portmap attack
It doesn't appear someone got into my system but I'm a bit concerned by the entries listed below. This is a limited access system and I pretty much have everything blocked except for two external hosts in hosts.allow then deny everything else.

---------------------------------------------------------------------------------------
Dec 11 01:59:25 glyph portmap[27020]: connect from 61.161.139.6 to getport(status): request from unauthorized host
Dec 15 22:14:25 glyph portmap[7868]: connect from 221.116.253.130 to getport(status): request from unauthorized host
---------------------------------------------------------------------------------------

Is this cause for alarm? Is there a better way to block requests to portmap?

I also didn't like this much:

---------------------------------------------------------------------------------------
Nov 18 06:06:55 glyph portmap[9926]: connect from 220.248.181.22 to dump(): request from unauthorized host
Dec 9 11:48:16 glyph portmap[10990]: connect from 200.56.98.77 to dump(): request from unauthorized host
---------------------------------------------------------------------------------------
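For triaging entries like the ones in the post above, this added example (not part of the original thread) groups refused portmap requests by source address and RPC call. The line layout is inferred from the quoted entries; the `allowed` parameter and the handling of lines that lack the refusal text are assumptions.

```python
import re
from collections import defaultdict

# The four syslog lines quoted in the post above, embedded so this runs offline.
SAMPLE_LOG = """\
Dec 11 01:59:25 glyph portmap[27020]: connect from 61.161.139.6 to getport(status): request from unauthorized host
Dec 15 22:14:25 glyph portmap[7868]: connect from 221.116.253.130 to getport(status): request from unauthorized host
Nov 18 06:06:55 glyph portmap[9926]: connect from 220.248.181.22 to dump(): request from unauthorized host
Dec 9 11:48:16 glyph portmap[10990]: connect from 200.56.98.77 to dump(): request from unauthorized host
"""

# Assumed layout, inferred only from the entries in the post:
#   <timestamp> <host> portmap[<pid>]: connect from <src> to <proc>(<arg>): <reason>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+[\d:]{8})\s+\S+\s+portmap\[\d+\]:\s+"
    r"connect from (?P<src>\S+) to (?P<proc>\w+)\((?P<arg>[^)]*)\)"
    r"(?::\s*(?P<reason>.*))?$"
)

def parse(log_text):
    """Yield a dict for each portmap 'connect from' line; ignore other lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def summarize(log_text, allowed=()):
    """Return (refused, review).

    refused: {source IP: [calls refused as 'unauthorized host']}
    review:  (timestamp, source, call) for lines without the refusal text whose
             source is not in `allowed`. Assumption: such a line means the
             request was not refused, so it deserves a closer look.
    """
    refused, review = defaultdict(list), []
    for e in parse(log_text):
        call = f"{e['proc']}({e['arg']})"
        if "unauthorized host" in (e["reason"] or ""):
            refused[e["src"]].append(call)
        elif e["src"] not in allowed:
            review.append((e["ts"], e["src"], call))
    return dict(refused), review

if __name__ == "__main__":
    refused, review = summarize(SAMPLE_LOG)
    for src, calls in sorted(refused.items()):
        print(f"refused  {src:<16} {', '.join(calls)}")
    for ts, src, call in review:
        print(f"REVIEW   {ts}  {src}  {call}")
```

Pass the addresses listed in hosts.allow as `allowed`; an empty `review` list means every logged request in the input was refused.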
5.2.2. Protect portmap With iptables
To further restrict access to the portmap service, it is a good idea to add iptables rules to the server restricting access to specific networks. Below are two example iptables commands that allow TCP connections to the portmap service (listening on port 111) from the 192.168.0/24 network and from the localhost (which is necessary for the sgi_fam service used by Nautilus). All other packets are dropped.

    # Rules are matched in order, so loopback is accepted before the DROP rule.
    iptables -A INPUT -p tcp -s 127.0.0.1 --dport 111 -j ACCEPT
    iptables -A INPUT -p tcp ! -s 192.168.0.0/24 --dport 111 -j DROP

To similarly limit UDP traffic, use the following command.

    iptables -A INPUT -p udp ! -s 192.168.0.0/24 --dport 111 -j DROP