Re: [Q] what do these portmap log entries mean?
Nate Amsden <aphro@aphroland.org> writes:
> Olaf Meeuwissen wrote:
> > Aug 24 12:38:01 bilbo portmap[27641]: connect from 172.16.x.y to callit(390109): request from unauthorized host
> > Aug 24 12:38:04 bilbo portmap[27641]: connect from 172.16.x.y to callit(390109): request from unauthorized host
>
> looks suspicious..
>
>
> > Aug 24 12:43:34 bilbo portmap[27659]: connect from 172.16.a.b to getport(300598): request from unauthorized host
> >
> > I've implemented a default deny-all policy in /etc/hosts.deny with
> >
> > ALL : ALL
>
> Are you running portmap from inetd? Or anything that uses tcp_wrappers?
> In every configuration I've seen this is not the case, so hosts.deny and
> hosts.allow don't do anything in terms of protecting portmapper.
No, but `man portmap` says it "is protected by the tcp_wrapper
library", so hosts.deny should have effect. From another system I
know I had to set "portmap : some_host" to get NFS mounts to work.
> > My /etc/hosts.allow effectively reads
> >
> > nmbd smbd : 172.16.
> OK. Also, are nmbd and smbd launched from inetd? Usually they are
> launched as daemons; if this is the case hosts.allow would have no impact
> on them.
Not anymore (see my post "Samba via inetd, not a good idea?"). These
settings are now in smb.conf and I run both as daemons.
> > From the log messages I assume that the portmap connect attempts fail
> > (as per policy), but what do these connect attempts mean? Is someone
> > trying to crack my server or something? I did challenge our network
> > admin ...
>
> It is possible. Where portmapper or any RPC services are concerned I am
> paranoid about them (got cracked by them once 2 years ago); I always
> completely turn them off (yes, that means not being able to have quotas)
> OR at least firewall them completely so nobody on the outside can access
> them. If you are concerned about people breaking into your system I
> highly recommend installing nmap and port scanning yourself; portmapper
> and RPC services don't have a pretty security history on Linux.
My latest port scan (nmap running through all -s options) results show

  Port  State  Proto  Service
     9  open   tcp    discard
    13  open   tcp    daytime
    25  open   tcp    smtp
    37  open   tcp    time
   111  open   tcp    sunrpc
   139  open   tcp    netbios-ssn
     9  open   udp    discard
   111  open   udp    sunrpc
   137  open   udp    netbios-ns
   138  open   udp    netbios-dgm
And I'm behind a firewall, though my machine is not firewalled itself,
not yet at least.
--
Olaf Meeuwissen Epson Kowa Corporation, Research and Development
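What the quoted portmap lines record, and how the hosts.allow/hosts.deny rules discussed in the thread are evaluated, as an added example that is not part of any post above. The procedure name in each line is the portmapper procedure the caller asked for (RFC 1833 PMAPPROC_*): callit asks portmap to relay a call to another RPC program on the caller's behalf, which is what a broadcast `rpcinfo -b` and most RPC scanners use, and getport asks which port a program listens on; the number in parentheses is the RPC program number requested. The script below parses such lines, summarizes them per source address, and applies a simplified model of the tcp_wrappers decision (hosts.allow first match grants, hosts.deny first match denies, no match grants). Assumptions: the sample log lines are constructed with made-up addresses in the shape of the ones quoted; KNOWN_PROGRAMS is a deliberately partial table and the two program numbers from the thread are reported as unknown rather than guessed; the wrappers model only handles ALL, exact IPs and trailing-dot network prefixes, not hostnames, EXCEPT lists, netmasks or rule options.

```python
import re
from collections import defaultdict

# Procedure names portmap prints in its tcp_wrappers log line, with the
# PMAPPROC_* numbers from RFC 1833.  callit asks portmap to relay a call to
# another RPC program on the caller's behalf; getport asks which port a
# program listens on.
PMAP_PROCS = {"null": 0, "set": 1, "unset": 2, "getport": 3, "dump": 4, "callit": 5}

# A handful of well-known RPC program numbers.  Anything not listed here is
# reported as "unknown" rather than guessed at.
KNOWN_PROGRAMS = {
    100000: "portmapper", 100003: "nfs", 100005: "mountd", 100011: "rquotad",
    100021: "nlockmgr", 100024: "status",
}

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) portmap\[(?P<pid>\d+)\]: "
    r"connect from (?P<src>\S+) to (?P<proc>\w+)\((?P<prog>\d+)\)"
    r"(?:: (?P<result>.*))?$"
)

# Constructed sample lines in the same shape as the ones quoted in the thread;
# the addresses are made up, not the poster's.  The last line has no
# "unauthorized host" suffix, i.e. a request the wrappers let through.
SAMPLE_LOG = [
    "Aug 24 12:38:01 bilbo portmap[27641]: connect from 172.16.1.10 to callit(390109): request from unauthorized host",
    "Aug 24 12:38:04 bilbo portmap[27641]: connect from 172.16.1.10 to callit(390109): request from unauthorized host",
    "Aug 24 12:43:34 bilbo portmap[27659]: connect from 172.16.2.20 to getport(300598): request from unauthorized host",
    "Aug 24 12:50:00 bilbo portmap[27660]: connect from 172.16.3.30 to getport(100003)",
]


def parse_portmap_line(line):
    """Return a dict for a portmap wrapper log line, or None if it is not one."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    prog = int(m.group("prog"))
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "proc": m.group("proc"),
        "proc_num": PMAP_PROCS.get(m.group("proc")),
        "prog": prog,
        "prog_name": KNOWN_PROGRAMS.get(prog, "unknown"),
        "denied": m.group("result") == "request from unauthorized host",
    }


def summarize(lines):
    """Per source address: requests seen, how many were denied, how many used
    callit (the relay procedure), and which program numbers were asked for."""
    per_src = defaultdict(lambda: {"total": 0, "denied": 0, "callit": 0, "programs": set()})
    for line in lines:
        rec = parse_portmap_line(line)
        if rec is None:
            continue
        s = per_src[rec["src"]]
        s["total"] += 1
        s["denied"] += rec["denied"]
        s["callit"] += rec["proc"] == "callit"
        s["programs"].add(rec["prog"])
    return dict(per_src)


# --- simplified tcp_wrappers decision (assumption: ALL, exact IPs and
# trailing-dot prefixes such as "172.16." only) ------------------------------

def _client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return pattern == ip


def _rule_matches(rule, daemon, ip):
    daemons, _, clients = rule.partition(":")
    return (any(d == "ALL" or d == daemon for d in daemons.split())
            and any(_client_matches(c, ip) for c in clients.split()))


def wrappers_allows(daemon, ip, hosts_allow, hosts_deny):
    """hosts.allow: first match grants; hosts.deny: first match denies;
    no match in either file means access is granted."""
    if any(_rule_matches(r, daemon, ip) for r in hosts_allow):
        return True
    if any(_rule_matches(r, daemon, ip) for r in hosts_deny):
        return False
    return True


if __name__ == "__main__":
    for src, s in summarize(SAMPLE_LOG).items():
        print(f"{src}: {s['denied']}/{s['total']} denied, {s['callit']} callit, programs {sorted(s['programs'])}")
    allow, deny = ["nmbd smbd : 172.16."], ["ALL : ALL"]
    print("portmap from 172.16.1.10, only nmbd/smbd allowed:", wrappers_allows("portmap", "172.16.1.10", allow, deny))
    print("same after adding 'portmap : 172.16.':", wrappers_allows("portmap", "172.16.1.10", allow + ["portmap : 172.16."], deny))
```

The wrappers model reproduces the behaviour described in the thread: with only `nmbd smbd : 172.16.` in hosts.allow and `ALL : ALL` in hosts.deny, a portmap request from the 172.16 network is denied and logged as "request from unauthorized host", and adding a `portmap : 172.16.` line is what lets NFS clients on that network reach the portmapper again.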