Date:      Thu, 8 Mar 2001 12:45:36 -0600
From:      Scott Johnson <sjohn@airlinksys.com>
To:        security@freebsd.org
Subject:   Re: strange messages
Message-ID:  <20010308124536.A23112@ns2.airlinksys.com>
In-Reply-To: <BIEHKEFNHFMMJEKCDMLNCEBBCGAA.oldfart@gtonet.net>; from oldfart@gtonet.net on Thu, Mar 08, 2001 at 08:08:45AM -0800
References:  <20010308164406.A383@nebula.cybercable.fr> <BIEHKEFNHFMMJEKCDMLNCEBBCGAA.oldfart@gtonet.net>

Quoth oldfart@gtonet on Thu, Mar 08, 2001 at 08:08:45AM -0800:
> 
> Fair enough, I've blocked ports 111, 1011 + 1022, which seem to be
> portmapper(sunrpc) and rpc.stat according to /etc/services and sockstat
> respectively, at my firewall. If this *is* indeed an attempted exploit I
> *should* be dropping the packets and logging where it came from if it's not
> spoofed. If I *do* end up with more of those errors then that should prove
> it's *not* an exploit attempt, right?

RPC ports are dynamically assigned, and portmapper (rpcbind) is the
process that gives out the addresses for rpc services. So blocking the
port used today won't work, since it may be different the next time the
process starts.  Which goes to show: You should be denying everything by
default at your firewall, and allowing only what you need. What if the
attempt (assuming this was a remote exploit attempt) was successful? You'd
be a day late.

-- 
                                 Scott Johnson
                          System/Network Administrator
                                Airlink Systems

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
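The point made above, that a block-list of today's RPC port numbers stops protecting you the next time rpcbind hands out different ones, can be checked mechanically. The following is an added example, not code from the thread: it parses two constructed `rpcinfo -p` listings (the only real port on the page is 111; the 1011/1022 ports come from the quoted message, and the "tomorrow" ports are made up), then evaluates both a block-list policy and a default-deny allow-list against them. The set of services assumed to be legitimately exposed (tcp/22, tcp/25) is an assumption for the sake of the example.

```python
"""Added example (not from the thread): why blocking today's RPC ports is not
enough. Parses constructed `rpcinfo -p` output, then asks which RPC services
an outside host could still reach under a fixed block-list versus a
default-deny allow-list."""

import re
from dataclasses import dataclass
from typing import Callable

# Constructed sample of `rpcinfo -p` output for "today". rpcbind itself is
# fixed on 111; the "status" (rpc.statd) ports were assigned at start-up.
RPCINFO_TODAY = """\
   program vers proto   port  service
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100024    1   udp   1011  status
    100024    1   tcp   1022  status
"""

# Constructed sample for the same host after a reboot: statd landed on
# different ports, so a block-list written yesterday no longer covers it.
RPCINFO_TOMORROW = """\
   program vers proto   port  service
    100000    2   tcp    111  rpcbind
    100000    2   udp    111  rpcbind
    100024    1   udp   1016  status
    100024    1   tcp   1018  status
"""

# One data row of `rpcinfo -p`: program, version, proto, port, service name.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")

Policy = Callable[[str, int], str]  # (proto, port) -> "allow" | "deny"


@dataclass(frozen=True)
class RpcMapping:
    program: int
    version: int
    proto: str
    port: int
    service: str


def parse_rpcinfo(text: str) -> list[RpcMapping]:
    """Parse the table printed by `rpcinfo -p`; the header line is skipped."""
    mappings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            mappings.append(RpcMapping(int(m[1]), int(m[2]), m[3], int(m[4]), m[5]))
    return mappings


def blocklist_policy(blocked_ports: set[int]) -> Policy:
    """Default-allow: drop only the listed ports (the approach in the quoted message)."""
    return lambda proto, port: "deny" if port in blocked_ports else "allow"


def allowlist_policy(allowed: set[tuple[str, int]]) -> Policy:
    """Default-deny: accept only the (proto, port) pairs explicitly needed."""
    return lambda proto, port: "allow" if (proto, port) in allowed else "deny"


def reachable_rpc_services(policy: Policy, mappings: list[RpcMapping]) -> list[str]:
    """RPC services an outside host could still reach through `policy`."""
    return sorted({m.service for m in mappings if policy(m.proto, m.port) == "allow"})


if __name__ == "__main__":
    today = parse_rpcinfo(RPCINFO_TODAY)
    tomorrow = parse_rpcinfo(RPCINFO_TOMORROW)
    blocked = {111, 1011, 1022}           # ports named in the quoted message
    needed = {("tcp", 22), ("tcp", 25)}   # assumed: ssh and smtp are all that is exposed
    for label, rules in (("block-list  ", blocklist_policy(blocked)),
                         ("default-deny", allowlist_policy(needed))):
        print(label, "today:", reachable_rpc_services(rules, today),
              "tomorrow:", reachable_rpc_services(rules, tomorrow))
```

Run as-is, the block-list shows nothing reachable today but `['status']` tomorrow, while the default-deny policy shows nothing reachable on either day without anyone having to know which ports rpcbind chose.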
