portmap attack

jbeiter · 12-16-2004, 03:17 PM

It doesn't appear someone got into my system but I'm a bit concerned by the entries listed
below.

This is a limited access system and I pretty much have everything blocked except for two external hosts in hosts.allow then deny everything else.

---------------------------------------------------------------------------------------
Dec 11 01:59:25 glyph portmap[27020]: connect from 61.161.139.6 to getport(status): request from unauthorized host
Dec 15 22:14:25 glyph portmap[7868]: connect from 221.116.253.130 to getport(status): request from unauthorized host
----------------------------------------------------------------------------------------

is this cause for alarm? Is there a better way to block requests to portmap?

I also didn't like this much:
----------------------------------------------------------------------------
Nov 18 06:06:55 glyph portmap[9926]: connect from 220.248.181.22 to dump(): request from unauthorized host
Dec 9 11:48:16 glyph portmap[10990]: connect from 200.56.98.77 to dump(): request from unauthorized host
-----------------------------------------------------------------------------

jbeiter · 12-17-2004, 02:52 PM

5.2.2. Protect portmap With iptables

To further restrict access to the portmap service, it is a good idea to add iptables rules to the server restricting access to specific networks.

Below is are two example iptables commands that allow TCP connections to the portmap service (listening on port 111) from the 192.168.0/24 network and from the localhost (which is necessary for the sgi_fam service used by Nautilus). All other packets are dropped.

iptables -A INPUT -p tcp -s! 192.168.0.0/24 --dport 111 -j DROP
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 111 -j ACCEPT

To similarly limit UDP traffic, use the following command.

iptables -A INPUT -p udp -s! 192.168.0.0/24 --dport 111 -j DROP