linux security - Jan 2000 - portmap messages under /var/log/messages

I am running Redhat 6.1 as a firewall between a cable modem and my home
network.

Occasionally, I see messages such as these under /var/log/messages:
Jan 17 13:38:16 saturn5 portmap[3726]: connect from 24.28.77.200 to dump():
request from unauthorized host
Jan 18 14:00:34 saturn5 portmap[1544]: connect from 204.151.148.146 to
dump(): request from unauthorized host

My assumption is that the service is fulfilling its purpose of rejecting
unauthorized traffic.  However, I'm curious.  Search as I will, I have been
unable to find any information about dump() that apparently is being probed
on random IP addresses.

Can anyone clue me into this?

Thanks to everyone who's responded.  I've been asked to sumarize the
responses that I've received to this inquery.

I should have caught the fact that the message was referring to the portmap
service, which is unnecessary (and a security risk) if the server is not
using the NFS services.  I have since disabled the portmap service on that
server.

Apparently the dump() message is generated whenever a call to rpcinfo -p is
made to that port.

I had a couple of people suggest that this might be an attempt to flood ping
my server.  However, I hope this server is resistant to this type of attack,
since the server is not "pingable", configured via "echo
"1" >
/proc/sys/net/ipv4/icmp_echo_ignore_all".

Thanks to all.
-------------
> I am running Redhat 6.1 as a firewall between a cable modem and my home
> network.
>
> Occasionally, I see messages such as these under /var/log/messages:
> Jan 17 13:38:16 saturn5 portmap[3726]: connect from 24.28.77.200 to
dump():
> request from unauthorized host
> Jan 18 14:00:34 saturn5 portmap[1544]: connect from 204.151.148.146 to
> dump(): request from unauthorized host
>
> My assumption is that the service is fulfilling its purpose of rejecting
> unauthorized traffic.  However, I'm curious.  Search as I will, I have
been
> unable to find any information about dump() that apparently is being
probed
> on random IP addresses.
>
> Can anyone clue me into this?
>

On Fri, Feb 11, 2000 at 07:28:18PM -0500, Mike Starr
wrote:
> I had a couple of people suggest that this might be an attempt to flood
ping
> my server.  However, I hope this server is resistant to this type of
attack,
> since the server is not "pingable", configured via "echo
"1" >
> /proc/sys/net/ipv4/icmp_echo_ignore_all".
Just for your information:

(1)
RFC 792: 	INTERNET CONTROL MESSAGE PROTOCOL
[snip]
   ICMP is actually an integral part of IP, and
   must be implemented by every IP module.
[snip]
      The data received in the echo message must be returned in the echo
      reply message.
[snip]

(2)
RFC 2463: 
               Internet Control Message Protocol (ICMPv6)
               for the Internet Protocol Version 6 (IPv6)
[snip]
   ICMPv6 is an integral part of
   IPv6 and MUST be fully implemented by every IPv6 node.
[snip]
   Every node MUST implement an ICMPv6 Echo responder function that
   receives Echo Requests and sends corresponding Echo Replies.  A node
   SHOULD also implement an application-layer interface for sending Echo
   Requests and receiving Echo Replies, for diagnostic purposes.
[snip]

(3)
RFC 2119:	Key words for use in RFCs to Indicate Requirement Levels
[snip]
1. MUST   This word, or the terms "REQUIRED" or "SHALL",
mean that the
   definition is an absolute requirement of the specification.
[snip]

Have a nice ~STANDARD~ day

-- 
< Martin Mačok        martin.macok@underground.cz          
<iso-8859-2>
  \\  http://kocour.ms.mff.cuni.cz/~macok/  http://underground.cz/  //
    \\\             -=  t.r.u.s.t  n.0  o.n.e  =-                ///