
Re: [Q] what do these portmap log entries mean?



Nate Amsden <aphro@aphroland.org> writes:

> Olaf Meeuwissen wrote:
> >   Aug 24 12:38:01 bilbo portmap[27641]: connect from 172.16.x.y to callit(390109): request from unauthorized host
> >   Aug 24 12:38:04 bilbo portmap[27641]: connect from 172.16.x.y to callit(390109): request from unauthorized host
> 
> looks suspicious..
> 
> 
> >   Aug 24 12:43:34 bilbo portmap[27659]: connect from 172.16.a.b to getport(300598): request from unauthorized host
> > 
> > I've implemented a default deny-all policy in /etc/hosts.deny with
> > 
> >   ALL : ALL
> 
> are you running portmap from inetd ? or anything that uses tcp_wrappers?
> every configuration i've seen this is not the case, so hosts.deny
> hosts.allow don't do anything in terms of protecting portmapper.

No, but `man portmap` says it "is protected by the tcp_wrapper
library", so hosts.deny should have effect.  From another system I
know I had to set "portmap : some_host" to get NFS mounts to work.

> > My /etc/hosts.allow effectively reads
> > 
> >   nmbd smbd : 172.16.
> ok..also is nmbd and smbd launched from inetd ? usually they are
> launched as daemons if this is the case hosts.allow would have no impact
> on them.

Not anymore (see my post "Samba via inetd, not a good idea?").  These
settings are now in smb.conf and I run both as daemons.

> > From the log messages I assume that the portmap connect attempts fail
> > (as per policy), but what do these connect attempts mean?  Is someone
> > trying to crack my server or something?  I did challenge our network
> > admin ...
> 
> it is possible, when portmapper or any rpc services are concerned i am
> paranoid about them (got cracked by them once 2 years ago), i always
> completely turn them off (yes that means not being able to have quotas)
> OR at least firewall them completely so nobody on the outside can access
> them. If you are concerned about people breaking into your system I
> highly recommend installing nmap and port scanning yourself, portmapper
> and rpc services don't have a pretty security history on linux.

My latest port scan (nmap running through all -s options) results show

      9   open   tcp   discard
     13   open   tcp   daytime
     25   open   tcp   smtp
     37   open   tcp   time
    111   open   tcp   sunrpc
    139   open   tcp   netbios-ssn
      9   open   udp   discard
    111   open   udp   sunrpc
    137   open   udp   netbios-ns
    138   open   udp   netbios-dgm

And I'm behind a firewall, though my machine is not firewalled itself,
not yet at least.
--
Olaf Meeuwissen       Epson Kowa Corporation, Research and Development
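The "request from unauthorized host" lines discussed in this thread are tcp_wrappers denials logged by portmap; the script below, an added example that is not part of the original mail, parses such lines, labels the RPC program number where it is a well-known one (NFS, mountd, lock manager) and reports repeated denials per source. The log lines and addresses are constructed to resemble the ones quoted above; the program numbers 390109 and 300598 from the thread are left unlabelled because they are not standard assignments.

```python
import re
from collections import Counter

# Constructed sample syslog excerpt modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
Aug 24 12:38:01 bilbo portmap[27641]: connect from 172.16.10.20 to callit(390109): request from unauthorized host
Aug 24 12:38:04 bilbo portmap[27641]: connect from 172.16.10.20 to callit(390109): request from unauthorized host
Aug 24 12:43:34 bilbo portmap[27659]: connect from 172.16.30.40 to getport(300598): request from unauthorized host
Aug 24 12:50:00 bilbo portmap[27660]: connect from 172.16.30.41 to getport(100003): request from unauthorized host
Aug 24 12:51:12 bilbo sshd[300]: Accepted publickey for olaf from 172.16.1.1 port 4000 ssh2
"""

# Well-known ONC RPC program numbers; anything else is reported as "unknown".
KNOWN_PROGRAMS = {
    100000: "portmapper", 100003: "nfs", 100005: "mountd",
    100021: "nlockmgr", 100024: "status",
}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) portmap\[(?P<pid>\d+)\]: "
    r"connect from (?P<src>[\d.]+) to (?P<proc>\w+)\((?P<prog>\d+)\): "
    r"request from unauthorized host$"
)

def describe_program(prog):
    """Map an RPC program number to its service name, or 'unknown'."""
    return KNOWN_PROGRAMS.get(prog, "unknown")

def parse_portmap_denials(text):
    """Return one dict per tcp_wrappers denial logged by portmap; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["prog"] = int(d["prog"])
            d["service"] = describe_program(d["prog"])
            events.append(d)
    return events

def summarize(events, threshold=2):
    """Count denials per (source, procedure, program) and keep those at or above threshold."""
    counts = Counter((e["src"], e["proc"], e["prog"]) for e in events)
    return {key: n for key, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for (src, proc, prog), n in sorted(summarize(parse_portmap_denials(SAMPLE_LOG), 1).items()):
        print(f"{src:16} {proc:8} prog={prog:<7} ({describe_program(prog)}) denied={n}")
```

Feeding the real syslog through `parse_portmap_denials` and raising the threshold turns a one-off getport lookup into something distinguishable from a host that keeps probing callit.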