Re: port 16001 and 111
On Sat, 2002-10-26 at 22:19, Jussi Ekholm wrote:
> Olaf Dietsche <olaf.dietsche#list.debian-security@t-online.de> wrote:
> > Jussi Ekholm <ekhowl@goa-head.org> writes:
> >> rpcinfo: can't contact portmapper: RPC: Remote system error \
> >> - Connection refused
> > This means portmap isn't running. Connection refused means nothing
> > listens on port 111. So, whatever is trying to contact port 111,
> > there's no reason to be concerned.
>
> That's good to hear, thanks.
One way to find out what is trying to connect to the portmapper is to
leave portmap running and don't firewall it for requests coming from
localhost. Then use rpcinfo -p to see what programs do register
themselves to the portmapper. When only portmapper has registered then
you'll get something like:
bartjan@trillian:~$ rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
But when you have a nis/nfs system then you'll see a lot more:
bartjan@trillian:~$ rpcinfo -p spiderwebs
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    743  status
    100024    1   tcp    753  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp  59043  nlockmgr
    100021    3   udp  59043  nlockmgr
    100021    4   udp  59043  nlockmgr
    100005    1   udp    834  mountd
    100005    1   tcp    850  mountd
    100005    2   udp    834  mountd
    100005    2   tcp    850  mountd
    100005    3   udp    834  mountd
    100005    3   tcp    850  mountd
    100011    1   udp    870  rquotad
    100011    2   udp    870  rquotad
    100011    1   tcp    873  rquotad
    100011    2   tcp    873  rquotad
    100004    2   udp    948  ypserv
 600100069    1   udp    953
    100004    1   udp    948  ypserv
    100009    1   udp    950  yppasswdd
 600100069    1   tcp    955
    100004    2   tcp    952  ypserv
    100004    1   tcp    952  ypserv
    100007    2   udp    962  ypbind
    100007    1   udp    962  ypbind
    100007    2   tcp    965  ypbind
    100007    1   tcp    965  ypbind
 545580417    1   udp   1012  ugidd
If you have some of the above processes running on your system, or other
processes with names starting with rpc. then they are likely responsible
for your port 111 connection attempts.
Proper Debian packages that use rpc should depend on the portmapper
package, so you could try to 'apt-get -s remove portmap' and see what
packages turn up.
> > This could be valid requests from programs trying to contact NIS
> > before DNS, however. Look at /etc/nsswitch.conf, whether NIS is
> > mentioned.
>
> Yes, NIS is mentioned:
>
> $ grep -i nis /etc/nsswitch.conf
> netgroup: nis
netgroup is only useful when you have/use nis, on other systems this
line is ignored. Netgroup is a nice way to group a number of hosts
and/or users together. You can then use it for example to export a
certain NFS filesystem to the netgroup @workstations. Just leave that
line as it is now.
--
Tot ziens,
Bart-Jan Vrielink
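
The checks described in the message above, as an added example that is not part of the original post: a script that condenses rpcinfo -p output to one line per registered program other than the portmapper, and lists the nsswitch.conf databases that mention nis. The function names and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example: summarise `rpcinfo -p` output and nsswitch.conf NIS usage.

# One line per registered RPC program other than the portmapper (100000):
#   <program number> <name or (unnamed)> <proto/port> ...
rpc_summary() {
    awk '
        $1 !~ /^[0-9]+$/ { next }        # header or blank line
        $1 == 100000     { next }        # the portmapper itself
        {
            prog = $1
            if (!(prog in name)) {
                name[prog] = (NF >= 5) ? $5 : "(unnamed)"
                order[++n] = prog
            }
            ep = $3 "/" $4               # e.g. udp/2049
            if (index(" " eps[prog] " ", " " ep " ") == 0)
                eps[prog] = (eps[prog] == "" ? ep : eps[prog] " " ep)
        }
        END {
            for (i = 1; i <= n; i++)
                print order[i], name[order[i]], eps[order[i]]
        }'
}

# Print the nsswitch.conf databases whose source list mentions nis.
nis_databases() {
    awk -F: '
        /^[ \t]*#/ { next }              # comment line
        $2 ~ /(^|[ \t])nis([ \t]|$)/ { gsub(/[ \t]/, "", $1); print $1 }'
}

# Constructed sample input, in the format rpcinfo -p prints.
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    743  status
    100024    1   tcp    753  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
 600100069    1   udp    953
EOF
}

sample_rpcinfo | rpc_summary
# On a live system: rpcinfo -p | rpc_summary; nis_databases < /etc/nsswitch.conf
```

Programs reported as (unnamed) are registrations rpcinfo could not map to a name, like 600100069 in the listing above, and are worth tracing to the owning process.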