On Thu Nov 30 2000 at 01:09, Svante Signell wrote:

> Is this an attack? Successful?
> Version: portmap-4.0-28
> 
> Nov 30 00:47:05 em2 portmap[16190]: connect from 202.8.227.42 to dump(): request from unauthorized host

Don't panic.  Probably (highly likely) a tcp_wrappers thing.
Someone obviously wanted to do something like this to see what rpc
services you are running:

        rpcinfo -p em2

So yes, it is an "attack" or probe on port 111 if you are not
allowing that host/network to access it.

Otherwise it is a mis-configuration if that IP is one of your own
or one that you want to allow.

Check that you have something like this in /etc/hosts.allow ...

portmap: 127.0.0.1 \
        192.168.1.0/255.255.255.0 \
        202.8.227.0/255.255.255.0

and then in /etc/hosts.deny ...

portmap: ALL

or something similar.  I sometimes use /etc/hosts.deny to send me
mail notifications with some denies, or have it logged into a file
somewhere.  See below for an example of this.

Note that tcp_wrappers does NOT work with portmap when host/domain
names are used -- raw IP addresses MUST be used with it.

(Wrapping portmap effectively wraps - SHOULD wrap - access to all
RPC-based daemons, such as nfs, yp and so on).

BTW, with mountd, NFS access will not be mounted unless it can
resolve the client IP address to a valid hostname via DNS or
/etc/hosts.

        (This is the way things _used_ to work, and I assume that it
        is still like this with rh7 as well.  If not, I'd like to be
        corrected... :)

Cheers
Tony
 -=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
  Tony Nugent <[EMAIL PROTECTED]>    Systems Administrator, RHCE
  GrowZone OnLine   -   regional internet services for Southern Qld
  POBox 475 Toowoomba Queensland Australia 4350    Ph: 07 4637 8322
 -=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-

# /etc/hosts.deny
# example only
# This will, by default, generate an email for every refused request.
# BEWARE the danger in this.... it _could_ become a "DoS" problem if
# many denials are being issued, and it can mercilessly choke your
# mailbox.
# Note that xinetd can be optionally configured to use tcp_wrappers
# "globally" or per-daemon, and also has its own (very
# comprehensive) access control mechanisms.
#
# /etc/hosts.deny
ALL: ALL : \
        spawn ( \
/bin/echo -e "\n\
TCP Wrappers\:  Connection Refused\n\
By\:            $(uname -n)\n\
Process\:       %d (pid %p)\n\
User\:          %u\n\
Host\:          %c\n\
Date\:          $(date)\n\
"| /bin/mail -s "Wrappers@$(uname -n)\: %d refused for %c" root ) &



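Added example (not part of the original message, and not tcp_wrappers code): a small Python check for the point made above that portmap rules must list raw IP addresses, plus a check that hosts.deny carries a catch-all. It assumes the hosts.allow/hosts.deny syntax shown in the message; the sample file contents and the hostname nfsclient.example.com are constructed.

```python
import ipaddress
import re

# Constructed sample input: a portmap rule with one hostname entry.
SAMPLE_ALLOW = """\
# /etc/hosts.allow
portmap: 127.0.0.1 \\
        192.168.1.0/255.255.255.0 \\
        nfsclient.example.com
sshd: ALL
"""
SAMPLE_DENY = "portmap: ALL\n"

def tokens(field):
    """Split a daemon or client list on whitespace and commas."""
    return [t for t in re.split(r"[\s,]+", field.strip()) if t]

def rules(text):
    """Yield (daemons, clients) per rule, joining backslash-continued lines."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":", 2)[:2]  # third field = options
        yield tokens(daemons), tokens(clients)

def is_numeric(token):
    """True for an address, a net/mask pair, or a prefix such as '192.168.'."""
    if re.fullmatch(r"(\d{1,3}\.){1,3}", token):
        return True
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False

def lint_portmap(allow_text, deny_text):
    """Return (name-based tokens in portmap allow rules, catch-all deny present)."""
    # Assumption: only ALL and EXCEPT are treated as safe non-address tokens;
    # LOCAL, KNOWN, UNKNOWN and PARANOID depend on name lookups, so they are flagged.
    bad = [c for d, cl in rules(allow_text) if "portmap" in d
           for c in cl if c not in ("ALL", "EXCEPT") and not is_numeric(c)]
    deny_all = any(("portmap" in d or "ALL" in d) and "ALL" in cl
                   for d, cl in rules(deny_text))
    return bad, deny_all

if __name__ == "__main__":
    print(lint_portmap(SAMPLE_ALLOW, SAMPLE_DENY))
```

To check a real host, pass the contents of /etc/hosts.allow and /etc/hosts.deny to lint_portmap() instead of the samples.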