On Sun, 10 Sep 2000, Jasper Jans wrote:

> Set up ipchains to log all connection attempts to nfs
> that are not coming from your domain - and deny them.
> That should give you what you need.

Be proactive and multilayered in your defense:

Set up ipchains to block *all* traffic and then explicitly permit just
what you want to permit.

Set up portsentry to watch ports for services that are regularly
attacked. This will block the attacker completely as soon as they
try to probe your system for vulnerabilities, even if those services
aren't running at all.

Edit /etc/inetd.conf and turn off all services you aren't actually
using (are you actually using NFS?) - and remember to restart inetd so
that the changes take effect right away.

Uninstall the daemons you're not using (e.g. portmapper, nfs-utils,
yp*).

Evaluate the services you *are* providing, and recompile all of their
daemons using the StackGuard compiler (http://www.immunix.org/). This
won't guard against format-string attacks, but it will harden you
against most buffer-overflow attacks.

I see and block scans for 111/tcp (RPC - NFS et al.), 53 (DNS), 8080
(Wingate), 98 (Linuxconf) and various Windows backdoors every day.

> On Sat, 9 Sep 2000, Dan Horth wrote:
> 
> > Can someone suggest a method for logging all nfs mount attempts from 
> > outside our network - and even blocking them as they happen... and 
> > any other ways I can tighten up our security to keep the kiddies out 
> > of our network?

--
 John Hardin KA7OHZ   ICQ#15735746   http://www.wolfenet.com/~jhardin/
 [EMAIL PROTECTED]      pgpk -a finger://gonzo.wolfenet.com/jhardin
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
                                -- Peter da Silva in a.s.r
-----------------------------------------------------------------------
   49 days until Daylight Savings Time ends



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
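
Added example, not part of the original message: a dry-run generator for the default-deny ipchains input policy described above, with logged denies for portmapper/NFS traffic from outside the local network. The function name, the 192.0.2.0/24 network, the 192.0.2.53 resolver and the permitted ports 22 and 80 are constructed assumptions.

```shell
#!/bin/sh
# Prints (does not apply) an ipchains input ruleset for a 2.2-kernel host.
# All addresses and ports below are constructed sample values.

gen_rules() {
    lan="$1"; dns="$2"; shift 2     # remaining args: TCP ports open to everyone
    echo "ipchains -F input"
    echo "ipchains -P input DENY"   # block *all* traffic by default
    echo "ipchains -A input -i lo -j ACCEPT"

    # First match wins, so log-and-deny outside portmapper (111) and NFS (2049)
    # attempts before any permit rule. -l sends the packet header to syslog.
    for port in 111 2049; do
        for proto in tcp udp; do
            echo "ipchains -A input -p $proto -s ! $lan -d 0/0 $port -l -j DENY"
        done
    done

    # Explicit permits: the local network, then the listed public services.
    echo "ipchains -A input -s $lan -j ACCEPT"
    for port in "$@"; do
        echo "ipchains -A input -p tcp -d 0/0 $port -j ACCEPT"
    done

    # ipchains is stateless: admit TCP packets without SYN set (replies to
    # our outbound connections) and DNS answers from the resolver only.
    echo "ipchains -A input -p tcp ! -y -d 0/0 1024:65535 -j ACCEPT"
    echo "ipchains -A input -p udp -s $dns 53 -d 0/0 1024:65535 -j ACCEPT"

    # Log everything else before it falls through to the DENY policy.
    echo "ipchains -A input -l -j DENY"
}

# Dry run with the constructed values; review the output before applying it.
gen_rules 192.0.2.0/24 192.0.2.53 22 80
```

The logged denies appear in the kernel log with source address, protocol and destination port, which is the record of outside mount attempts asked for at the start of the thread.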
