I am running Redhat 6.1 as a firewall between a cable modem and my home network. Occasionally, I see messages such as these under /var/log/messages: Jan 17 13:38:16 saturn5 portmap[3726]: connect from 24.28.77.200 to dump(): request from unauthorized host Jan 18 14:00:34 saturn5 portmap[1544]: connect from 204.151.148.146 to dump(): request from unauthorized host My assumption is that the service is fulfilling its purpose of rejecting unauthorized traffic. However, I'm curious. Search as I will, I have been unable to find any information about dump() that apparently is being probed on random IP addresses. Can anyone clue me into this?
Thanks to everyone who's responded. I've been asked to sumarize the responses that I've received to this inquery. I should have caught the fact that the message was referring to the portmap service, which is unnecessary (and a security risk) if the server is not using the NFS services. I have since disabled the portmap service on that server. Apparently the dump() message is generated whenever a call to rpcinfo -p is made to that port. I had a couple of people suggest that this might be an attempt to flood ping my server. However, I hope this server is resistant to this type of attack, since the server is not "pingable", configured via "echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all". Thanks to all. -------------> I am running Redhat 6.1 as a firewall between a cable modem and my home > network. > > Occasionally, I see messages such as these under /var/log/messages: > Jan 17 13:38:16 saturn5 portmap[3726]: connect from 24.28.77.200 todump():> request from unauthorized host > Jan 18 14:00:34 saturn5 portmap[1544]: connect from 204.151.148.146 to > dump(): request from unauthorized host > > My assumption is that the service is fulfilling its purpose of rejecting > unauthorized traffic. However, I'm curious. Search as I will, I havebeen> unable to find any information about dump() that apparently is beingprobed> on random IP addresses. > > Can anyone clue me into this? >
On Fri, Feb 11, 2000 at 07:28:18PM -0500, Mike Starr wrote:> I had a couple of people suggest that this might be an attempt to flood ping > my server. However, I hope this server is resistant to this type of attack, > since the server is not "pingable", configured via "echo "1" > > /proc/sys/net/ipv4/icmp_echo_ignore_all".Just for your information: (1) RFC 792: INTERNET CONTROL MESSAGE PROTOCOL [snip] ICMP is actually an integral part of IP, and must be implemented by every IP module. [snip] The data received in the echo message must be returned in the echo reply message. [snip] (2) RFC 2463: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) [snip] ICMPv6 is an integral part of IPv6 and MUST be fully implemented by every IPv6 node. [snip] Every node MUST implement an ICMPv6 Echo responder function that receives Echo Requests and sends corresponding Echo Replies. A node SHOULD also implement an application-layer interface for sending Echo Requests and receiving Echo Replies, for diagnostic purposes. [snip] (3) RFC 2119: Key words for use in RFCs to Indicate Requirement Levels [snip] 1. MUST This word, or the terms "REQUIRED" or "SHALL", mean that the definition is an absolute requirement of the specification. [snip] Have a nice ~STANDARD~ day -- < Martin Mačok martin.macok@underground.cz <iso-8859-2> \\ http://kocour.ms.mff.cuni.cz/~macok/ http://underground.cz/ // \\\ -= t.r.u.s.t n.0 o.n.e =- ///
Apparently Analagous Threads
- rh62 suid files
- [Bug 1276] New: "icmpv6 code" test returns wrong data type.
- Is it possible to block ipv6 auto configuration entering the tinc tunnel?
- Re: Is it possible to block ipv6 auto configuration entering the tinc tunnel?
- [Bug 1073] New: inet-service vs icmp conflict