From: Brooks Davis <brdavis@odin.ac.hmc.edu>
To: "oldfart@gtonet" <oldfart@gtonet.net>
Cc: security@FreeBSD.ORG
Subject: Re: strange messages
Date: Thu, 8 Mar 2001 10:07:55 -0800
Message-ID: <20010308100755.A13090@Odin.AC.HMC.Edu>
References: <20010308164406.A383@nebula.cybercable.fr>
In-Reply-To: message from oldfart@gtonet.net on Thu, Mar 08, 2001 at 08:08:45AM -0800
List: freebsd-security

On Thu, Mar 08, 2001 at 08:08:45AM -0800, oldfart@gtonet wrote:
> Fair enough, I've blocked ports 111, 1011 + 1022, which seem to be
> portmapper(sunrpc) and rpc.stat according to /etc/services and sockstat
> respectively, at my firewall. If this *is* indeed an attempted exploit I
> *should* be dropping the packets and logging where it came from if it's not
> spoofed. If I *do* end up with more of those errors then that should prove
> it's *not* an exploit attempt, right?

Blocking port 111 is a good idea, but blocking 1011 and 1022 is pointless.
RPC services bind to an arbitrary port and then register it with the
portmapper. There is no way to be sure that a given RPC service will end up
on the same port next time you boot. It's quite trivial to probe for RPC
services without portmapper's help.
By blocking portmapper, you will probably avoid the more stupid exploits,
but you may still see errors due to scans after reboot.

-- Brooks

-- 
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4
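The probe Brooks describes, as an added example that is not part of the original message or of any FreeBSD tool: an ONC RPC (RFC 5531) NULL-procedure call is built directly from the program number and sent to a candidate port, so the portmapper on 111 is never consulted. The reply's accept/reject status tells the scanner whether that program, some other RPC program, or nothing at all lives on the port. The program numbers are the usual /etc/rpc values; the sample replies used for offline checking are constructed here in the shape a real server would send, and `probe_udp`/`sweep` are hypothetical helper names.

```python
"""Probe for ONC RPC services on a port without asking the portmapper.

Added example; not code from the FreeBSD project or the list posters.
"""
import socket
import struct

CALL, REPLY = 0, 1
MSG_ACCEPTED, MSG_DENIED = 0, 1
ACCEPT_STAT = {0: "SUCCESS", 1: "PROG_UNAVAIL", 2: "PROG_MISMATCH",
               3: "PROC_UNAVAIL", 4: "GARBAGE_ARGS", 5: "SYSTEM_ERR"}
REJECT_STAT = {0: "RPC_MISMATCH", 1: "AUTH_ERROR"}

# Program numbers as listed in /etc/rpc (assumed; "status" is rpc.statd).
PROGRAMS = {"portmapper": 100000, "nfs": 100003, "mountd": 100005,
            "status": 100024}


def build_null_call(xid, prog, vers=1, proc=0):
    """XDR-encode an RPC CALL: xid, CALL, rpcvers 2, prog, vers, proc,
    AUTH_NONE credential (flavor 0, length 0) and AUTH_NONE verifier."""
    return struct.pack(">10I", xid, CALL, 2, prog, vers, proc, 0, 0, 0, 0)


def tcp_record(payload):
    """Add the record-marking header (last-fragment bit | length) for TCP."""
    return struct.pack(">I", 0x80000000 | len(payload)) + payload


def parse_reply(data, expected_xid):
    """Decode an RPC REPLY and classify it as a string."""
    if len(data) < 12:
        return "short"
    xid, mtype, rstat = struct.unpack(">3I", data[:12])
    if xid != expected_xid or mtype != REPLY:
        return "not-our-reply"
    off = 12
    if rstat == MSG_ACCEPTED:
        _flavor, vlen = struct.unpack(">2I", data[off:off + 8])
        off += 8 + ((vlen + 3) & ~3)          # opaque verifier, 4-byte padded
        (astat,) = struct.unpack(">I", data[off:off + 4])
        off += 4
        name = ACCEPT_STAT.get(astat, "accept_stat=%d" % astat)
        if astat == 2:                        # PROG_MISMATCH carries low/high
            low, high = struct.unpack(">2I", data[off:off + 8])
            name += " (versions %d-%d)" % (low, high)
        return name
    if rstat == MSG_DENIED:
        (rj,) = struct.unpack(">I", data[off:off + 4])
        return "DENIED:" + REJECT_STAT.get(rj, str(rj))
    return "reply_stat=%d" % rstat


def probe_udp(host, port, prog, vers=1, timeout=2.0, xid=0x5EED0001):
    """Send one NULL call straight to host:port; no GETPORT lookup on 111."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_null_call(xid, prog, vers), (host, port))
        data, _ = s.recvfrom(4096)
    except socket.timeout:
        return "no-answer"
    finally:
        s.close()
    return parse_reply(data, xid)


def sweep(host, port, programs=PROGRAMS):
    """Ask one port which known program answers there. PROG_UNAVAIL still
    proves an RPC listener is present, just for a different program."""
    return {name: probe_udp(host, port, prog) for name, prog in programs.items()}


# Constructed replies for offline checks (same layout a server emits).
def accepted_reply(xid, accept_stat, *extra):
    return struct.pack(">%dI" % (6 + len(extra)),
                       xid, REPLY, MSG_ACCEPTED, 0, 0, accept_stat, *extra)


def denied_reply(xid, reject_stat):
    return struct.pack(">4I", xid, REPLY, MSG_DENIED, reject_stat)


if __name__ == "__main__":
    for name, prog in PROGRAMS.items():
        print(name, build_null_call(1, prog).hex())
    print(parse_reply(accepted_reply(1, 2, 1, 3), 1))
```

Because the call needs only a program number and a port, a scanner can walk every UDP/TCP port with a handful of program numbers and learn exactly what a `rpcinfo -p` against 111 would have told it; filtering 111 therefore removes the convenient lookup, not the services themselves. This is why the reboot-time scan noise Brooks mentions can continue with portmapper blocked.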