Date: Thu, 8 Mar 2001 10:28:07 -0800
From: "oldfart@gtonet" <oldfart@gtonet.net>
To: <security@FreeBSD.ORG>
Subject: RE: strange messages
Message-ID: <BIEHKEFNHFMMJEKCDMLNAEBHCGAA.oldfart@gtonet.net>
In-Reply-To: <20010308100755.A13090@Odin.AC.HMC.Edu>
> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Brooks Davis
> Sent: Thursday, March 08, 2001 10:08 AM
> To: oldfart@gtonet
> Cc: security@FreeBSD.ORG
> Subject: Re: strange messages
>
>
> On Thu, Mar 08, 2001 at 08:08:45AM -0800, oldfart@gtonet wrote:
> > Fair enough, I've blocked ports 111, 1011 + 1022, which seem to be
> > portmapper(sunrpc) and rpc.stat according to /etc/services and sockstat
> > respectively, at my firewall. If this *is* indeed an attempted exploit I
> > *should* be dropping the packets and logging where it came from if it's not
> > spoofed. If I *do* end up with more of those errors then that should prove
> > it's *not* an exploit attempt, right?
>
> Blocking port 111 is a good idea, but blocking 1011 and 1022 is
> pointless. RPC services bind to an arbitrary port and then register it
> with the portmapper. There is no way to be sure that a given RPC
> service will end up on the same port next time you boot. It's quite
> trivial to probe for RPC services without portmapper's help. By
> blocking portmapper, you will probably avoid the more stupid exploits,
> but you may still see errors due to scans after reboot.
>
> -- Brooks
>

Yeah, luckily, I run FreeBSD so I don't have to reboot much and most exploits are for Linux. }:-)>

It's not bad(TM) to block all ports that you don't need open, anyway, and since I only NFS to my local LAN blocking it sounded right. I mainly wanted to see if that would stop the error messages in question. A more permanent solution can be implemented at a later date.

Can those RPC services be FORCED to run on a certain port or is that just superfluous because portmapper is blocked? It would make filtering/logging/reporting/busting easier.

Thanks,
OF

> --
> Any statement of the form "X is the one, true Y" is FALSE.
> PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4
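The point Brooks makes above (portmapper sits on a fixed port, while rpc.statd and friends pick a port at startup, so a firewall rule naming 1011 and 1022 is brittle) can be turned into a quick audit of what a host is actually listening on. The script below is an added example and not code from either poster: it parses `sockstat -4l`-style output (the sample lines are constructed, with ports borrowed from the thread) and compares it with a block list, flagging rules that pin a dynamically assigned RPC port and reporting whether portmapper itself is covered. The treatment of any command named `rpc.*` as dynamically assigned is an assumption made here.

```python
"""Audit sockstat-style listener output against a firewall block list.

Added example, not part of the original thread. The sockstat text and the
block list are constructed; the only facts reused from the thread are that
portmapper listens on 111 and that rpc.statd's port is assigned at startup
and registered with portmapper rather than being fixed.
"""
import re

# Constructed sample in the column layout of FreeBSD's `sockstat -4l`.
SOCKSTAT_OUTPUT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     portmap    101    3 udp4   *:111                 *:*
root     portmap    101    4 tcp4   *:111                 *:*
root     rpc.statd  120    3 udp4   *:1011                *:*
root     rpc.statd  120    4 tcp4   *:1022                *:*
root     sshd       140    3 tcp4   *:22                  *:*
"""

# The ports the poster said he blocked at his firewall.
BLOCKED_PORTS = {111, 1011, 1022}


def parse_sockstat(text):
    """Return (command, proto, port) for every listening socket in the output.

    The first line is the column header and is skipped; lines that do not
    carry a numeric local port (e.g. unix sockets) are ignored.
    """
    entries = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        command, proto, local = fields[1], fields[4], fields[5]
        match = re.search(r":(\d+)$", local)
        if match:
            entries.append((command, proto, int(match.group(1))))
    return entries


def audit(entries, blocked_ports):
    """Compare listeners with the block list.

    portmapper_blocked: every port portmap listens on is in the block list.
    brittle_rules:      blocked ports that belong to an rpc.* daemon; these
                        are assigned at startup (assumption: any command named
                        rpc.* behaves this way), so the rule may miss after a
                        reboot exactly as Brooks describes.
    unblocked:          listening ports not covered by any block rule.
    """
    portmap_ports = {port for cmd, _, port in entries if cmd == "portmap"}
    return {
        "portmapper_blocked": bool(portmap_ports) and portmap_ports <= blocked_ports,
        "brittle_rules": sorted({port for cmd, _, port in entries
                                 if cmd.startswith("rpc.") and port in blocked_ports}),
        "unblocked": sorted({port for _, _, port in entries
                             if port not in blocked_ports}),
    }


if __name__ == "__main__":
    report = audit(parse_sockstat(SOCKSTAT_OUTPUT), BLOCKED_PORTS)
    print("portmapper fully blocked:", report["portmapper_blocked"])
    print("rules pinned to dynamic RPC ports (recheck after reboot):",
          report["brittle_rules"])
    print("listening ports with no block rule:", report["unblocked"])
```

Run against the constructed sample it confirms 111 is covered, flags 1011 and 1022 as rules that depend on rpc.statd landing on the same ports next boot, and lists 22 as the one listener left open, which is the state the thread describes.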