22.08 Jammy Downloads - why are NFS and OpenVPN servers installed?

[sfx2000]

Grabbed the latest Jammy download for NanoPi Neo 2 - https://redirect.armbian.com/nanopineo2/Jammy_current

 

Have to ask - why servers preinstalled and default configured?

 

I found NFS/rpcbind and OpenVPN preinstalled on the image - this is a security risk that can be easily avoided.

[Igor]

6 hours ago, sfx2000 said:

Have to ask - why servers preinstalled and default configured?

Idea was to provide client part, so I don't know why server was also there.

 

If you agree with the change, comment & approve: https://github.com/armbian/build/pull/4162

[sfx2000]

Thanks.

 

 

[cvxx]

Sorry for bumping, but I have just tried Armbian_23.02.2_Pine64_jammy_current_5.15.93.img and there is rpcbind started on boot and listening on all interfaces:

 

root@pine64:~# netstat -atnp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      694/rpcbind         
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      695/systemd-resolve 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1426/sshd: /usr/sbi 
tcp6       0      0 :::111                  :::*                    LISTEN      694/rpcbind         
tcp6       0      0 :::22                   :::*                    LISTEN      1426/sshd: /usr/sbi 

 

I think this is a security risk

Edited March 28, 2023 by cvxx

[Werner]

Seems like nfs-common depends on rpc-bind which is the reason this is pre-installed. So multiple ways to address:

 

- leave it as it is

- remove nfs-common and therefore rpc-bind

- provide custom config to make rpc-bind listen to localhost only (which could confuse users who'd expect default behavior instead on installation)