Free Weekly Tech Newsletter

**mairving** · 11-06-2000, 07:49 AM

Every couple of days I look in my logs to see if anything is going on that I don't know about. Here is a message from my login log: One is portmap[1331]: connect from (IP) to dump()" request from authorized host.

Also I have a couple of ports open, ie FTP & Telnet that are not being used. How can I close these ports? Any info would be greatly appreciated.

Statica · 11-06-2000, 09:58 AM

Umm is it authorized or unauthorized host? If it is authorized then you have to look at who was authorized.

The log generated was refers to your portmap service [are you using NFS? If not portmap mightnt be useful and a vulnerability].

The dump msg is generated whenever a call to rpcinfo -p is made to it.

How is your firewalling? I'd suggest you start ignoring ICMP requests
/proc/sys/net/ipv4/icmp_echo_ignore_all

[also look below for further notes on rpcinfo..

Quite a few paths to disabling services, actually ..
some of them are ..

Commenting out the services you dont need in /etc/inetd.conf

Commenting out services from /etc/services

renaming the symlink to the service called from /etc/rc.d/rc#.d

Make sure that you have disabled rsh (exec), rlogin (login), rcp (shell) in your /etc/inetd.conf

Are you using wrappers? use well defined /etc/hosts.allow and use ALL:ALL in /etc/hosts.deny

I know .. std. operating procedures but it helps to go through them.

HTH

**mairving** · 11-06-2000, 04:07 PM

Mr. Static,
Thanks for the help. I have locked down most of this using the Bastille-Linux hardening tool. I will look into my making sure that all of the rules are good. I am not using NFS either.

Statica · 11-06-2000, 05:49 PM

Bastille does have its downsides .. i removed it cos its such a pain to make ANY config changes its ridiculous .. I trust^* my own brand of security made up of caution, vigilance and researching exploits, patches and

^*: trust = till i get hacked

**mairving** · 11-06-2000, 08:34 PM

The newer version is much better. The old version can only be run once. The newer version can be run as many times as wanted. It has a bit better interface. It is good for those that don't know as much as you.

11-06-2000, 07:49 AM	#1
mairving Staff Premium Member Join Date: Jul 1999 Location: Arlington, TN Posts: 5,538	Every couple of days I look in my logs to see if anything is going on that I don't know about. Here is a message from my login log: One is portmap[1331]: connect from (IP) to dump()" request from authorized host. Also I have a couple of ports open, ie FTP & Telnet that are not being used. How can I close these ports? Any info would be greatly appreciated. Share Share this post on Digg Del.icio.us Technorati Twitter

11-06-2000, 09:58 AM	#2
Statica Premium Member Join Date: Jun 1999 Posts: 9,231	Umm is it authorized or unauthorized host? If it is authorized then you have to look at who was authorized. The log generated was refers to your portmap service [are you using NFS? If not portmap mightnt be useful and a vulnerability]. The dump msg is generated whenever a call to rpcinfo -p is made to it. How is your firewalling? I'd suggest you start ignoring ICMP requests /proc/sys/net/ipv4/icmp_echo_ignore_all [also look below for further notes on rpcinfo.. Quite a few paths to disabling services, actually .. some of them are .. Commenting out the services you dont need in /etc/inetd.conf Commenting out services from /etc/services renaming the symlink to the service called from /etc/rc.d/rc#.d Make sure that you have disabled rsh (exec), rlogin (login), rcp (shell) in your /etc/inetd.conf Are you using wrappers? use well defined /etc/hosts.allow and use ALL:ALL in /etc/hosts.deny I know .. std. operating procedures but it helps to go through them. HTH Share Share this post on Digg Del.icio.us Technorati Twitter

11-06-2000, 04:07 PM	#3
mairving Staff Premium Member Join Date: Jul 1999 Location: Arlington, TN Posts: 5,538	Mr. Static, Thanks for the help. I have locked down most of this using the Bastille-Linux hardening tool. I will look into my making sure that all of the rules are good. I am not using NFS either. Share Share this post on Digg Del.icio.us Technorati Twitter

11-06-2000, 05:49 PM	#4
Statica Premium Member Join Date: Jun 1999 Posts: 9,231	Bastille does have its downsides .. i removed it cos its such a pain to make ANY config changes its ridiculous .. I trust^* my own brand of security made up of caution, vigilance and researching exploits, patches and ^*: trust = till i get hacked Share Share this post on Digg Del.icio.us Technorati Twitter

11-06-2000, 08:34 PM	#5
mairving Staff Premium Member Join Date: Jul 1999 Location: Arlington, TN Posts: 5,538	The newer version is much better. The old version can only be run once. The newer version can be run as many times as wanted. It has a bit better interface. It is good for those that don't know as much as you. Share Share this post on Digg Del.icio.us Technorati Twitter

Need Some Help? Type Your Keywords Here:

Still Need Help? Type Your Keywords Here:

Free Weekly Tech Newsletter

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes	Rate This Thread
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode	Rate This Thread:

Subscribe to THE INSIDER

Need Some Help? Type Your Keywords Here:

Still Need Help? Type Your Keywords Here:

Free Weekly Tech Newsletter