Date:      Thu, 8 Mar 2001 10:07:55 -0800
From:      Brooks Davis <brooks@one-eyed-alien.net>
To:        "oldfart@gtonet" <oldfart@gtonet.net>
Cc:        security@FreeBSD.ORG
Subject:   Re: strange messages
Message-ID:  <20010308100755.A13090@Odin.AC.HMC.Edu>
In-Reply-To: <BIEHKEFNHFMMJEKCDMLNCEBBCGAA.oldfart@gtonet.net>; from oldfart@gtonet.net on Thu, Mar 08, 2001 at 08:08:45AM -0800
References:  <20010308164406.A383@nebula.cybercable.fr> <BIEHKEFNHFMMJEKCDMLNCEBBCGAA.oldfart@gtonet.net>

On Thu, Mar 08, 2001 at 08:08:45AM -0800, oldfart@gtonet wrote:
> Fair enough, I've blocked ports 111, 1011 + 1022, which seem to be
> portmapper(sunrpc) and rpc.stat according to /etc/services and sockstat
> respectively, at my firewall. If this *is* indeed an attempted exploit I
> *should* be dropping the packets and logging where it came from if it's not
> spoofed. If I *do* end up with more of those errors then that should prove
> it's *not* an exploit attempt, right?

Blocking port 111 is a good idea, but blocking 1011 and 1022 is
pointless.  RPC services bind to an arbitrary port and then register it
with the portmapper.  There is no way to be sure that a given RPC
service will end up on the same port next time you boot.  It's quite
trivial to probe for RPC services without portmapper's help.  By
blocking portmapper, you will probably avoid the more stupid exploits,
but you may still see errors due to scans after reboot.

-- Brooks

-- 
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529  9BF0 5D8E 8BE9 F238 1AD4
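Brooks's point, that an RPC service such as rpc.statd lands on whatever port it gets at each boot and only portmapper (port 111) stays put, can be checked from `rpcinfo -p` output taken after successive reboots. The following is an added example, not part of the thread; the two snapshots are constructed, and the ports rpc.statd receives in the second boot are invented for illustration.

```python
import re

# Constructed `rpcinfo -p` snapshots from two hypothetical boots of one host
# (not real output from the poster's machine). Program 100000 is portmapper,
# 100024 is "status", the registration rpc.statd makes.
BOOT_1 = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1011  status
    100024    1   tcp   1022  status
"""
BOOT_2 = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1014  status
    100024    1   tcp   1027  status
"""

_LINE = re.compile(r"^\s*(\d+)\s+\d+\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")

def parse_rpcinfo(text):
    """Map (program, proto) -> (port, name) from `rpcinfo -p` text.
    The header line and blanks do not match the pattern and are skipped."""
    regs = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            prog, proto, port, name = m.groups()
            regs[(int(prog), proto)] = (int(port), name)
    return regs

def _ports_by_registration(snapshots):
    """Collect every port each (program, proto) registration was seen on."""
    seen = {}
    for snap in snapshots:
        for key, (port, _name) in parse_rpcinfo(snap).items():
            seen.setdefault(key, set()).add(port)
    return seen

def port_churn(snapshots):
    """Registrations whose port differed between snapshots -> sorted list of ports."""
    seen = _ports_by_registration(snapshots)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

def stable_ports(snapshots):
    """Ports that every snapshot reported for the same registration; these are the
    only ones a static firewall rule can rely on."""
    seen = _ports_by_registration(snapshots)
    return sorted({next(iter(v)) for v in seen.values() if len(v) == 1})

if __name__ == "__main__":
    for (prog, proto), ports in sorted(port_churn([BOOT_1, BOOT_2]).items()):
        print(f"program {prog}/{proto} moved between ports {ports}")
    print("ports stable across boots:", stable_ports([BOOT_1, BOOT_2]))
```

On the sample data only 111 comes back as stable, which is exactly why a rule for 1011 and 1022 would not survive the next reboot.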
