A handful of good responses. Basically, I need rpcbind back if I want CDE on the console. Also, I need to keep X11. If I had a newer version of Solaris (I'm not sure where it starts), then I could start X11 with "-nolisten tcp" and it would only be local. No way to do that on my version. Some say that a server shouldn't have a GUI anyway. However, I have run into problems with some installs (e.g. Oracle) that require a GUI for their installer and use a Java client running on the server from the install CD. So, options are to (1) bring back some of what I have removed and make sure I'm up on patches, (2) skip the GUI, (3) proceed with installing and configuring IPFilter to cut off outside access to virtually everything. 3 is independent. Do it in any case.

Replies from Casper Dik, Crist Clark, Daping Xia, Anthony D'Atri, Aleksander Pavic, Tony Schloss and Harvey Wamboldt. Those with unique details are included below after my original message.

---------------

Chris Hoogendyk

-   O__  ---- Network Specialist & Unix Systems Administrator
-  c/ /'_ --- Library Information Systems & Technology Services
- (*) \(*) -- W.E.B. Du Bois Library
~~~~~~~~~~ - University of Massachusetts, Amherst

<choogend@library.umass.edu>

---------------

-------- Original Message --------
Subject: closing ports kills console
Date: Tue, 18 May 2004 14:27:02 -0400
From: Chris Hoogendyk <choogend@library.umass.edu>
To: Sun Managers <sunmanagers@sunmanagers.org>

I've nearly completed my effort at closing ports using the proactive removal method (from inetd.conf, rc2.d, and rc3.d), and have yet to get into IPF. When I rebooted this morning, after having cleared a number of ports the last few days, I found that I could not log in on the console. I get the CDE login and it begins to set up the desktop, then it puts up an error message saying "the DT messaging system could not be started" and returns me to the login. I could select failsafe at the login, so I'm not locked out, but ...

What do I need to have running to get this back? Then, how do I change whatever that is to be listening only on the localhost so that I don't have a port open to the outside? I did this sort of thing with mysql by putting a line in the my.cnf file specifying bind-address=127.0.0.1

Finally, the one port I still have open that I would like to close is 6000 -- X11. I would like to close that down to the outside world, but I'm a little concerned that it too will be wrapped up with CDE and I may kill my console again.

TIA

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

-------- Original Message --------
Subject: Re: closing ports kills console
Date: Tue, 18 May 2004 20:36:26 +0200
From: Casper Dik <casper@holland.sun.com>
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <40AA5576.4050605@library.umass.edu>

<snip>

Probably rpcbind; tooltalk needs RPC. Solaris Express (Solaris 10 pre-release) contains tcp wrapped rpcbind.

<snip>

Start Xsun through /etc/dt/bin/Xservers with -nolisten tcp (if your version of Solaris supports that; it was a fairly late addition)

Casper

-------- Original Message --------
Subject: Re: closing ports kills console
Date: Tue, 18 May 2004 11:44:46 -0700
From: Crist Clark <crist.clark@globalstar.com>
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <40AA5576.4050605@library.umass.edu>

<snip>

CDE won't start up without the RPC portmapper running, /etc/init.d/rpc. There is no way in Solaris <10 to change the listening address on it.

CDE also may be a little funny since you've probably killed the Tool Talk DB server in inetd.conf, but that should not prevent it from starting. I've found it rather odd that it won't start without the RPC mapper running, but if the services it looks for through RPC are not there, it will still start up... So why did it need the portmapper?

<snip>

I think Sun finally added a -nolisten option to the X daemon, but can't recall if it starts in 8, 9, or Coming Real Soon in 10.

--
Crist J. Clark                               crist.clark@globalstar.com
Globalstar Communications                                (408) 933-4387

-------- Original Message --------
Subject: Re: closing ports kills console
Date: Tue, 18 May 2004 16:31:53 -0700
From: Anthony D'Atri <aad@verio.net>
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <40AA5576.4050605@library.umass.edu>

<snip>

Think seriously about turning off inetd entirely.

<snip>

CDE is a big ugly complex mess, and I didn't like it when HP called it VUE either. On Sun hardware I've always just used a normal X environment with, say, fvwm, invoked via xinit/xstart after login, not via some sort of risky xdm deal.

<snip>

One would hope that it would use only shared-memory or unix-domain socket transports for local client communication, but that's hard to know for sure. Is DISPLAY set to :0?

-------- Original Message --------
Subject: RE: closing ports kills console
Date: Wed, 19 May 2004 09:50:38 +0200
From: Pavic, Aleksander <Aleksander.Pavic@telekom.de>
To: choogend@library.umass.edu

Hi,

I think you have disabled rpc to close rpc ports. But X needs rpc to work. Once you have rpc running you need to run /etc/rc2.d/S99dtlogin.

IMPORTANT: If you intend to build a high security system you cannot allow X because of rpc. There is probably a way to configure rpc in a way that it cannot go through "local" borders. Try to use 'secure rpc' if you cannot find a solution for the 'normal rpc' system.

HTH,
Aleks

-------- Original Message --------
Subject: Re: closing ports kills console
Date: Wed, 19 May 2004 06:30:49 -0400
From: Tony_Schloss@ao.uscourts.gov
To: Chris Hoogendyk <choogend@library.umass.edu>

The below line is the only entry from /etc/inetd.conf that I still have enabled -- it's the only one needed to maintain the CDE capability.

    100083/1  tli  rpc/tcp  wait  root  /usr/dt/bin/rpc.ttdbserverd  rpc.ttdbserverd

Note that CDE will also depend on other services (not inet-related), such as keeping RPC running (via the /etc/rc2.d/S71rpc startup script).

There are other things you can do to keep a little tighter security on CDE logins, though. For example, you should have a file /etc/dt/config/Xaccess, with the following 2 lines (and only these 2 lines):

    !*
    !* CHOOSER BROADCAST

You should also have a file /etc/dt/config/Xservers with the following line in it:

    :0  Local local_uid@console root /usr/openwin/bin/Xsun :0 -nobanner -nolisten tcp

This last line is the important one for what you're asking, I think -- it's the one that keeps CDE from listening for other machines and offering an open port for them to come in. This file is available from /usr/dt/config/Xservers; all you need to do is copy it to /etc/dt/config, and add the "-nolisten tcp" option.

Note that this is all for Solaris 9 -- if you have a different version, you may have other issues to deal with, and it's been a while since I worked with older versions of Solaris.

HTH,
Tony

~~~~~~~~~
Tony Schloss
Web Administration Team
OIT-IMD Judicial Data Center
Administrative Offices of the U.S. Courts
202.502.2401
tony_schloss@ao.uscourts.gov

"They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty." - Benjamin Franklin

-------- Original Message --------
Subject: Re: closing ports kills console
Date: Wed, 19 May 2004 11:15:37 -0300 (ADT)
From: Harvey Wamboldt <harvey@iotek.ns.ca>
To: Chris Hoogendyk <choogend@library.umass.edu>
References: <40AA5576.4050605@library.umass.edu>

Is rpc.ttdbserverd running? I think I remember having this problem before. Installing the latest tooltalk patch fixed my particular problems. I never did figure out how to close off the port and still run CDE. If you figure it out, I'd be very interested in what you did. In my case I turned off CDE.

Rgds, -H-

Received on Wed May 19 15:40:16 2004
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:31 EST
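The thread settles on option (3): keep rpcbind, ttdbserverd and Xsun for CDE, but verify what is still reachable from the network and fence it off with IPFilter. The script below is an added example, not part of the thread or of any poster's configuration. It audits the host the way a practitioner would after the "proactive removal" pass: it lists the TCP listeners bound to the wildcard address (Solaris prints loopback-only binds such as the mysql bind-address=127.0.0.1 case as 127.0.0.1.port, so those are correctly skipped), lists the RPC programs registered with rpcbind so that the dynamically numbered ttdbserverd port (program 100083) is not missed, and then turns the exposed ports into IPFilter block rules. The interface name hme0, the allowlist of port 22, and the netstat/rpcinfo sample output are all constructed assumptions; on a real system pipe the live `netstat -an -f inet` and `rpcinfo -p` output in instead.

```shell
#!/bin/sh
# Added example (not from the thread): audit what is still reachable after
# removing services from inetd.conf/rc2.d/rc3.d, then generate IPFilter
# block rules for it. Sample command output below is constructed to look
# like Solaris 8/9 "netstat -an -f inet" and "rpcinfo -p" output.

# Solaris /usr/bin/awk lacks sub(); use nawk there (AWK=/usr/bin/nawk).
AWK=${AWK:-awk}

# Print the TCP port of every LISTEN socket bound to the wildcard address
# ("*.port"), one per line. Loopback-only binds ("127.0.0.1.port") are
# not reachable from outside and are left out on purpose.
exposed_listeners() {
    $AWK '$NF == "LISTEN" && $1 ~ /^\*\./ { sub(/^\*\./, "", $1); print $1 }'
}

# Print "port program service" for each TCP RPC registration in
# "rpcinfo -p" output. Programs like 100083 (ttdbserverd) are assigned a
# dynamic port at start-up, so the number has to be read from here.
rpc_tcp_services() {
    $AWK 'NR > 1 && $3 == "tcp" { print $4, $1, $5 }'
}

# Emit IPFilter rules: keep loopback fully open (CDE/tooltalk talk to
# rpcbind locally) and drop inbound TCP to every exposed port except the
# space-separated allowlist in $2. $1 is the external interface.
# Usage: netstat -an -f inet | ipf_block_rules hme0 "22"
ipf_block_rules() {
    iface=$1
    allow=" $2 "
    printf 'pass in quick on lo0 all\npass out quick on lo0 all\n'
    exposed_listeners | while read -r port; do
        case "$allow" in
            *" $port "*) ;;   # allowlisted: stays reachable
            *) printf 'block in log quick on %s proto tcp from any to any port = %s\n' \
                   "$iface" "$port" ;;
        esac
    done
}

# Constructed sample: rpcbind (111), Xsun (6000), ttdbserverd (dynamic
# 32771) and sshd (22) exposed; mysql bound to loopback only.
NETSTAT_SAMPLE='TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.111                *.*                0      0 49152      0 LISTEN
      *.6000               *.*                0      0 49152      0 LISTEN
      *.32771              *.*                0      0 49152      0 LISTEN
127.0.0.1.3306             *.*                0      0 49152      0 LISTEN
192.0.2.10.22        192.0.2.55.4021     49152      0 49152      0 ESTABLISHED'

# Constructed sample of "rpcinfo -p" on the same host.
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100083    1   tcp  32771  ttdbserverd
    100021    1   udp  32772  nlockmgr'

main() {
    echo "exposed TCP listeners:"
    printf '%s\n' "$NETSTAT_SAMPLE" | exposed_listeners
    echo "RPC programs on TCP (port program service):"
    printf '%s\n' "$RPCINFO_SAMPLE" | rpc_tcp_services
    echo "suggested ipf.conf rules (hme0 and the allowlist are assumptions):"
    printf '%s\n' "$NETSTAT_SAMPLE" | ipf_block_rules hme0 "22"
}
main
```

The generated rules are a per-port blocklist so the result is easy to read against the netstat output; for the long-term ruleset a default-deny (`block in all` last, explicit `pass in ... keep state` for the services you mean to offer) is the safer shape, since a new RPC service registering on a fresh dynamic port would otherwise slip past a list of fixed numbers.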