[cobalt-security] [Raq3i] securely using rpc.statd and other rpc services
- Subject: [cobalt-security] [Raq3i] securely using rpc.statd and other rpc services
- From: Linking Internet - Peter Batenburg <peter@xxxxxxxxxx>
- Date: Sat, 04 Nov 2000 21:01:35 +0100
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
rpcinfo -p
that would give a list of services running through rpc.. like mountd, statd
etc... if nothing appears, you're not running portmap/rpc stuff.. so you don't
have to worry..
-> rpcinfo: can't contact portmapper: RPC: Remote system error - Connection refused
you can also check other hosts with rpcinfo -p <host>
and if you're running rpc, and have some services running, i would strongly
suggest putting it behind a firewall.. there have already been several
exploits for rpc services like mountd, and statd.. wonder what they'll find
next.. here's some rules for blocking portmapper, mountd, statd and nfsd:
#!/usr/bin/perl
system("/sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 111 -j REJECT");
system("/sbin/ipchains -A input -p udp -s 0/0 -d 0/0 111 -j REJECT");
system("/sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 635 -j REJECT");
system("/sbin/ipchains -A input -p udp -s 0/0 -d 0/0 635 -j REJECT");
system("/sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 2049 -j REJECT");
system("/sbin/ipchains -A input -p udp -s 0/0 -d 0/0 2049 -j REJECT");
system("/sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 32771 -j REJECT");
system("/sbin/ipchains -A input -p udp -s 0/0 -d 0/0 32771 -j REJECT");
accepting rules can be done like this:
system("/sbin/ipchains -A input -p tcp -s <host> -d 0/0 111 -j ACCEPT");
system("/sbin/ipchains -A input -p udp -s <host> -d 0/0 111 -j ACCEPT");
system("/sbin/ipchains -A input -p tcp -s <host> -d 0/0 635 -j ACCEPT");
system("/sbin/ipchains -A input -p udp -s <host> -d 0/0 635 -j ACCEPT");
system("/sbin/ipchains -A input -p tcp -s <host> -d 0/0 2049 -j ACCEPT");
system("/sbin/ipchains -A input -p udp -s <host> -d 0/0 2049 -j ACCEPT");
system("/sbin/ipchains -A input -p tcp -s <host> -d 0/0 32771 -j ACCEPT");
system("/sbin/ipchains -A input -p udp -s <host> -d 0/0 32771 -j ACCEPT");
be sure you run these rules AFTER portmapper & all the services are
started.. and accept rules before reject rules..
i use this to only allow a backup system to mount drives.. as extra
protection..
by the way.. try this instead:
[root@sunrise web]# whereis rpc.statd
rpc: /sbin/rpc.lockd /sbin/rpc.statd /usr/sbin/rpc.mountd
/usr/sbin/rpc.nfsd /usr/sbin/rpc.rquotad /etc/rpc /usr/include/rpc
hope this helps
At 16:44 3-11-00 -0800, you wrote:
I was told by the main nethead at my ISP that he's noticed an upswing in
rpcstatd exploits or backdoors. How can I check this one out and make
sure I'm ok on it?
A simple "locate rpcstatd" doesn't bring up anything on my machine, so
perhaps it's not installed on the RaQ's?
~ Theo
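
Added example, not part of the original message: RPC services register their ports with the portmapper, so the port list can be read from `rpcinfo -p` instead of being hard-coded. This sketch prints rules in the ipchains syntax used above, ACCEPT before REJECT, and applies nothing. The sample output, the address 192.0.2.10, and the function names `rpc_ports` and `rpc_rules` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p` output (not taken from a real host).
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32771  status
    100024    1   tcp  32771  status
    100005    1   udp    635  mountd
    100005    2   udp    635  mountd
    100005    1   tcp    635  mountd
    100003    2   udp   2049  nfs
EOF
}

# rpc_ports: read `rpcinfo -p` output on stdin, print unique "proto port"
# pairs. The header and any error text are skipped; several versions of one
# program on the same port collapse to a single pair.
rpc_ports() {
    awk '$1 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ && ($3 == "tcp" || $3 == "udp") {
             key = $3 " " $4
             if (!(key in seen)) { seen[key] = 1; print key }
         }'
}

# rpc_rules ALLOWED_HOST: read `rpcinfo -p` output on stdin and print
# ACCEPT rules for ALLOWED_HOST first, then REJECT rules for everyone else.
rpc_rules() {
    allowed=${1:?allowed host required}
    ports=$(rpc_ports)
    [ -n "$ports" ] || return 0      # nothing registered: no rules needed
    printf '%s\n' "$ports" | while read -r proto port; do
        echo "/sbin/ipchains -A input -p $proto -s $allowed -d 0/0 $port -j ACCEPT"
    done
    printf '%s\n' "$ports" | while read -r proto port; do
        echo "/sbin/ipchains -A input -p $proto -s 0/0 -d 0/0 $port -j REJECT"
    done
}

# Demo on the constructed sample; on a live host, after the services are up:
#   rpcinfo -p | rpc_rules 192.0.2.10
sample_rpcinfo | rpc_rules 192.0.2.10
```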