From: "oldfart@gtonet" <oldfart@gtonet.net>
Delivered-To: freebsd-security@freebsd.org
Subject: RE: strange messages
Date: Thu, 8 Mar 2001 10:28:07 -0800
In-Reply-To: <20010308100755.A13090@Odin.AC.HMC.Edu>

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Brooks Davis
> Sent: Thursday, March 08, 2001 10:08 AM
> To: oldfart@gtonet
> Cc: security@FreeBSD.ORG
> Subject: Re: strange messages
>
>
> On Thu, Mar 08, 2001 at 08:08:45AM -0800, oldfart@gtonet wrote:
> > Fair enough, I've blocked ports 111, 1011 + 1022, which seem to be
> > portmapper(sunrpc) and rpc.stat according to /etc/services and sockstat
> > respectively, at my firewall. If this *is* indeed an attempted exploit I
> > *should* be dropping the packets and logging where it came from if it's not
> > spoofed. If I *do* end up with more of those errors then that should prove
> > it's *not* an exploit attempt, right?
>
> Blocking port 111 is a good idea, but blocking 1011 and 1022 is
> pointless. RPC services bind to an arbitrary port and then register it
> with the portmapper. There is no way to be sure that a given RPC
> service will end up on the same port next time you boot. It's quite
> trivial to probe for RPC services without portmapper's help. By
> blocking portmapper, you will probably avoid the more stupid exploits,
> but you may still see errors due to scans after reboot.
>
> -- Brooks
>

Yeah, luckily, I run FreeBSD so I don't have to reboot much and most exploits are for Linux. }:-)>

It's not bad(TM) to block all ports that you don't need open, anyway, and since I only NFS to my local LAN blocking it sounded right. I mainly wanted to see if that would stop the error messages in question. A more permanent solution can be implemented at a later date.

Can those RPC services be FORCED to run on a certain port, or is that just superfluous because portmapper is blocked? It would make filtering/logging/reporting/busting easier.

Thanks,
OF

> --
> Any statement of the form "X is the one, true Y" is FALSE.
> PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4
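An added illustration of Brooks's point about dynamic RPC ports (example code written for this page, not from either poster or from the FreeBSD project): a small Python check that parses the table printed by `rpcinfo -p`, the usual way to list what the portmapper has registered, and compares it with the set of destination ports dropped at the firewall. The two `rpcinfo -p` dumps are constructed to look like two boots of the same host; the RPC program numbers are the well-known assignments, but every port other than 111 and 2049 is made up for the example.

```python
"""Compare port-based firewall rules with the RPC endpoints the portmapper
currently advertises, to show why rules keyed to dynamic ports go stale."""
import re
from typing import Dict, List, NamedTuple, Set


class RpcEndpoint(NamedTuple):
    program: int
    version: int
    proto: str
    port: int
    service: str


# Constructed `rpcinfo -p` output for two boots of the same host.  Program
# numbers are the well-known RPC assignments (100000 portmapper, 100024
# status, 100021 nlockmgr, 100003 nfs, 100005 mountd); the ports other than
# 111 and 2049 are invented for the example.
RPCINFO_BOOT_1 = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1011  status
    100024    1   tcp   1022  status
    100021    1   udp   1023  nlockmgr
    100003    2   udp   2049  nfs
    100005    1   udp    816  mountd
"""

# After a reboot: status has moved, and the port it used to hold (1011) is
# now occupied by a different service.
RPCINFO_BOOT_2 = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100021    1   udp   1011  nlockmgr
    100024    1   udp   1016  status
    100024    1   tcp   1025  status
    100003    2   udp   2049  nfs
    100005    1   udp    821  mountd
"""

# program, version, proto, port, service; the header line does not match.
_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")


def parse_rpcinfo(text: str) -> List[RpcEndpoint]:
    """Parse the table printed by `rpcinfo -p`, skipping non-matching lines."""
    endpoints = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            endpoints.append(RpcEndpoint(int(m.group(1)), int(m.group(2)),
                                         m.group(3), int(m.group(4)), m.group(5)))
    return endpoints


def audit_rules(blocked_ports: Set[int], rpcinfo_text: str) -> Dict[str, Set]:
    """Report how a set of dropped destination ports lines up with the
    currently registered RPC endpoints.

    blocked -- services all of whose endpoints sit on a blocked port
    exposed -- services with at least one endpoint on an unblocked port
    stale   -- blocked ports that no registered RPC endpoint uses any more
    """
    endpoints = parse_rpcinfo(rpcinfo_text)
    ports_by_service: Dict[str, Set[int]] = {}
    for ep in endpoints:
        ports_by_service.setdefault(ep.service, set()).add(ep.port)
    blocked = {s for s, ports in ports_by_service.items() if ports <= blocked_ports}
    exposed = set(ports_by_service) - blocked
    in_use = {ep.port for ep in endpoints}
    return {"blocked": blocked, "exposed": exposed, "stale": blocked_ports - in_use}


if __name__ == "__main__":
    rules = {111, 1011, 1022}  # the three ports blocked in the thread
    for label, dump in (("boot 1", RPCINFO_BOOT_1), ("boot 2", RPCINFO_BOOT_2)):
        report = audit_rules(rules, dump)
        print(f"{label}: blocked={sorted(report['blocked'])} "
              f"exposed={sorted(report['exposed'])} stale={sorted(report['stale'])}")
```

Run against the first dump, the rule set covers portmapper and status as intended; against the second, the same rules still cover portmapper, but the two status ports now hit nothing or a different service, and status is reachable again. Re-running this after a reboot is the kind of check that tells you whether rules keyed to dynamic ports still match anything, which is the caveat raised above; only the portmapper rule on 111 is stable across boots.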