
Re: Suspicious behavior: cracked or just a dying machine?



On 15 Aug 2001 10:22:35 -0700, Craig Dickson wrote:
> Michael Heldebrant wrote:
> 
> > Protect your portmapper with /etc/hosts.deny and /etc/hosts.allow and
> > you won't get these buffer overflow attacks squatting in your syslogs
> > anymore.  I only allow 127.0.0.1 and my internal networks to touch the
> > portmapper.  Everyone else no access, stopped me from getting those
> > attacks.
> 
> My solution was simply to uninstall portmap. I couldn't figure out what
> I could possibly need it for. I haven't observed any problems resulting
> from this.
> 
> My standard theory is that if I see that my machine is listening on a
> port, I figure out why, and if I can't figure out why I should want it
> to do that, I get rid of the service or disable its listening feature.
> If I only want it for my own use, I block that port at my firewall _and_
> configure the service to accept only in-house IPs (_not_ including the
> firewall) or 127.0.0.1 as appropriate.
> 

I use NFS on my internal network and wanted to block outside access, so
portmap worked great for me once I protected it.  Your way is just as
valid if you don't need it.

--mike
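
The portmapper restriction discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of the TCP wrappers lookup order (hosts.allow first, then hosts.deny, default grant) run over constructed rules. The 192.168.1.0/24 internal network, the probe addresses and all function names are assumptions.

```python
import ipaddress

# Constructed sample rules. The 192.168.1.0/24 internal network is an assumption.
HOSTS_ALLOW = "portmap: 127.0.0.1 192.168.1.0/255.255.255.0\n"
HOSTS_DENY = "portmap: ALL\n"

def parse_rules(text):
    """Parse 'daemon_list : client_list' lines; comments and options are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, addr):
    """Match one client pattern: ALL, 'a.b.c.' prefix, net/mask, or exact address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)
    if "/" in pattern:
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(addr) in net
    return pattern == addr

def rule_hit(rules, daemon, addr):
    """True if any rule names the daemon (or ALL) and matches the client address."""
    return any((daemon in d or "ALL" in d) and
               any(client_matches(p, addr) for p in c) for d, c in rules)

def allowed(allow_text, deny_text, daemon, addr):
    """Allow file first, then deny file; a client matching neither is granted."""
    if rule_hit(parse_rules(allow_text), daemon, addr):
        return True
    return not rule_hit(parse_rules(deny_text), daemon, addr)

def audit(allow_text, deny_text, addrs, daemon="portmap"):
    """Return the access decision for each address under the given rule files."""
    return {a: allowed(allow_text, deny_text, daemon, a) for a in addrs}

if __name__ == "__main__":
    probes = ["127.0.0.1", "192.168.1.20", "203.0.113.7"]  # constructed addresses
    print("with hosts.deny:   ", audit(HOSTS_ALLOW, HOSTS_DENY, probes))
    print("without hosts.deny:", audit(HOSTS_ALLOW, "", probes))
```

Running it with an empty hosts.deny shows the outside address still being granted, because a client that matches neither file is allowed by default.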



