[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: port 16001 and 111

On Sat, 2002-10-26 at 22:19, Jussi Ekholm wrote:
> Olaf Dietsche <olaf.dietsche#list.debian-security@t-online.de> wrote:
> > Jussi Ekholm <ekhowl@goa-head.org> writes:

> >> 	rpcinfo: can't contact portmapper: RPC: Remote system error \
> >> 	  - Connection refused

> > This means portmap isn't running. Connection refused means nothing
> > listens on port 111. So, whatever is trying to contact port 111,
> > there's no reason to be concerned.
> 
> That's good to hear, thanks.

One way to find out what is trying to connect to the portmapper is to
leave portmap running and don't firewall it for request coming from
localhost. Then use rpcinfo -p to see what programs do register
themselves to the portmapper. When only portmapper has registered then
you'll get something like:
bartjan@trillian:~$ rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper

But when you have a nis/nfs system then you'll see a lot more:
bartjan@trillian:~$ rpcinfo -p spiderwebs
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    743  status
    100024    1   tcp    753  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp  59043  nlockmgr
    100021    3   udp  59043  nlockmgr
    100021    4   udp  59043  nlockmgr
    100005    1   udp    834  mountd
    100005    1   tcp    850  mountd
    100005    2   udp    834  mountd
    100005    2   tcp    850  mountd
    100005    3   udp    834  mountd
    100005    3   tcp    850  mountd
    100011    1   udp    870  rquotad
    100011    2   udp    870  rquotad
    100011    1   tcp    873  rquotad
    100011    2   tcp    873  rquotad
    100004    2   udp    948  ypserv
 600100069    1   udp    953
    100004    1   udp    948  ypserv
    100009    1   udp    950  yppasswdd
 600100069    1   tcp    955
    100004    2   tcp    952  ypserv
    100004    1   tcp    952  ypserv
    100007    2   udp    962  ypbind
    100007    1   udp    962  ypbind
    100007    2   tcp    965  ypbind
    100007    1   tcp    965  ypbind
 545580417    1   udp   1012  ugidd

If you have some of the above processes running on your system, or other
processes with names starting with rpc. then they are likely responsible
for your port 111 connection attempts.
Proper debian packages that use rpc should depend on the portmapper
package, so you could try to 'apt-get -s remove portmap' and see what
packages turn up.

> > This could be valid requests from programs trying to contact NIS
> > before DNS, however. Look at /etc/nsswitch.conf, wether NIS is
> > mentioned.
> 
> Yes, NIS is mentioned:
> 
> 	$ grep -i nis /etc/nsswitch.conf
> 	netgroup:       nis

netgroup is only useful when you have/use nis, on other systems this
line is ignored. Netgroup is a nice way to group a number of hosts
and/or users together. You can then use it for example to export a
certain NFS filesystem to the netgroup @workstations. Just leave that
line as it is now.

-- 
Tot ziens,
Bart-Jan Vrielink
Reply to: