From owner-freebsd-security Fri Feb 16 7: 3:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from post.mail.nl.demon.net (post-10.mail.nl.demon.net [194.159.73.20]) by hub.freebsd.org (Postfix) with ESMTP id D667137B401; Fri, 16 Feb 2001 07:03:46 -0800 (PST) Received: from [195.11.243.26] (helo=Debug) by post.mail.nl.demon.net with smtp (Exim 3.14 #2) id 14TmQC-0006Ip-00; Fri, 16 Feb 2001 15:03:44 +0000 To: Peter Pentchev , Artem Koutchine , questions@FreeBSD.ORG, security@FreeBSD.ORG From: Cliff Sarginson Subject: Efficiency [Was: Re: rpc.statd attack] Date: Fri, 16 Feb 2001 15:03:44 GMT X-Mailer: www.webmail.nl.demon.net X-Sender: postmaster@btvs.demon.nl X-Originating-IP: 192.250.25.251 Message-Id: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > On Fri, Feb 16, 2001 at 04:24:07PM +0200, Peter Pentchev wrote: > > On Fri, Feb 16, 2001 at 05:16:47PM +0300, Artem Koutchine wrote: > > > Hi! > > > > > > I am regulary getting this: > > > > > [snip (unsuccessful, useless against fbsd) attack log] > > > > > > What port should i close or log to detect the connection? I am sure > > > this is a script > > > kiddie, so no IP spoffing or anything tricky is envolved. I'd like log > > > it with ipfw and > > > kick that junkie butt. So, what port is it or as always with RPC it is > > > a tricky business? > > > > If you consider rpcinfo -p | egrep -e 'udp.*status$' | awk '{print $4}' > > to be a tricky business, then yes, it is a tricky business ;) > > Well, as people pointed out, I'm not awake yet :) > > rpcinfo -p | awk '($3 == "udp") && ($5 == "status") {print $4 }' > > ...works just as well, or even better, with less false alarms and more > efficiency :) > As you can see makes all the difference :) But this is under Solaris ... $ time rpcinfo -p | egrep -e 'udp.*status$' | awk '{print $4}' 32790 real 0m0.12s user 0m0.04s sys 0m0.07s $ time rpcinfo -p | awk '($3 == "udp") && ($5 == "status") {print $4 }' 32790 real 0m0.11s user 0m0.05s sys 0m0.04s Cliff To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message