Bugtraq mailing list archives
Re: NFS packet blocking (Was Mouse EXPLOIT info...)
From: jsz () ramon bgu ac il (jsz)
Date: Fri, 20 Jan 1995 14:48:39 +0200 (IST)
Why can't you make mountd on Ultrix 4.X reject mount requests from non-privileged ports? Turning on "nfsportmon" in the kernel doesn't quite do the job properly. Things that make you go hmmm... Install a good portmapper so that remote hosts can't easily find what port mountd is on. A better solution is to make sure that your routers kill all NFS packets from remote nets.
I'd not call it a real solution, although it somewhat prevents all types of attempts to locate what rpc services you run from remote -- but in this case not all the readers of this list can use it -- it depends on the policy of the company (or educational institute), whether they allow usage of third party software, etc.
Any idea what I should block on my router to do this? I have a cisco router if that's any help.
Port 2049 is the NFS port (normally UDP, but the TCP port should be blocked too, as some newer NFS implementations support TCP...); blocking it at your router should (I think) block all NFS attacks.
Sun's NFS implementation always used TCP as well as UDP -- a better idea would be to block portmapper (111 udp/tcp) as well as NFS --- but it depends on how paranoid you wish to be. Blocking tcp/udp 2049 will not prevent *ALL* NFS attacks -- you might still be able to get the fh's through source routed requests to rpc.mountd (which might run on TCP & UDP ports), but it won't give you any access -- you can never retrieve any data, because you can't get a reply sent back to you (you'd need to fake the src address to get a reply, but you won't pass the filters if you want the reply.. UDP doesn't have an IP_OPTIONS, thus doesn't support source routing.) If NFS is filtered at the router, you will be able to send "unlink" requests (using the fh's you have) but it will only cause damage, which is still dangerous enough.
Also, does anybody know of a mailing list or FAQ for cisco setup? I find their manuals cryptic.
If you're using a cisco router, you should have the manuals -- but I believe this discussion might not belong to this list. rgrds, ---
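Added example, not part of the original message: a small Python check that reads Cisco-style extended access-list lines and reports which of the ports named in the thread (111 and 2049, TCP and UDP) a filter would still let through. The ACL number 101, both sample configs, and the restriction to numeric `any any ... eq` rules are assumptions made for illustration.

```python
import re
# Constructed sample configs (not from the post); ACL number 101 is an assumption.
WEAK_CONFIG = """\
no ip source-route
access-list 101 deny udp any any eq 2049
access-list 101 permit ip any any
"""
HARDENED_CONFIG = """\
no ip source-route
access-list 101 deny tcp any any eq 111
access-list 101 deny udp any any eq 111
access-list 101 deny tcp any any eq 2049
access-list 101 deny udp any any eq 2049
access-list 101 permit ip any any
"""

# Portmapper (111) and NFS (2049), both transports, as discussed in the thread.
REQUIRED = [(proto, port) for port in (111, 2049) for proto in ("tcp", "udp")]
RULE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+(ip|tcp|udp)"
    r"\s+any\s+any(?:\s+eq\s+(\d+))?\s*$")

def parse_acl(config, acl):
    """Return (action, proto, dst_port or None) for each rule of one ACL, in order."""
    rules = []
    for line in config.splitlines():
        m = RULE.match(line.strip())
        if m and m.group(1) == acl:
            rules.append((m.group(2), m.group(3), m.group(4) and int(m.group(4))))
    return rules

def verdict(rules, proto, port):
    """First matching rule wins; an ACL ends with an implicit deny."""
    for action, rproto, rport in rules:
        if rproto in ("ip", proto) and rport in (None, port):
            return action
    return "deny"

def audit(config, acl="101"):
    """List what the filter still lets through, plus a missing source-route guard."""
    rules = parse_acl(config, acl)
    gaps = [f"{proto}/{port} is permitted" for proto, port in REQUIRED
            if verdict(rules, proto, port) == "permit"]
    if not re.search(r"^no ip source-route\s*$", config, re.M):
        gaps.append("IP source routing is not disabled")
    return gaps

if __name__ == "__main__":
    print("weak:", audit(WEAK_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
```

A fixed-port check like this cannot cover rpc.mountd, whose port is not fixed, which is the residual exposure the reply describes.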