From owner-freebsd-stable Thu Oct 12 12:47:48 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id DBEA637B503 for ; Thu, 12 Oct 2000 12:47:43 -0700 (PDT)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Thu, 12 Oct 2000 12:46:25 -0700
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id e9CJlTA21891; Thu, 12 Oct 2000 12:47:29 -0700 (PDT) (envelope-from cjc)
Date: Thu, 12 Oct 2000 12:47:28 -0700
From: "Crist J . Clark"
To: Roman Shterenzon
Cc: freebsd-stable@freebsd.org
Subject: Re: rpc.statd
Message-ID: <20001012124728.B21767@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <20001012003222.N25121@149.211.6.64.reflexcom.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from roman@xpert.com on Thu, Oct 12, 2000 at 10:02:41AM +0200
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, Oct 12, 2000 at 10:02:41AM +0200, Roman Shterenzon wrote:
> On Thu, 12 Oct 2000, Crist J . Clark wrote:
>
> > > ..oh ..that's a strange hostname.
> > >
> > > Which exploit is it that the attacker tries to use? I guess I'm not
> > > vulnerable cause I'm still around ;)
> >
> > Most likely someone tried a Linux exploit on you,
> >
> > http://www.securityfocus.com/vdb/bottom.html?vid=1480
> >
> > > Also, where can I find the ip of the attacker? Is it logged?
> >
> > Not 100% on this, but I think that is only logged if you used the '-d'
> > option. See rpc.statd(8).
>
> Which makes me think...
> How does one protect rpc services other than having a default-deny policy on
> the outer interface? And if it's the only interface?
> Of course it's possible to filter port 111 (or use /etc/hosts.allow), but
> the attacker can contact the rpc.statd directly.
> Is it possible to force some rpc service to some port so it can be
> filtered?

You have just explained why default-deny and only explicitly allowing
specific services is always the safest way.

That said, I don't have rpc.statd running anywhere right now, but looking
at a bunch of Solaris boxes with NFS exports, it seems to like to move
around a lot and I see no documented method on any system to make it
choose specific TCP and UDP ports.
--
Crist J. Clark                                cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
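The point made in the thread, that filtering port 111 (or relying on /etc/hosts.allow) leaves the dynamically assigned ports of rpc.statd and friends reachable, while a default-deny filter with explicit allows does not, can be checked mechanically against what the portmapper is currently advertising. The script below is an added example for this page, not code from the thread, from FreeBSD or from any rpc.statd implementation. It parses text in the column layout of `rpcinfo -p` (the sample table and every port number other than 111 in it are constructed, standing in for whatever the daemons happened to bind at boot), then reports which RPC services an outside host can still reach under a block-only-111 rule versus a default-deny rule, and lists the endpoints an administrator would otherwise have to chase after every reboot. The policy names `default-deny` and `default-allow` and the `(proto, port)` allow/deny sets are this example's own abstraction of a packet filter, not any firewall's syntax.

```python
import re
from typing import List, NamedTuple, Set, Tuple


class RpcBinding(NamedTuple):
    program: int
    version: int
    proto: str
    port: int
    service: str


# Constructed sample modelled on the column layout of `rpcinfo -p`. The
# program numbers are the standard ones; the non-111 port numbers are made
# up, which is exactly the problem: they differ from boot to boot.
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1016  status
    100024    1   tcp   1018  status
    100005    1   udp   1023  mountd
    100003    2   udp   2049  nfs
"""

_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")

Endpoint = Tuple[str, int]  # (proto, port)


def parse_rpcinfo(text: str) -> List[RpcBinding]:
    """Turn `rpcinfo -p` style text into bindings; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            prog, vers, proto, port, svc = m.groups()
            rows.append(RpcBinding(int(prog), int(vers), proto, int(port), svc))
    return rows


def reachable(bindings, policy, allow=frozenset(), deny=frozenset()) -> Set[RpcBinding]:
    """Bindings an outside host can still reach under a (hypothetical) filter policy.

    policy == "default-deny":  only endpoints listed in `allow` pass.
    policy == "default-allow": everything passes except endpoints in `deny`.
    """
    if policy not in ("default-deny", "default-allow"):
        raise ValueError(f"unknown policy {policy!r}")
    result = set()
    for b in bindings:
        ep = (b.proto, b.port)
        passes = ep in allow if policy == "default-deny" else ep not in deny
        if passes:
            result.add(b)
    return result


def exposed_services(bindings, policy, allow=frozenset(), deny=frozenset()) -> List[str]:
    """Sorted, de-duplicated names of services still reachable from outside."""
    return sorted({b.service for b in reachable(bindings, policy, allow, deny)})


def dynamic_endpoints(bindings) -> List[Endpoint]:
    """Every endpoint other than the portmapper itself: what a block-111-only rule leaves open."""
    return sorted({(b.proto, b.port) for b in bindings if b.port != 111})


if __name__ == "__main__":
    bindings = parse_rpcinfo(SAMPLE_RPCINFO)
    portmapper = frozenset({("tcp", 111), ("udp", 111)})
    # Filtering only 111 hides the directory but not the daemons behind it.
    print("block only 111      ->", exposed_services(bindings, "default-allow", deny=portmapper))
    # Default-deny with one explicit allow exposes exactly what was intended.
    print("default-deny + nfs  ->", exposed_services(bindings, "default-deny", allow={("udp", 2049)}))
    print("ports you'd chase   ->", dynamic_endpoints(bindings))
```

On a live host the sample text would be replaced by the actual output of `rpcinfo -p`, and the script can be re-run after each reboot to confirm that the status daemon's ports have moved, which is the observation in the reply above. The useful comparison is the two `exposed_services` calls: with default-allow and only 111 blocked, status, mountd and nfs all remain reachable by a client that already knows (or guesses) their ports; with default-deny and a single allow, only the intended service is.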