
RPC vulnerable?


kmack

http://www.computerworld.com/securitytopic...1,79015,00.html

 

Older versions of Snort are vulnerable according to this article. I notice RPC is running all the time on my system and wonder if it is a vulnerability? I really don't fully understand if RPC is needed all the time -- the manpage is a bit over my level of knowledge. :oops:

 

Can someone tell me how to secure RPC? Does it have to run in the background all the time? It appears to be port mapping on the local box.

 

I run ML 9.0 behind a 4 port router/cable modem connection with plain ML security settings. No LAN setup at this point though router is used by a laptop for biz email via vpn that I haven't figured out how to do in ML yet. TIA for any ideas/input.


Hi

Got the snort email alert too.

Nothing pressing here since RPC does not run here, it is usually not needed.

If it is not running it cannot be exploited !

Will upgrade soon anyway.

 

Since you don't have a Lan setup yet

you certainly don't need/use NIS, NFS or r services.(might be more rpc uses: don't know)

i.e. you don't need rpc services.

Turn them off (portmap, nfs, nis).

rpcinfo -p (to check)

(you can always turn them back on if needed or if something breaks!?)

 

However if your router device can firewall too

and you need NFS(soon will be openafs for me) on lan(remove r services use ssh instead)

make sure it does not allow outside(web) connections to ports.(/etc/services)

sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP

sunrpc 111/udp portmapper

 

My firewall machine often drops port 111 attempts even though that port is not open !

(They are fishing in an empty ocean)

 

Hope your plain ML security settings include a firewall denying

what you do not want to supply to the www.

 

Some reading:

The Linux System Administrators' Guide

at

http://www.tldp.org/guides.html

Ch. 12 Remote Procedure Call

HIH

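The `rpcinfo -p` check suggested in the reply above, as an added example that is not part of the original posts: a shell script that groups the output by RPC program and reports whether anything besides the portmapper is still registered. The sample output and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data below is constructed.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100004    2   udp    834  ypserv'

# rpc_services: read `rpcinfo -p` output on stdin and print one line per RPC
# program: "<program> <name> <proto/port,...>". Several versions of one
# program on the same port are folded into a single endpoint.
rpc_services() {
    awk '$1 ~ /^[0-9]+$/ {
        prog = $1; ep = $3 "/" $4
        if ((prog, ep) in seen) next
        seen[prog, ep] = 1
        if (prog in eps) eps[prog] = eps[prog] "," ep
        else { order[++n] = prog; eps[prog] = ep
               name[prog] = ($5 == "" ? "unnamed" : $5) }
    }
    END { for (i = 1; i <= n; i++) print order[i], name[order[i]], eps[order[i]] }'
}

# rpc_unneeded: names of everything registered besides the portmapper itself
# (program 100000). With no NFS/NIS in use this list should be empty.
rpc_unneeded() {
    rpc_services | awk '$1 != 100000 { print $2 }'
}

# rpc_verdict: return 0 only when nothing but the portmapper is registered.
rpc_verdict() {
    extra=$(rpc_unneeded | tr '\n' ' ')
    if [ -z "$extra" ]; then
        echo "nothing registered besides the portmapper"
        return 0
    fi
    echo "still registered: $extra"
    return 1
}

# Demo on the constructed sample; on a real box use: rpcinfo -p | rpc_verdict
printf '%s\n' "$SAMPLE_RPCINFO" | rpc_services
```

Run `rpcinfo -p | rpc_verdict` again after turning services off to confirm the registrations are gone.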

Thanks b!! Good info!

 

Yes, I have pretty much shut most services down per normal security procedures, but the portmap seems to still be running and initiates the rpc. I have a hunch it is from the Java plugins I installed for my browser.

 

I almost downloaded Snort and put it on last weekend! Then I saw this alert today and yikes! I am seeing lots of internet sites hit by DOS and think there is some sort of major attack going on again. Too bad.

 

I don't want to leave the door open for someone to use my machine if I can help it. :wink:
