README for rpcbind 2.1 on Fri Apr 10 15:54:26 EDT 1998

Description 
-----------

This is an rpcbind replacement with tcp wrapper style access control.
It provides a simple mechanism to discourage remote access to the NIS
(YP), NFS, and other rpc services.

This version is based on the freely-distributable tirpcsrc2.3 source
distribution, as offered for anonymous FTP from playground.sun.com.
According to the README:

    TIRPCSRC 2.3 29 Aug 1994

    This distribution contains SunSoft's implementation of
    transport-independent RPC (TI-RPC), External Data Representation
    (XDR), and various utilities and documentation.  These libraries
    and programs form the base of Open Network Computing (ONC), and are
    derived directly from the Solaris 2.3 source.

This rpcbind release was tested by me on Solaris 2.4 and 2.6 for SPARC.

Features 
--------

- host access control on IP addresses. The local host is considered
authorized. Host access control requires the libwrap.a library that
comes with recent tcp wrapper implementations.

- requests that are forwarded by the rpcbind process will be forwarded
through an unprivileged port.

- the rpcbind process refuses to forward requests to rpc daemons that
do (or should) verify the origin of the request: at present, the list
includes most of the calls to the NFS mountd/nfsd daemons and the NIS
daemons.

- the rpcbind process refuses REMOTE requests sent to high-numbered
UDP ports (instead of TCP or UDP port 111).  High-numbered ports
are opened by the rpcbind server as a side effect of other activity.
These ports could be abused to bypass packet filtering restrictions.
See the advisory (and addendum) on http://www.secnet.com/

Restrictions 
------------

The host access control code looks at IP addresses only.

No protection against IP address spoofing attacks. Implementing
this protection turns out to be harder than with my version 5
portmapper replacement, and I will not work on this until I have
local access to the console of a Solaris machine. Proper router
hygiene can alleviate the IP address spoofing problem.

Limiting access to the rpcbind daemon does not protect you from direct
attacks on the rpc daemons themselves; the main task of rpcbind is to
maintain a table of available RPC services and of the network ports
that they are listening on.

On the other hand, even though rpcbind with access control only makes
an attack more difficult, it still provides an excellent early warning
system.

Installation 
------------

(1) Follow the instructions in the Makefile, then build the rpcbind
executable.

(2) Terminate (kill -TERM) the running rpcbind process. With "kill
-TERM" the rpcbind daemon will save its state in files in /tmp.

If you kill the rpcbind process without saving its tables, you will
have to reboot the machine.

(3) Start the new rpcbind program with the -w (warmstart) option. This
causes the program to initialize from the tables saved in step (2).

In order to revert to the original rpcbind daemon, kill off the running
one with "kill -TERM", and start the original one.

Suggested entries for the host access-control files are:

    /etc/hosts.allow:
	rpcbind: your.sub.net.number/your.sub.net.mask
	rpcbind: 255.255.255.255 0.0.0.0

    /etc/hosts.deny:
	rpcbind: ALL: (/some/where/safe_finger -l @%h | /bin/mail root) &

Safe_finger comes with later tcp/ip daemon wrapper releases. It gives
better protection than the standard finger command.

The syntax of the access-control files is described in the
hosts_access.5 manual page that comes with the tcp/ip daemon wrapper
(log_tcp) sources. The second line in the hosts.allow file may be
needed in case there are unconfigured systems on your network segment.

In order to avoid deadlocks, the rpcbind program does not attempt to
look up the remote host name, nor will it try to match NIS netgroups.
There is no need to specify the local system: since it runs the rpcbind
daemon, it is authorized by definition. The reason for permitting whole
networks in the hosts.allow file is that many systems produce broadcast
rpc requests when booting.
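The following is an added example, not code from the rpcbind distribution: it evaluates a client IP address against rpcbind entries of the kind suggested above (a net/mask pair, bare addresses, ALL), in the hosts_access order of local host, then hosts.allow, then hosts.deny. The subnet, the local addresses and the sample clients are constructed placeholders; the shell-command field of the hosts.deny entry is ignored here.

```python
import ipaddress

# Constructed rule set mirroring the suggested entries; the subnet value
# stands in for your.sub.net.number/your.sub.net.mask.
HOSTS_ALLOW = [
    "rpcbind: 192.0.2.0/255.255.255.0",   # your own subnet
    "rpcbind: 255.255.255.255 0.0.0.0",   # unconfigured (booting) systems
]
HOSTS_DENY = [
    "rpcbind: ALL: (/some/where/safe_finger -l @%h | /bin/mail root) &",
]
# Constructed: addresses of the host running rpcbind (authorized by definition).
LOCAL_ADDRESSES = {"127.0.0.1", "192.0.2.10"}


def _pattern_matches(pattern, client):
    """Match one client pattern: ALL, dotted net/mask, or a literal address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        # hosts_access net/mask rule: match when (client & mask) == net
        masked = int(client) & int(ipaddress.IPv4Address(mask))
        return masked == int(ipaddress.IPv4Address(net))
    return client == ipaddress.IPv4Address(pattern)


def _rules_match(rules, daemon, client):
    """True if any 'daemon_list : client_list [: shell_command]' entry matches."""
    for rule in rules:
        fields = [f.strip() for f in rule.split(":", 2)]
        daemons, clients = fields[0].split(), fields[1].split()
        if daemon in daemons or "ALL" in daemons:
            if any(_pattern_matches(p, client) for p in clients):
                return True
    return False


def rpcbind_allows(client_ip, daemon="rpcbind"):
    """Local host wins; then allow file; then deny file; no match means allow."""
    if client_ip in LOCAL_ADDRESSES:
        return True
    client = ipaddress.IPv4Address(client_ip)
    if _rules_match(HOSTS_ALLOW, daemon, client):
        return True
    if _rules_match(HOSTS_DENY, daemon, client):
        return False
    return True
```

Without the second hosts.allow line, the 0.0.0.0 source used by booting clients falls through to the deny entry, which is why the README suggests it.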

Testing:
--------

Normally, only rejected requests will be reported via the syslog
daemon.  Logging is done in a child process, in order to avoid possible
deadlock in case the logging code needs assistance from the rpcbind
process.

By default, the rpcbind process will be utterly silent. In fact, the
rpcbind daemon is not consulted that often. Sending a SIGHUP signal to
the rpcbind process will enable the logging of all requests.

With verbose logging turned on, requests such as "showmount" or
"rpcinfo" should show up with log file entries such as:

 MMM dd hh:mm:ss hostname rpcbind: connect from x.x.x.x to getport(mountd)
 MMM dd hh:mm:ss hostname rpcbind: connect from y.y.y.y to dump()
 MMM dd hh:mm:ss hostname rpcbind: connect from loopback(xxxx) to unset()

In case of IP clients, the source IP address is logged; otherwise, the
transport name and universal address are logged as transport(address).

Send another SIGHUP to the rpcbind process to turn the verbose logging off.
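As an added example (not part of the rpcbind distribution), the parser below turns verbose log lines of the format shown above into records, separates IP clients from transport(address) clients, and flags remote lookups of the services the README names as origin-checking daemons. The log lines, host name and watch list are constructed; treating non-IP transports such as loopback as local is an assumption.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format documented above.
SAMPLE_LOG = """\
Apr 10 15:54:26 gw rpcbind: connect from 192.0.2.77 to getport(mountd)
Apr 10 15:54:27 gw rpcbind: connect from 198.51.100.5 to dump()
Apr 10 15:54:28 gw rpcbind: connect from loopback(1234) to unset()
Apr 10 15:54:29 gw rpcbind: connect from 198.51.100.5 to getport(ypserv)
Apr 10 15:54:30 gw sshd[212]: Accepted publickey for root from 192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) rpcbind: "
    r"connect from (?P<src>\S+) to (?P<call>\w+)\((?P<arg>[^)]*)\)$"
)
# Non-IP clients are logged as transport(address) instead of a bare IP.
TRANSPORT_RE = re.compile(r"^(?P<transport>\w+)\((?P<addr>[^)]*)\)$")

# Constructed watch list: daemons the README says should verify request origin.
WATCHED = {"mountd", "nfsd", "ypserv"}


def parse_line(line):
    """Return a dict for an rpcbind 'connect from' line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    t = TRANSPORT_RE.match(rec["src"])
    if t:  # assumption: transport(address) clients (e.g. loopback) are local
        rec["remote"] = False
        rec["transport"], rec["addr"] = t.group("transport"), t.group("addr")
    else:
        rec["remote"] = True
    return rec


def parse_log(text):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def suspicious(records):
    """Remote getport() of a watched service, or a remote dump() of the table."""
    return [r for r in records if r["remote"] and
            (r["call"] == "dump" or
             (r["call"] == "getport" and r["arg"] in WATCHED))]


def per_source(records):
    """Request count per remote IP, for spotting scanners in a verbose log."""
    return Counter(r["src"] for r in records if r["remote"])
```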

Acknowledgements:
-----------------

Thanks to Robert Montjoy for helping with the port of my tirpcsrc1.0
patches to the tirpcsrc2.0 environment.

	Wietse Venema (wietse@wzv.win.tue.nl)
	Mathematics and Computing Science
	Eindhoven University of Technology
	The Netherlands
