Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 16 Feb 2001 17:12:03 +0200
From:      Peter Pentchev <roam@orbitel.bg>
To:        Cliff Sarginson <cliff@raggedclown.net>
Cc:        Artem Koutchine <matrix@ipform.ru>, questions@FreeBSD.ORG, security@FreeBSD.ORG
Subject:   Re: Efficiency [Was: Re: rpc.statd attack]
Message-ID:  <20010216171203.G474@ringworld.oblivion.bg>
In-Reply-To: <E14TmQC-0006Ip-00@post.mail.nl.demon.net>; from cliff@raggedclown.net on Fri, Feb 16, 2001 at 03:03:44PM %2B0000
References:  <E14TmQC-0006Ip-00@post.mail.nl.demon.net>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Fri, Feb 16, 2001 at 03:03:44PM +0000, Cliff Sarginson wrote:
> > On Fri, Feb 16, 2001 at 04:24:07PM +0200, Peter Pentchev wrote:
> > > On Fri, Feb 16, 2001 at 05:16:47PM +0300, Artem Koutchine wrote:
> > > > Hi!
> > > > 
> > > > I am regulary getting this:
> > > > 
> > > [snip (unsuccessful, useless against fbsd) attack log]
> > > > 
> > > > What port should i close or log to detect the connection? I am sure
> > > > this is a script
> > > > kiddie, so no IP spoffing or anything tricky is envolved. I'd like log
> > > > it with ipfw and
> > > > kick that junkie butt. So, what port is it or as always with RPC it is
> > > > a tricky business?
> > > 
> > > If you consider rpcinfo -p | egrep -e 'udp.*status$' | awk '{print $4}'
> > > to be a tricky business, then yes, it is a tricky business ;)
> > 
> > Well, as people pointed out, I'm not awake yet :)
> > 
> > rpcinfo -p | awk '($3 == "udp") && ($5 == "status") {print $4 }'
> > 
> > ...works just as well, or even better, with less false alarms and more
> > efficiency :)
> >
> As you can see makes all the difference :)
> But this is under Solaris ...
>  
> $ time rpcinfo -p | egrep -e 'udp.*status$' | awk '{print $4}'                         
> 32790
> 
> real    0m0.12s
> user    0m0.04s
> sys     0m0.07s
>   
> $ time rpcinfo -p | awk '($3 == "udp") && ($5 == "status") {print $4 }'
> 32790
> 
> real    0m0.11s
> user    0m0.05s
> sys     0m0.04s

Well, I still think it might be more efficient, at least in terms of
memory usage and forking.  But even without the efficiency argument,
it *is* cleaner :)

G'luck,
Peter

-- 
.siht ekil ti gnidaer eb d'uoy ,werbeH ni erew ecnetnes siht fI


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010216171203.G474>