
[cobalt-security] [Raq3i] securely using rpc.statd and other rpc services



Peter,

Thanks a million.  The people on this list are awesome!  I tried a:

    [root@www admin]# /usr/sbin/rpcinfo -p

and got:

    rpcinfo: can't contact portmapper: rpcinfo: RPC: Unable to receive; errno = Connection reset by peer

so I assume that I'm ok on this front, and not vulnerable to any of these
rpc.statd attacks, correct?

Does rpc stand for "Remote Procedure Call" or something by the way?

Thanks again!

~ Theo


Linking Internet - Peter Batenburg wrote:

> rpcinfo -p
> that would give a list of services running through rpc.. like mountd, statd
> etc... if nothing appears, you're not running portmap/rpc stuff.. so you don't
> have to worry..
> -> rpcinfo: can't contact portmapper: RPC: Remote system error - Connection
> refused
> you can also check other hosts with rpcinfo -p <host>
> and if you're running rpc, and have some services running, I would strongly
> suggest putting it behind a firewall.. there have already been several
> exploits for rpc services like mountd, and statd.. wonder what they'll find
> next.. here's some rules for blocking portmapper, mountd, statd and nfsd:
>
> #!/usr/bin/perl
> system("/sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 111 -j REJECT");
> system("/sbin/ipchains -A input -p udp -s 0/0 -d 0/0 111 -j REJECT");
> system("/sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 635 -j REJECT");
> system("/sbin/ipchains -A input -p udp -s 0/0 -d 0/0 635 -j REJECT");
> system("/sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 2049 -j REJECT");
> system("/sbin/ipchains -A input -p udp -s 0/0 -d 0/0 2049 -j REJECT");
> system("/sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 32771 -j REJECT");
> system("/sbin/ipchains -A input -p udp -s 0/0 -d 0/0 32771 -j REJECT");
>
> accepting rules can be done like this:
>
> system("/sbin/ipchains -A input -p tcp -s <host> -d 0/0 111 -j ACCEPT");
> system("/sbin/ipchains -A input -p udp -s <host> -d 0/0 111 -j ACCEPT");
> system("/sbin/ipchains -A input -p tcp -s <host> -d 0/0 635 -j ACCEPT");
> system("/sbin/ipchains -A input -p udp -s <host> -d 0/0 635 -j ACCEPT");
> system("/sbin/ipchains -A input -p tcp -s <host> -d 0/0 2049 -j ACCEPT");
> system("/sbin/ipchains -A input -p udp -s <host> -d 0/0 2049 -j ACCEPT");
> system("/sbin/ipchains -A input -p tcp -s <host> -d 0/0 32771 -j ACCEPT");
> system("/sbin/ipchains -A input -p udp -s <host> -d 0/0 32771 -j ACCEPT");
>
> be sure you run these rules AFTER portmapper & all the services are
> started.. and accept rules before reject rules..
> I use this to only allow a backup system to mount drives.. as extra
> protection..
> by the way.. try this instead:
> [root@sunrise web]# whereis rpc.statd
> rpc: /sbin/rpc.lockd /sbin/rpc.statd /usr/sbin/rpc.mountd
> /usr/sbin/rpc.nfsd /usr/sbin/rpc.rquotad /etc/rpc /usr/include/rpc
>
> hope this helps
> At 16:44 3-11-00 -0800, you wrote:
>
> >I was told by the main nethead at my ISP that he's noticed an upswing in
> >rpcstatd exploits or backdoors.  How can I check this one out and make
> >sure I'm ok on it?
> >
> >A simple "locate rpcstatd" doesn't bring up anything on my machine, so
> >perhaps it's not installed on the RaQ's?
> >
> >~ Theo
> >
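As an added example, not from either poster: a small sh script that reads `rpcinfo -p` output (the check Peter recommends) and turns every RPC service still registered with portmapper into an ipchains REJECT line of the same form as his, printed for review rather than executed. The `rpcinfo` output below is constructed to use the ports from the thread; on a live host pipe the real `rpcinfo -p` into it.

```shell
#!/bin/sh
# Constructed sample of "rpcinfo -p" output, using the ports the
# thread's ipchains rules block (111, 635, 2049, 32771).
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32771  status
    100024    1   tcp  32771  status
    100005    1   udp    635  mountd
    100005    1   tcp    635  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs'

# rpc_services: read rpcinfo -p output on stdin and print unique
# "proto port name" triples; the 4-field header line is skipped.
rpc_services() {
    awk 'NR > 1 && NF == 5 { print $3, $4, $5 }' | sort -u
}

# rpc_reject_rules: emit one ipchains REJECT rule per proto/port,
# in the shape used in the thread. Only printed, so the list can be
# reviewed (and ACCEPT rules for trusted hosts added first) before use.
rpc_reject_rules() {
    rpc_services | while read -r proto port name; do
        printf '/sbin/ipchains -A input -p %s -s 0/0 -d 0/0 %s -j REJECT   # %s\n' \
            "$proto" "$port" "$name"
    done
}

# rpc_exposed_count: number of distinct ports registered with portmapper.
# Zero (or a "can't contact portmapper" error upstream) means no RPC
# service is reachable through portmapper on this host.
rpc_exposed_count() {
    rpc_services | awk '{ print $2 }' | sort -u | wc -l | tr -d ' '
}

# Live usage would be:  rpcinfo -p | rpc_reject_rules
printf '%s\n' "$SAMPLE_RPCINFO" | rpc_reject_rules
```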