On Sun, 29 Oct 2000, Brian wrote:
> On Sun, 29 Oct 2000, Mikkel L. Ellertson wrote:
>
> > On Sun, 29 Oct 2000, Brian wrote:
> >
> > >
> > > When someone attempts the rpc.statd exploit to a Redhat 6.2 box, are there
> > > no places their IP address gets logged? I see the attempts in
> > > /var/log/messages, but nothing in any other files aligning to an ip
> > > address.
> > >
> > > Brian
> > >
> > It depends on your firewall setup and your syslog.conf settings. With the
> > stock syslog.conf and port 111 being blocked by IP chains, then that
> > /var/log/messages is the only place. Nothing else will show it because
> > nothing but the firewall "sees" it. Not even portsentry will see it
> > because the firewall blocks it before any connection is made.
>
> but what if you don't have it ipchained... I see the rpc.statd
> request in messages, but still no ip logged.
If you haven't patched rh6.2 per the information in the link below, you
might be in trouble:

http://www.securityfocus.com/vdb/bottom.html?vid=1480

If your box has been patched, however, you might just try adding some
ipchains rules as was mentioned before like so:

ipchains -A input -p tcp -s ! your.trusted.net.work -d \
your.trusted.net.work 1024 -j REJECT

This may not be the only rule you need. Check the output of netstat for
ports used by rpc.statd:

netstat -anp --inet | grep rpc.statd | tr -s '[:space:]'

which probably gives you:

tcp 0 0 0.0.0.0:1024 0.0.0.0:* LISTEN 441/rpc.statd
udp 0 0 0.0.0.0:1027 0.0.0.0:* 441/rpc.statd
udp 0 0 0.0.0.0:617 0.0.0.0:* 441/rpc.statd

This would tell you that you might want additional rules to block the 2
udp ports above.

A couple more things you might want to add to the ipchains rules would be
to indicate that you only want SYN connects to those ports blocked.
Otherwise your firewall will drop some harmless traffic coming from your
network/host. Additionally, you may want to log the "bad" traffic to
syslog. So here could be the rules:

ipchains -A input -p tcp -l -y -s ! your.trusted.net.work -d \
your.trusted.net.work 1024 -j REJECT
ipchains -A input -p udp -l -s ! your.trusted.net.work -d \
your.trusted.net.work 1027 -j REJECT
ipchains -A input -p udp -l -s ! your.trusted.net.work -d \
your.trusted.net.work 617 -j REJECT

Another method you might try would be to read up on tcp wrappers and using
a line in /etc/hosts.deny to send you an email when something occurs. As
you may have seen in the past day or so on the list, check out the man
page for host_options.

These will only get you started really. Probably the best solutions would
involve some intrusion detection system, maybe snort, and/or some log
watching utilities like swatch to notify you about attempts. There are
tons of sites on security out there. Maybe start at securitylocus.com and
linuxsecurity.com. That's a bit of information, but I hope you find it
helpful.

--
Tony Inskeep
Pfeiffer University
704.463.1360 x2172
------------------
Ashamed of what is not a matter for shame, and not ashamed of what is,
by holding to wrong views people go to a bad rebirth. 316
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
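An added example, not part of Tony's message or of any Red Hat tool: a small POSIX shell script that does the two mechanical parts of the advice above. `statd_rules` reads `netstat -anp --inet` output and emits one logging REJECT rule per rpc.statd listener (with `-y` only on the TCP rule, since UDP has no SYN), and `log_sources` reads syslog lines and counts REJECTed packets per source address from the kernel's `Packet log:` lines that the `-l` flag produces, which is where the attacker's IP ends up once those rules are in place. The netstat and kernel log layouts assumed are those of a 2.2-kernel/ipchains box such as Red Hat 6.2; the sample netstat output, the log lines and the trusted network `10.0.0.0/24` are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original message or any Red Hat tool.
# Assumes the netstat and "Packet log:" formats of a 2.2 kernel with ipchains.
# All sample data below is constructed.

# Constructed "netstat -anp --inet" output, standing in for the real command.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN      441/rpc.statd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      389/sshd
udp        0      0 0.0.0.0:1027            0.0.0.0:*                           441/rpc.statd
udp        0      0 0.0.0.0:617             0.0.0.0:*                           441/rpc.statd
EOF
}

# statd_rules NET: read netstat lines on stdin, print one logging REJECT rule
# per rpc.statd listener.  TCP rules get -y so only SYN packets (new inbound
# connections) match; UDP has no handshake, so its rules match every datagram.
statd_rules() {
    net="$1"
    grep 'rpc\.statd' | awk -v net="$net" '
        {
            proto = $1
            split($4, addr, ":")           # "0.0.0.0:1024" -> addr[2] is the port
            syn = (proto == "tcp") ? " -y" : ""
            printf "ipchains -A input -p %s -l%s -s ! %s -d %s %s -j REJECT\n",
                   proto, syn, net, net, addr[2]
        }'
}

# Constructed syslog lines in the ipchains "Packet log:" format written by -l.
# The last line is an ACCEPT and must not be counted.
sample_log() {
    cat <<'EOF'
Oct 29 14:02:11 host kernel: Packet log: input REJECT eth0 PROTO=6 192.0.2.7:3911 10.0.0.5:1024 L=60 S=0x00 I=19033 F=0x4000 T=51 SYN (#1)
Oct 29 14:02:13 host kernel: Packet log: input REJECT eth0 PROTO=17 192.0.2.7:3912 10.0.0.5:1027 L=1100 S=0x00 I=19034 F=0x0000 T=51 (#2)
Oct 29 14:05:40 host kernel: Packet log: input REJECT eth0 PROTO=17 198.51.100.4:1027 10.0.0.5:617 L=88 S=0x00 I=2201 F=0x0000 T=60 (#3)
Oct 29 14:06:02 host kernel: Packet log: input ACCEPT eth0 PROTO=6 10.0.0.9:2048 10.0.0.5:22 L=60 S=0x00 I=7 F=0x4000 T=64 SYN (#4)
EOF
}

# log_sources: count REJECTed packets per source address from syslog lines on
# stdin.  The source is the "addr:port" token that follows PROTO=<n>.
log_sources() {
    awk '/Packet log:/ && /REJECT/ {
            src = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^PROTO=/) { src = $(i + 1); break }
            sub(/:[0-9]+$/, "", src)       # drop the source port
            if (src != "") count[src]++
         }
         END { for (s in count) printf "%s %d\n", s, count[s] }' | sort
}

# Stand-alone run: the generated rules, then the offending source addresses.
sample_netstat | statd_rules 10.0.0.0/24
sample_log | log_sources
```

On a real box you would pipe the actual `netstat -anp --inet` into `statd_rules` with your own network, and `grep 'Packet log:' /var/log/messages | log_sources` gives the per-source counts; the same `sort` output is what a swatch rule or a cron job could watch for.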