From owner-freebsd-questions Wed Apr 25 6: 2:52 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mail2.wmptl.com (mail2.wmptl.com [216.94.6.26]) by hub.freebsd.org (Postfix) with ESMTP id 7220037B424 for ; Wed, 25 Apr 2001 06:02:49 -0700 (PDT) (envelope-from webmaster@wmptl.com)
Received: from wmptl.com ([10.0.0.168]) by mail2.wmptl.com (8.9.3/8.9.3) with ESMTP id JAA18278; Wed, 25 Apr 2001 09:00:43 -0400 (EDT) (envelope-from webmaster@wmptl.com)
Message-ID: <3AE6C9E6.EE943B7@wmptl.com>
Date: Wed, 25 Apr 2001 08:58:14 -0400
From: Nathan Vidican
X-Mailer: Mozilla 4.7 [en] (Win95; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Mark Drayton
Cc: questions@freebsd.org
Subject: Re: Continously getting error 'rpc.statd: invalid hostname to sm_stat: ...' could it be a DOS attack? (solution)
References: <200104231831.OAA47437@mail2.wmptl.com> <01042310270701.01587@galaxy.anchoragerescue.org> <20010423225359.A14549@tethys.valhalla.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Mark Drayton wrote:
>
> Beech Rintoul (akbeech@anchoragerescue.org) wrote:
> > On Monday 23 April 2001 10:31, Nathan Vidican wrote:
> > > We have been, (for several weeks now), been getting the error
> > > message (logged to both the console, and /var/log/messages) as
> > > follows:
>
> [snip linux rpc.statd overflow log message]
>
> > It's a hack attempt with an old Linux kiddie script. Never affected
> > FreeBSD, and no longer works on Linux. I wouldn't worry about it, we
> > get that three or four times a day.
>
> You should firewall off access to your NFS daemons and get
> some kind of intrusion detection system (such as snort) to log the
> source address of these attacks. NFS daemons should not be accessible
> from the internet.
>
> --
>
> Mark Drayton
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

Just a note for those who are lurking or following this thread, I did
both. I reconfig'd the kernel to add support for ipfirewall, and made a
quick firewall script to disallow all traffic except for email, web,
dns, squid, and ftp, as well as to log all other denied tcp traffic. No
problems since then (thus far).

Also think the other issue wherein the server kept crapping out had to
do with the quality of the NIC; since we replaced it with an Intel (fxp)
card we've had no problems. Anyhow, that's what our solution turned out
to be.

-Later
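
A default-deny ipfw ruleset of the kind the reply above describes, added here as an illustration; it is not the script from the post. The port numbers (21, 25, 53, 80, 3128), the rule numbering and the function names are assumptions based on service defaults.

```sh
#!/bin/sh
# Added illustration: default-deny ipfw ruleset in the shape the reply describes.
# Port numbers are assumed service defaults, not values taken from the post.
TCP_SERVICES="21 25 53 80 3128"   # ftp, smtp, dns, http, squid (assumed ports)
UDP_SERVICES="53"                 # dns

# Print the ruleset, one rule per line, without touching the live firewall.
emit_rules() {
    n=100
    echo "add $n allow ip from any to any via lo0"
    n=$((n + 100)); echo "add $n check-state"
    n=$((n + 100)); echo "add $n allow tcp from any to any established"
    # Let the server itself open connections and send queries outward.
    n=$((n + 100)); echo "add $n allow tcp from me to any setup"
    n=$((n + 100)); echo "add $n allow udp from me to any keep-state"
    for p in $TCP_SERVICES; do
        n=$((n + 100)); echo "add $n allow tcp from any to me $p setup"
    done
    for p in $UDP_SERVICES; do
        n=$((n + 100)); echo "add $n allow udp from any to me $p keep-state"
    done
    # Everything else, including portmapper (111) and rpc.statd, is refused.
    # Refused TCP is logged first so the source address is recorded.
    # Passive-mode FTP data ports are not opened by this sketch.
    n=$((n + 100)); echo "add $n deny log tcp from any to any"
    n=$((n + 100)); echo "add $n deny ip from any to any"
}

# Return 0 if the ruleset would let an inbound TCP connection reach port $1.
tcp_port_open() {
    emit_rules | grep -q "allow tcp from any to me $1 setup\$"
}

# "apply" loads the rules (root, kernel with IPFIREWALL); "show" prints them.
case "${1:-}" in
    apply) ipfw -q -f flush
           emit_rules | while read -r rule; do ipfw -q $rule; done ;;
    show)  emit_rules ;;
esac
```

The `log` keyword only produces syslog entries when the kernel was built with IPFIREWALL_VERBOSE or `net.inet.ip.fw.verbose` is set to 1.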