[lug] Interesting Crash Report
D. Stimits
stimits at idcomm.com
Wed Mar 21 12:23:06 MST 2001
Nate Duehr wrote:
>
> Do you need them? If not remove the "r"service daemons.
>
> If you don't, the general rule of Unix security is to remove any running
> daemons that are not in use.
>
> Portmap is used by NFS - if you're using NFS (which has its own security
> problems...) then you'll need to keep the portmapper.
>
> You certainly can do a "stop" on them and see if anything you need
> broke. If so, you'll have to live with the firewall protection, but if
> you're really not using things, just remove them/disable them.
>
> Nate
Additional note on this. Some services are run from init as per rc
scripts. I don't know if chkconfig is an RH-only thing; not sure (I hope
not, it is nice). Run this:
chkconfig --list
Look for rpc and portmap entries. You can then use it to turn off these
services at all runlevels, without actually removing the packages, e.g.:
chkconfig --levels 0123456 portmap off
Now if someone uses a UDP packet that does not require a round-trip
connection, and spoofs it to your internal address, you might still be
vulnerable to UDP attacks, depending on your firewall rules. One thing
to consider is that since you know your machine won't be contacting
others to run their NFS over that interface, you could also block all
outgoing packets to rpc ports...and definitely turn on logging there,
it's a good sign someone got in the machine if yours suddenly tries to
open someone else's rpc ports (or at least a sign to be suspicious).
>
> Glenn Murray wrote:
> >
> > Nothing like a good security discussion to bring on that
> > early morning paranoia: when I run "lsof -i" I get
> >
> > COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
> > portmap 109 root 3u IPv4 58 UDP *:sunrpc
> > portmap 109 root 4u IPv4 59 TCP *:sunrpc (LISTEN)
> > rpc.statd 180 root 0u IPv4 103 UDP *:781
> > rpc.statd 180 root 1u IPv4 106 TCP *:783 (LISTEN)
> >
> > but my ipchains rules do not accept input packets on ports 111, 781 or 783.
> >
> > 1. Am I safe from attacks on those ports? (If not, then I've really
> > missed the point about ipchains!)
> >
> > 2. I know of no reason for another computer to call sunrpc or any
> > other kind of rpc on my box---is there any harm in turning these
> > daemons off in /etc/rc* ? (I would think there would be no harm,
> > but paranoia makes me ask.)
> >
> > Thanks,
> > Glenn Murray
> > www.mines.edu/~glenn/public_html/Welcome.html
> >
> > On Tue, 20 Mar 2001, Scott A. Herod wrote:
> >
> > > Also, as root, check the result of "lsof -i". Suspicious
> > > things are sshd's running on numerical ports, esp. anything higher
> > > than 1024.
> >
> > _______________________________________________
> > Web Page: http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
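An added example (not from any poster in this thread) that automates the two checks discussed above: Scott's "look at lsof -i for rpc daemons and sshd on numeric ports" and Stimits' "turn them off with chkconfig" advice. The input is a constructed sample in the same column layout as Glenn's lsof output, with two sshd rows added for illustration; the chkconfig service name can differ from the process name (rpc.statd is usually started by the nfslock script on Red Hat), so the printed commands are a starting point to check against chkconfig --list, not something to run blindly.

```shell
#!/bin/sh
# Constructed sample of "lsof -i" output (same layout as the thread's).
# For a real audit: lsof -i | audit_lsof
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
portmap 109 root 3u IPv4 58 UDP *:sunrpc
portmap 109 root 4u IPv4 59 TCP *:sunrpc (LISTEN)
rpc.statd 180 root 0u IPv4 103 UDP *:781
rpc.statd 180 root 1u IPv4 106 TCP *:783 (LISTEN)
sshd 210 root 3u IPv4 120 TCP *:ssh (LISTEN)
sshd 4411 root 3u IPv4 900 TCP *:31337 (LISTEN)'

# audit_lsof: read lsof -i lines on stdin, print one finding per line:
#   RPC ...                 portmap / rpc.* daemon bound to a socket
#   SSHD-NUMERIC-HIGH ...   sshd on a numeric port above 1024 (suspicious)
#   SSHD-NUMERIC-LOW ...    sshd on a numeric port at or below 1024
audit_lsof() {
    awk '
    NR == 1 { next }                                  # skip header row
    {
        cmd = $1; pid = $2
        # NAME is the last field unless a "(LISTEN)" state follows it;
        # the SIZE column is blank, so index from the end of the line.
        if ($NF ~ /^\(/) { name = $(NF-1); proto = $(NF-2) }
        else             { name = $NF;     proto = $(NF-1) }
        split(name, a, ":"); port = a[2]              # "*:sunrpc" -> "sunrpc"
        if (cmd == "portmap" || cmd ~ /^rpc\./)
            printf "RPC %s pid=%s %s/%s\n", cmd, pid, proto, port
        else if (cmd == "sshd" && port ~ /^[0-9]+$/) {
            tag = (port + 0 > 1024) ? "HIGH" : "LOW"
            printf "SSHD-NUMERIC-%s %s pid=%s %s/%s\n", tag, cmd, pid, proto, port
        }
    }'
}

# disable_cmds: turn the RPC findings into the chkconfig commands Stimits
# suggests, one per distinct daemon name. Printed, not executed; map the
# process name to the rc script name with "chkconfig --list" first.
disable_cmds() {
    audit_lsof | awk '$1 == "RPC" { print $2 }' | sort -u |
        while read -r svc; do
            echo "chkconfig --levels 0123456 $svc off"
        done
}

printf '%s\n' "$SAMPLE_LSOF" | audit_lsof
printf '%s\n' "$SAMPLE_LSOF" | disable_cmds
```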