[284] in Coldmud discussion meeting


Re: ports

daemon@ATHENA.MIT.EDU (Fri May 20 12:06:42 1994 )

To: rayn@q.crossaccess.com (Ray Nawara jr.)
Cc: coldstuff@MIT.EDU
In-Reply-To: Your message of "Thu, 19 May 1994 10:47:18 PDT."
             <9405191747.AA21816@q.crossaccess.com> 
Date: Fri, 20 May 1994 12:00:35 -0400
From: Greg Hudson <ghudson@MIT.EDU>


Ray Nawara jr. writes:

> Well, this is just me being paranoid, but a portmapper type thing is
> a hacker's dream come true... the less random people know about the
> system the more secure it is.

Security through obscurity is no security at all.  It's quite easy to
write a program to connect to all ports on a system, at any rate.

Shell scripts run by the server run with the permissions of the uid
the server runs as.  If you leave the directory 'scripts' blank, it
will be impossible to run scripts from the server (although if I were
a concerned administrator, I'd probably disable the function in the
source code).

> And last night at the colddark meeting it was mentioned that anyone
> who was able to spoof connections and such to a cold were probably
> not worth stopping

Forge IP addresses?  Difficult to do with TCP connections beyond the
first few packets, unless it's from a site that's down.

> Another thing about portmappers. The general Sun style portmapper
> for RPC is a problem with security because it can be tricked...

This is completely irrelevant; what you've said is about a particular
implementation of a service with the name "portmapper" whose
functionality has very little to do with what Lynx is proposing.

> As far as I can see, nothing real big uses anything about 2766,
> except in the 6xxx range, which includes X, and IRC. Some MBone
> multicast stuff uses things in the 4000's, as well as 3456-7 and
> 9876, but I don't think these things are common, and seem to be only
> used at those specific sites. Perhaps to be considered though.

There are various established services scattered in that range, and
people are fond of picking random four-digit numbers for experimental
services.  AFS uses 700x, although it's not an issue since it uses UDP
rather than TCP.  You are best off using one or two ports and a
multiplexing protocol, except where it's desirable to use an existing
protocol such as SMTP.

--GBH