
Re: [Q] what do these portmap log entries mean?



Olaf Meeuwissen wrote:
>   Aug 24 12:38:01 bilbo portmap[27641]: connect from 172.16.x.y to callit(390109): request from unauthorized host
>   Aug 24 12:38:04 bilbo portmap[27641]: connect from 172.16.x.y to callit(390109): request from unauthorized host

Looks suspicious...


>   Aug 24 12:43:34 bilbo portmap[27659]: connect from 172.16.a.b to getport(300598): request from unauthorized host
> 
> I've implemented a default deny-all policy in /etc/hosts.deny with
> 
>   ALL : ALL

Are you running portmap from inetd, or anything that uses tcp_wrappers?
In every configuration I've seen this is not the case, so hosts.deny and
hosts.allow don't do anything in terms of protecting portmapper.

> 
> My /etc/hosts.allow effectively reads
> 
>   nmbd smbd : 172.16.
OK, also: are nmbd and smbd launched from inetd? Usually they are
launched as daemons; if this is the case hosts.allow would have no impact
on them.


> From the log messages I assume that the portmap connect attempts fail
> (as per policy), but what do these connect attempts mean?  Is someone
> trying to crack my server or something?  I did challenge our network
> admin ...

It is possible. Where portmapper or any RPC services are concerned I am
paranoid about them (got cracked by them once, 2 years ago); I always
completely turn them off (yes, that means not being able to have quotas)
OR at least firewall them completely so nobody on the outside can access
them. If you are concerned about people breaking into your system I
highly recommend installing nmap and port scanning yourself; portmapper
and RPC services don't have a pretty security history on Linux.

nate

-- 
:::
ICQ: 75132336
http://www.aphroland.org/
http://www.linuxpowered.net/
aphro@aphroland.org
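As an added example (not part of the original thread), a small Python script that parses portmap denial lines of the exact shape quoted above and tallies them by source address and by portmap procedure/RPC program number, so repeated probes stand out in a busy syslog. The sample log is constructed from the three quoted lines plus one unrelated line; the `callit` procedure tallied separately is portmap's proxy-call procedure, which asks the portmapper to forward a request on the caller's behalf.

```python
import re
from collections import Counter

# Regex for the denial lines portmap writes to syslog, in the shape quoted in the thread:
#   <Mon DD HH:MM:SS> <host> portmap[<pid>]: connect from <src> to <proc>(<prog>): request from unauthorized host
PORTMAP_DENY = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"portmap\[(?P<pid>\d+)\]: connect from (?P<src>\S+) to "
    r"(?P<proc>\w+)\((?P<prog>\d+)\): request from unauthorized host$"
)

def parse_portmap_denials(lines):
    """Return one dict per line that is a portmap denial; other syslog lines are skipped."""
    events = []
    for line in lines:
        m = PORTMAP_DENY.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["pid"] = int(ev["pid"])
            ev["prog"] = int(ev["prog"])
            events.append(ev)
    return events

def summarize(events):
    """Tally denials by source address and by (portmap procedure, RPC program number)."""
    by_src = Counter(ev["src"] for ev in events)
    by_call = Counter((ev["proc"], ev["prog"]) for ev in events)
    return by_src, by_call

def repeat_offenders(by_src, threshold=2):
    """Sources refused at least `threshold` times, busiest first."""
    return [src for src, n in by_src.most_common() if n >= threshold]

# Constructed sample: the three lines quoted in the thread plus one unrelated sshd line.
SAMPLE_LOG = [
    "Aug 24 12:38:01 bilbo portmap[27641]: connect from 172.16.x.y to callit(390109): request from unauthorized host",
    "Aug 24 12:38:04 bilbo portmap[27641]: connect from 172.16.x.y to callit(390109): request from unauthorized host",
    "Aug 24 12:43:34 bilbo portmap[27659]: connect from 172.16.a.b to getport(300598): request from unauthorized host",
    "Aug 24 12:44:10 bilbo sshd[27700]: Accepted password for olaf from 172.16.c.d",  # constructed noise line
]

if __name__ == "__main__":
    by_src, by_call = summarize(parse_portmap_denials(SAMPLE_LOG))
    for (proc, prog), n in by_call.most_common():
        print(f"{n:3d}  {proc}({prog})")
    print("repeat offenders:", repeat_offenders(by_src))
```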


