still run CDE.  If you figure it out, I'd
be very interested in what you did.  In my case I turned off
CDE.

Rgds,

-H-