On Thu Nov 30 2000 at 01:09, Svante Signell wrote:
> Is this an attack? Successful?
> Version: portmap-4.0-28
>
> Nov 30 00:47:05 em2 portmap[16190]: connect from 202.8.227.42 to dump(): request from unauthorized host
Don't panic. Probably (highly likely) a tcp_wrappers thing.
Someone obviously wanted to do something like this to see what rpc
services you are running:

    rpcinfo -p em2

So yes, it is an "attack" or probe on port 111 if you are not
allowing that host/network to access it.
Otherwise it is a mis-configuration if that IP is one of your own
or one that you want to allow.
Check that you have something like this in /etc/hosts.allow ...

    portmap: 127.0.0.1 \
             192.168.1.0/255.255.255.0 \
             202.8.227.0/255.255.255.0

and then in /etc/hosts.deny ...

    portmap: ALL

or something similar. I sometimes use /etc/hosts.deny to send me
mail notifications with some denies, or have it logged into a file
somewhere. See below for an example of this.
Note that tcp_wrappers does NOT work with portmap when host/domain
names are used -- raw IP addresses MUST be used with it.
(Wrapping portmap effectively wraps - SHOULD wrap - access to all
RPC-based daemons, such as nfs, yp and so on).
BTW, with mountd, NFS access will not be mounted unless it can
resolve the client IP address to a valid hostname via DNS or
/etc/hosts.
(This is the way things _used_ to work, and I assume that it
is still like this with rh7 as well. If not, I'd like to be
corrected... :)
Cheers
Tony
-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
Tony Nugent <[EMAIL PROTECTED]> Systems Administrator, RHCE
GrowZone OnLine - regional internet services for Southern Qld
POBox 475 Toowoomba Queensland Australia 4350 Ph: 07 4637 8322
-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
# /etc/hosts.deny
# example only
# This will, by default, generate an email for every refused request.
# BEWARE the danger in this.... it _could_ become a "DoS" problem if
# many denials are being issued, and it can mercilessly choke your
# mailbox.
# Note that xinetd can be optionally configured to use tcp_wrappers
# "globally" or per-daemon, and also has its own (very
# comprehensive) access control mechanisms.
#
# /etc/hosts.deny
ALL: ALL : \
spawn ( \
/bin/echo -e "\n\
TCP Wrappers\: Connection Refused\n\
By\: $(uname -n)\n\
Process\: %d (pid %p)\n\
User\: %u\n\
Host\: %c\n\
Date\: $(date)\n\
"| /bin/mail -s "Wrappers@$(uname -n)\: %d refused for %c" root ) &
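
As an added example (not part of the original post): a small Python check for the caveat above that portmap rules must use raw IP addresses. It returns the client patterns that are not numeric from rules naming portmap explicitly; the sample file, the function names and the set of accepted numeric forms are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample input, not a file from the original post.
SAMPLE_HOSTS_ALLOW = """\
# /etc/hosts.allow (constructed sample)
portmap: 127.0.0.1 \\
    192.168.1.0/255.255.255.0 \\
    nfsclient.example.com
sshd: .example.com
portmap, in.ftpd: 10.0.0. fileserver
"""

KEYWORDS = {"ALL", "EXCEPT"}  # wildcard/operator that need no name lookup

def is_numeric_pattern(tok):
    """True for n.n.n.n, n.n.n.n/m.m.m.m, or a numeric prefix like '10.0.0.'."""
    if re.fullmatch(r"(\d{1,3}\.){1,3}", tok):
        return True
    try:
        for part in tok.split("/", 1):
            ipaddress.IPv4Address(part)
        return True
    except ValueError:
        return False

def portmap_name_patterns(text):
    """Return client patterns in portmap rules that are not raw IP forms."""
    bad = []
    joined = re.sub(r"\\\n", " ", text)  # join backslash-continued lines
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"(?<!\\):", line)  # '\:' is an escaped colon
        if len(fields) < 2:
            continue
        daemons = re.split(r"[,\s]+", fields[0].strip())
        if "portmap" not in daemons:
            continue
        for tok in re.split(r"[,\s]+", fields[1].strip()):
            if tok and tok not in KEYWORDS and not is_numeric_pattern(tok):
                bad.append(tok)
    return bad

if __name__ == "__main__":
    for tok in portmap_name_patterns(SAMPLE_HOSTS_ALLOW):
        print("portmap rule names a host instead of an IP:", tok)
```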