[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: rpc.statd



On Mon, Apr 09, 2001 at 12:23:06AM +0200, andrea@debian.org wrote:
> On Mon, Apr 09, 2001 at 12:18:50AM +0200, Sander Smeenk (CistroN Medewerker) wrote:
> > > 
> > > > I saw this in my logs today.
> > > > 
> > > > Apr  8 15:08:43 mikado rpc.statd[179]: gethostbyname error for
> > > > It looks like statd is still running. Is rpc still vulnerable? 
> > > > Is there a way to track down who connected to rpc.statd?
> 
> 
> Maybe if the rcp.statd is not dedicated to the whole internet you
> can use ipchains/iptables to filter the access and logging the
> attempt of connection (with the -l flag).

easier said then done, statd allocates a random (usually privileged)
port and registers it with the portmapper.  blocking it with ipchains
is a pain.  about the only way you can do it is to use a script that
parses the output of rpcinfo -p localhost to find statd's current port
and make a rule for it.  that of course breaks as soon as nfs-common
gets restarted.

either that or block all privileged ports, which is usually not hard
to do.  some rpc services register on non-privileged ports and they
are much harder to block unless you don't mind breaking all kinds of
stuff.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/

Attachment: pgpJNRISsQKrJ.pgp
Description: PGP signature


Reply to: