
Re: portmap/rpcbind and tcpwrapper

From William Unruh <unruh@invalid.ca>
Newsgroups alt.os.linux.mageia, comp.os.linux.security
Subject Re: portmap/rpcbind and tcpwrapper
Date 2015-10-10 15:58 +0000
Organization A noiseless patient Spider
Message-ID <mvbcjd$s4i$1@dont-email.me>
References <muiog2$qbj$1@dont-email.me> <5619135e$0$23831$e4fe514c@news.xs4all.nl>

Cross-posted to 2 groups.


On 2015-10-10, Rob van der Putten <rob@sput.nl> wrote:
> Hi there
>
>
> William Unruh wrote:
>
>> portmap/rpcbind is supposed to be controllable by tcpwrapper. I have a line
>> rpcbind portmap: ALL:deny
>
> Try;
> portmap: ALL: deny

Nope. rpcbind has tcpwrappers disabled by default, and Mageia (and I
suspect many other distros) just accepts the default.

>
>> in /etc/hosts.allow after a line
>> rpcbind portmap: 192.168.0.0/24 : allow
>
> Try;
> portmap: 192.168.0.0/24 : allow

??? tcpwrappers accepts the a b c d: addr1 addr2 :
form in /etc/hosts.allow.

>
>> But then I can still run rpcinfo on a machine from outside that network
>> and get responses.
>> Does rpcbind respect tcpwrapper or not?
>
> Yes.

No it does not. I looked at the source, and in configure is
  --enable-libwrap        Enables host name checking through tcpd [default=no]

  Note the default. This is something that has happened secretly in the
  past two years. 

  The problem is that my one machine is "known" to have an open rpcinfo,
  and thus it keeps getting hammered by this stupid rpc amplification
  attack, even after I have enabled tcpwrappers (and it works, as the
  logs say). Since the udp packets response is being misdirected, there is
  no way the attacker knows that his amplification is not working, so it
  keeps on going. 10000 attempts per day filling my tcpwrapper logs.



>
>
> Regards,
> Rob
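
A check for the failure mode discussed in this post, where hosts.allow rules name rpcbind but the binary was built without libwrap and ignores them. This is an added example, not part of the original post; the function names and the `--live` switch are assumptions of the example, and because it reads `ldd` output it would not see a statically linked libwrap.

```shell
#!/bin/sh
# Added example: report tcp-wrapper rules that a daemon silently ignores
# because its binary is not linked against libwrap.

# links_libwrap LDD_OUTPUT -> exit 0 if the ldd listing includes libwrap
links_libwrap() {
    printf '%s\n' "$1" | grep -q 'libwrap\.so'
}

# count_rules DAEMON FILE -> number of non-comment rules whose daemon list
# (the text before the first ':') names DAEMON or the ALL wildcard
count_rules() {
    [ -r "$2" ] || { echo 0; return; }
    awk -F: -v d="$1" '
        /^[ \t]*#/ || NF < 2 { next }
        { n = split($1, names, /[ \t,]+/)
          for (i = 1; i <= n; i++)
              if (names[i] == d || names[i] == "ALL") { c++; break } }
        END { print c + 0 }' "$2"
}

# audit DAEMON LDD_OUTPUT FILE... -> prints one verdict:
#   enforced  binary links libwrap, so wrapper rules can take effect
#   ignored   rules exist for the daemon but the binary has no libwrap
#   no-rules  no libwrap and no rules naming the daemon
audit() {
    daemon=$1; ldd_out=$2; shift 2
    total=0
    for f in "$@"; do
        total=$((total + $(count_rules "$daemon" "$f")))
    done
    if links_libwrap "$ldd_out"; then echo enforced
    elif [ "$total" -gt 0 ]; then echo ignored
    else echo no-rules
    fi
}

# Run against the local system only when asked: sh script.sh --live
if [ "${1:-}" = "--live" ]; then
    bin=$(command -v rpcbind) || { echo "rpcbind not installed"; exit 0; }
    audit rpcbind "$(ldd "$bin")" /etc/hosts.allow /etc/hosts.deny
fi
```

A verdict of `ignored` means access control has to come from somewhere other than hosts.allow, or from a build configured with `--enable-libwrap`.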
