Hi all,

Recently I've been seeing some strange network behaviour. NFS directories not being mounted, requiring restart of NFS on the server. yppasswd not being able to change users' passwords.

The Authentication Server for the network is Redhat-6.1 with all the latest updates from the redhat site.

    kernel-2.2.12-20
    portmap-4.0-17
    ypserv-1.3.9-1
    yp-tools-2.3-2
    ypbind-3.3-24

The File Server is Redhat-6.0, again with all the latest updates from redhat. The only thing I changed from a stock Redhat install was NFS, which is suspicious. knfsd performance with 6.0 is just not acceptable for a production system so I downgraded to userland NFS from the 5.2 updates. It seemed to work fine for several weeks.

    kernel-2.2.5-22
    portmap-4.0-15
    ypserv-1.3.6.91-1
    yp-tools-2.2-1
    ypbind-3.3-20
    nfs-server-2.2beta44-1
    nfs-server-clients-2.2beta44-1

When I checked the process table with ps I see several portmap daemons running. I've never seen this before. But obviously it could cause problems with any RPC based servers such as NFS/NIS. The initial portmap, PID 284, is there but there are lots of copies and they are continually being replaced by others with new PIDs.

    USER       PID  %C  %M  VSZ  RSS TTY STAT START  TIME COMMAND
    bin        284 0.0 0.0 1212  388 ?   S    Nov21  0:35 portmap
    bin      24048 0.0 0.0 1232  436 ?   S    15:18  0:00 portmap
    bin      24104 0.0 0.0 1232  432 ?   S    15:18  0:00 portmap
    bin      24105 0.0 0.0 1232  432 ?   S    15:18  0:00 portmap

In the messages log on the Authentication Server there are lots of messages like the following. Names/IP have been changed.

    Nov 22 13:57:29 auth-server portmap[15683]: connect \
        from 199.101.9.109 to callit(ypserv): request from unauthorized host
    Nov 22 14:22:32 auth-server portmap[18041]: connect \
        from 199.101.9.102 to callit(390109): request from unauthorized host
    Nov 22 14:22:35 auth-server portmap[18045]: connect \
        from 199.101.9.102 to callit(390109): request from unauthorized host
    Nov 22 14:46:15 auth-server portmap[21449]: connect from \
        199.101.9.35 to callit(mountd): request from unauthorized host

You can see the portmap PID increasing in the messages.

portmap etc. are protected by the following in the hosts.allow file:

    # allow access to portmap to adresses in range 199.101.24.0 to 25.255
    portmap: 199.101.24.0/255.255.254.0
    # allow access to ypserv
    ypserv: 127.0.0.1
    ypserv: 199.101.24.0/255.255.254.0
    # allow access to mountd
    rpc.mountd: 199.101.24.0/255.255.254.0

Anybody got any idea of what could be happening here?

Regards,

Tony.

---------------------------------------------------------------------
Tony Molloy.                    e-mail: [EMAIL PROTECTED]
Systems Manager.
Dept. of CSIS.                  Phone:  +353-61-202778 (DL)
Univ. of Limerick.                      +353-61-333644 ext. 2778
Ireland.                        Fax:    +353-61-330876
---------------------------------------------------------------------
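
An added example, not part of the original post: the Python below parses portmap denial lines in the format quoted above and tests each source address against the portmap entry from the posted hosts.allow. The sample log is the post's own (already altered) lines; the function and variable names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Log lines as posted (the poster had already altered names/IPs), including
# the "\" continuations that the mail used to wrap long syslog lines.
SAMPLE_LOG = r"""
Nov 22 13:57:29 auth-server portmap[15683]: connect \
    from 199.101.9.109 to callit(ypserv): request from unauthorized host
Nov 22 14:22:32 auth-server portmap[18041]: connect \
    from 199.101.9.102 to callit(390109): request from unauthorized host
Nov 22 14:22:35 auth-server portmap[18045]: connect \
    from 199.101.9.102 to callit(390109): request from unauthorized host
Nov 22 14:46:15 auth-server portmap[21449]: connect from \
    199.101.9.35 to callit(mountd): request from unauthorized host
"""

# The portmap entry from the posted hosts.allow (netmask form is accepted).
PORTMAP_ALLOW = ipaddress.ip_network("199.101.24.0/255.255.254.0")

DENIAL = re.compile(
    r"portmap\[(?P<pid>\d+)\]: connect from (?P<src>\d+(?:\.\d+){3}) "
    r"to (?P<proc>\w+)\((?P<target>[^)]+)\): request from unauthorized host")

def parse_denials(text):
    """Return one dict per portmap denial; unrelated lines are skipped."""
    text = re.sub(r"\\[ \t]*\n[ \t]*", "", text)  # rejoin wrapped lines
    events = []
    for m in DENIAL.finditer(text):
        ev = m.groupdict()
        ev["pid"] = int(ev["pid"])
        ev["in_allow_range"] = ipaddress.ip_address(ev["src"]) in PORTMAP_ALLOW
        events.append(ev)
    return events

def summarize(events):
    """Count denials per (source, RPC target); list the logging PIDs."""
    counts = Counter((e["src"], e["target"]) for e in events)
    return counts, sorted({e["pid"] for e in events})

if __name__ == "__main__":
    events = parse_denials(SAMPLE_LOG)
    counts, pids = summarize(events)
    for (src, target), n in sorted(counts.items()):
        ok = ipaddress.ip_address(src) in PORTMAP_ALLOW
        print(f"{src:15} callit({target}) x{n}  inside allowed range: {ok}")
    print("portmap PIDs that logged a denial:", pids)
```

Run against a full messages file, the per-source counts show which hosts are sending the callit requests and whether any of them fall inside the range the hosts.allow entry permits.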