LinuxQuestions.org - Linux - Security forum
#1 | 03-21-2006, 01:54 AM | math_physics, LQ Newbie (Registered: Jul 2005, Posts: 22)
I got a suspicious link, what is it?
I got a link from port 718 of a remote host, whose IP address is 84.56.245.11.
The link state is always "ESTABLISHED".
I tried to use iptables to disable it, but it did not work.
I used this command:
iptables -I INPUT -s 84.56.245.11 -d my-ip-address -p tcp --dport 111 -j REJECT
and the command "iptables -t filter -L" gives this message:
REJECT tcp -- dslb-084-056-245-011.pools.arcor-ip.net my-ip-address tcp dpt:sunrpc reject-with icmp-port-unreachable
What is this link? How can I disable it, if it is dangerous?
Thank you very much!
#2 | 03-21-2006, 01:55 AM | math_physics, LQ Newbie, Original Poster (Registered: Jul 2005, Posts: 22)
I got a suspicious link, what is it?
I got a link from port 718 of a remote host, whose IP address is 84.56.245.11, to my port 111 (sunrpc).
The link state is always "ESTABLISHED".
I tried to use iptables to disable it, but it did not work.
I used this command:
iptables -I INPUT -s 84.56.245.11 -d my-ip-address -p tcp --dport 111 -j REJECT
and the command "iptables -t filter -L" gives this message:
REJECT tcp -- dslb-084-056-245-011.pools.arcor-ip.net my-ip-address tcp dpt:sunrpc reject-with icmp-port-unreachable
What is this link? How can I disable it, if it is dangerous?
Thank you very much!
Last edited by math_physics; 03-21-2006 at 01:58 AM.
#3 | 03-21-2006, 02:17 AM | Member (Registered: Nov 2004, Location: BIOS, Distribution: RHEL3.0, FreeBSD 5.x, Debian 3.x, Solaris x86 v10, Posts: 379)
Try
Code:
iptables -I INPUT -s 84.56.245.11 -j DROP
The above rule should drop any connection attempt from IP 84.56.245.11.
To kill an established connection use tcpkill (http://www.cyberciti.biz/howto/quest...ux-netstat.php); it is a good idea to block all incoming requests.
#4 | 03-21-2006, 02:42 AM | Senior Member (Registered: Sep 2005, Location: Out, Posts: 3,307)
Or if you don't manage to compile tcpkill quickly enough, you can reroute this IP to your localhost:
Code:
route add 84.56.245.11 gw 127.0.0.1
It doesn't replace iptables or tcpkill, but it's a quick way to drop a connection at the IP level.
#5 | 03-21-2006, 03:03 AM | jschiwal, LQ Guru (Registered: Aug 2001, Location: Fargo, ND, Distribution: SuSE AMD64, Posts: 15,733)
sunrpc is the port for the portmapper. This service runs if you use NFS for example.
This link may be useful.
http://probing.csx.cam.ac.uk/about/sunrpc.html
This page also links to a portmapper replacement, written by the same person who wrote postfix.
The replacement provides logging and ACLs.
If that IP address is suspect, you might consider blocking it out totally.
Last edited by jschiwal; 03-21-2006 at 03:05 AM.
#6 | 03-21-2006, 03:45 AM | Moderator (Registered: May 2001, Posts: 29,417)
@math_physics: //Moderator.note: unfortunately you have posted two similar messages in one forum, which is against the LQ Rules. Cross-posting and posting duplicates is considered bad netiquette on your part, a waste of resources on LQ's part and a waste of time for LQ members who take the time to read and answer your question(s). Please do not do that again. Your threads have been merged for everyone's convenience.
#7 | 03-21-2006, 03:57 AM | Senior Member (Registered: Sep 2005, Location: Out, Posts: 3,307)
To see why rpc is installed, you can get the registered rpc services by doing:
Code:
rpcinfo -p localhost
It could be famd or nfs, for example.
If you don't need these services, remove portmap.
If you don't want to export anything to the outside but still want to keep portmap running, you can restrict it with tcp_wrappers. To restrict it to localhost only, you can launch portmap to listen only on localhost.
In Debian (maybe others) edit /etc/init.d/portmap:
Code:
OPTIONS="-i 127.0.0.1"
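Added example, not from any of the posters: a POSIX shell script, run over a constructed netstat -tn sample (the local address 192.0.2.10 and the second peer are placeholders), that lists which non-loopback peers hold ESTABLISHED connections to a local port and prints the DROP rule from #3 for each, and reports whether the listener on that port is bound to all interfaces or only to loopback, which is what the -i 127.0.0.1 option in #7 changes.

```shell
# Constructed sample of `netstat -tn` / `netstat -tln` output (not captured
# from a real host); 84.56.245.11:718 is the peer from the thread.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:111          84.56.245.11:718        ESTABLISHED
tcp        0      0 192.0.2.10:22           192.0.2.20:40212        ESTABLISHED
tcp        0      0 127.0.0.1:111           127.0.0.1:33044         ESTABLISHED'

# Print one "iptables ... DROP" command per foreign host that holds an
# ESTABLISHED connection to local TCP port $1; loopback peers are skipped.
drop_rules_for_port() {
    port="$1"
    printf '%s\n' "$SAMPLE_NETSTAT" | awk -v p="$port" '
        $1 == "tcp" && $6 == "ESTABLISHED" {
            n = split($4, l, ":"); lport = l[n]     # local port is the last field
            split($5, r, ":"); rip = r[1]           # foreign IPv4 address
            if (lport == p && rip !~ /^127\./)
                printf "iptables -I INPUT -s %s -p tcp --dport %s -j DROP\n", rip, p
        }'
}

# Report whether the listener on port $1 is bound to every interface
# ("all-interfaces", address 0.0.0.0) or only to loopback ("loopback-only").
listener_scope() {
    port="$1"
    printf '%s\n' "$SAMPLE_NETSTAT" | awk -v p="$port" '
        $1 == "tcp" && $6 == "LISTEN" {
            n = split($4, l, ":"); lport = l[n]; addr = l[1]
            if (lport == p)
                print (addr == "0.0.0.0" ? "all-interfaces" : "loopback-only")
        }'
}

drop_rules_for_port 111
listener_scope 111
```

A firewall rule stops further packets but does not by itself change the socket state netstat reports, so the entry can stay ESTABLISHED until the socket is closed or the connection is torn down with a tool like tcpkill. On a live host, replace the constructed sample with the real output of netstat -tn.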