From: Ceri Davies
To: Charles Howse
Cc: freebsd-questions@freebsd.org
Date: Thu, 9 Oct 2003 14:35:05 +0100
Subject: Re: Unusual logcheck entry
Message-ID: <20031009133505.GD32124@submonkey.net>
In-Reply-To: <005d01c38e5f$36fbba10$04fea8c0@moe>
List: freebsd-questions (User questions)

On Thu, Oct 09, 2003 at 07:16:45AM -0500, Charles Howse wrote:
> > On Thu, Oct 09, 2003 at 05:43:31AM -0500, Charles Howse wrote:
> > > The following appeared in /var/log/messages in my daily
> > > logcheck report:
> > >
> > > Oct 8 20:38:47 curly rpc.statd: invalid hostname to sm_stat:
> > > ^X???^X???^Z???^Z???%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hnM-^PM
> > >
> > > At that time, I was sitting on the couch watching the Cubs play the
> > > Marlins.
> > > Any idea what this means?
> >
> > This is an attempt to exploit an old Linux rpc.statd
> > vulnerability; see the mailing list archives for extensive discussion
> > a few years ago.
>
> OK, I got some good info from the archives.
> I realize this is a harmless attack if running FBSD.
> I also realize that I shouldn't be running rpc on an interface facing
> the internet.
> For various reasons, this server is outside my hardware firewall, and
> I'm not interested in configuring a software firewall.
> Correct me if I'm wrong, but it looks to me like rpc.statd is related
> (at least) to NFS.
> I've placed the line nfs_server_flags="-h 192.168.254.2" in my
> /etc/rc.conf, and rebooted.
> I've also edited /etc/ssh/sshd_config, and told it to listen only on
> 192.168.254.2, and not allow root logins.
> Am I now protected from this attack? (note rpc.stat lines below)

You were anyway; this never affected FreeBSD.

However, I'd also add portmap_flags="-h 192.168.254.2" to your rc.conf if I
were you.

I'd also reconsider the decision not to run a firewall.

Ceri
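As an added example (not part of the original thread, and not from logcheck or FreeBSD), the following Python scanner turns the diagnosis above into detection logic: the quoted payload is a printf-style format string, and the things that give it away are the `%hn` directives (the only conversion that writes to memory), the long run of `%8x` directives that walk values off the stack, and the huge field widths (`%62716x`) that pad the output so the byte count stored by the following `%hn` lands on the attacker's chosen value. The sample log lines are constructed here; only the first reuses the payload quoted in the report. The thresholds (four stack reads, width 1024) are my own choices, not anything the thread states.

```python
import re

# The payload quoted in the report, as logcheck rendered the unprintable bytes.
PAYLOAD = ("^X???^X???^Z???^Z???%8x%8x%8x%8x%8x%8x%8x%8x%8x"
           "%62716x%hn%51859x%hnM-^PM")

# Constructed syslog excerpt: line 1 is the real payload, the rest are made up
# here for contrast (a legitimate hostname, an unrelated sshd line, and a
# message containing a harmless literal "%%").
SAMPLE_LOG = (
    "Oct  8 20:38:47 curly rpc.statd: invalid hostname to sm_stat: " + PAYLOAD + "\n"
    "Oct  8 20:40:12 curly rpc.statd: invalid hostname to sm_stat: nfsclient.example.net\n"
    "Oct  8 20:41:03 curly sshd[1234]: Accepted publickey for charles from 192.168.254.10 port 40022 ssh2\n"
    "Oct  8 20:42:55 curly rpc.statd: invalid hostname to sm_stat: 100%%done\n"
)

# Classic BSD syslog layout: timestamp, host, program[pid]: message
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\s]+): (?P<msg>.*)$")

# One printf conversion: flags, optional width/precision, optional length
# modifier (hh/h/ll/l/q/j/z/t/L), then the conversion character. "%%" is
# matched too so that a literal percent sign is not miscounted.
DIRECTIVE = re.compile(
    r"%[-+ #0]*(?P<width>\d+)?(?:\.\d+)?"
    r"(?P<len>hh|h|ll|l|q|j|z|t|L)?(?P<conv>[diouxXeEfgGcspn%])")

READ_CONVS = {"x", "X", "p", "u", "d"}   # pull an argument off the stack
MIN_READ_RUN = 4                          # assumed threshold for "stack walking"
MAX_SANE_WIDTH = 1024                     # assumed: no real hostname needs this


def parse_syslog(line):
    """Split one syslog line into its fields, or return None if it does not parse."""
    m = SYSLOG_LINE.match(line)
    return m.groupdict() if m else None


def format_string_indicators(text):
    """Return the reasons `text` looks like a format-string attack (empty == benign)."""
    directives = [m for m in DIRECTIVE.finditer(text) if m.group("conv") != "%"]
    reasons = []

    writes = [m.group(0) for m in directives if m.group("conv") == "n"]
    if writes:
        reasons.append(f"{len(writes)} memory-write directive(s) {writes}: "
                       "%n stores the byte count printed so far through a "
                       "pointer taken from the stack")

    reads = [m.group(0) for m in directives if m.group("conv") in READ_CONVS]
    if len(reads) >= MIN_READ_RUN:
        reasons.append(f"{len(reads)} stack-reading directives such as {reads[0]}: "
                       "used to advance the argument pointer to attacker data")

    wide = [int(m.group("width")) for m in directives
            if m.group("width") and int(m.group("width")) >= MAX_SANE_WIDTH]
    if wide:
        reasons.append(f"oversized field width(s) {wide}: padding sets the value "
                       "a following %n will write")
    return reasons


def scan(log_text):
    """Run the indicator check over every parseable line; return the flagged ones."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_syslog(line)
        if rec is None:
            continue
        reasons = format_string_indicators(rec["msg"])
        if reasons:
            hits.append({"host": rec["host"], "prog": rec["prog"],
                         "ts": rec["ts"], "indicators": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['host']} {hit['prog']}:")
        for r in hit["indicators"]:
            print("   -", r)
```

The point of splitting the message from the program name is that the check is generic: the same indicators apply to any daemon that logs attacker-controlled strings, which is why a logcheck ignore rule should never be so broad that it swallows an `rpc.statd` line containing `%n`. On the FreeBSD side the mitigation in the thread still stands: bind `rpc.statd` and `portmap` to the internal address with `-h`, so the payload never reaches the daemon at all.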