Date: Thu, 8 Mar 2001 12:45:36 -0600
From: Scott Johnson <sjohn@airlinksys.com>
To: security@freebsd.org
Subject: Re: strange messages
Message-ID: <20010308124536.A23112@ns2.airlinksys.com>
In-Reply-To: <BIEHKEFNHFMMJEKCDMLNCEBBCGAA.oldfart@gtonet.net>; from oldfart@gtonet.net on Thu, Mar 08, 2001 at 08:08:45AM -0800
References: <20010308164406.A383@nebula.cybercable.fr> <BIEHKEFNHFMMJEKCDMLNCEBBCGAA.oldfart@gtonet.net>

Quoth oldfart@gtonet on Thu, Mar 08, 2001 at 08:08:45AM -0800:
>
> Fair enough, I've blocked ports 111, 1011 + 1022, which seem to be
> portmapper(sunrpc) and rpc.stat according to /etc/services and sockstat
> respectively, at my firewall. If this *is* indeed an attempted exploit I
> *should* be dropping the packets and logging where it came from if it's not
> spoofed. If I *do* end up with more of those errors then that should prove
> it's *not* an exploit attempt, right?

RPC ports are dynamically assigned, and portmapper (rpcbind) is the
process that gives out the addresses for rpc services. So blocking the
port used today won't work, since it may be different the next time the
process starts.

Which goes to show: You should be denying everything by default at your
firewall, and allowing only what you need. What if the attempt (assuming
this was a remote exploit attempt) was successful? You'd be a day late.

-- 
Scott Johnson
System/Network Administrator
Airlink Systems

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
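
The following is an added example, not part of the original message or thread. It models a first-match packet filter to compare the port blocklist from the quoted text with a default-deny ruleset once an RPC service comes back on different ports. The allowed ports (22, 25) and the post-restart ports (1018, 1023) are assumptions made up for illustration; 111, 1011 and 1022 are from the message.

```python
"""First-match packet-filter model: port blocklist vs. default deny."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    port: Optional[int]    # None matches any destination port


def decide(rules, dst_port):
    """Return the action of the first matching rule (first match wins)."""
    for rule in rules:
        if rule.port is None or rule.port == dst_port:
            return rule.action
    raise ValueError("ruleset has no catch-all rule")


# Ruleset from the quoted message: block today's ports, allow the rest.
BLOCKLIST = [Rule("deny", p) for p in (111, 1011, 1022)] + [Rule("allow", None)]

# Default deny. The allowed ports (22, 25) are assumed for illustration.
DEFAULT_DENY = [Rule("allow", p) for p in (22, 25)] + [Rule("deny", None)]

# Constructed sample: ports an RPC service holds across two starts.
# 1011 and 1022 are from the message; 1018 and 1023 are made up.
RPC_PORTS_BY_START = [(1011, 1022), (1018, 1023)]


def exposed_ports(rules, starts=RPC_PORTS_BY_START):
    """Per service start, list the RPC ports outside hosts can still reach."""
    return [[p for p in ports if decide(rules, p) == "allow"] for ports in starts]


if __name__ == "__main__":
    print("blocklist   :", exposed_ports(BLOCKLIST))
    print("default deny:", exposed_ports(DEFAULT_DENY))
```
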