Bugtraq mailing list archives

Re: NFS packet blocking (Was Mouse EXPLOIT info...)


From: rafi () tavor openu ac il (Rafi Sadowsky)
Date: Thu, 19 Jan 1995 20:08:15 +0200 (IST)


On Wed, 18 Jan 1995, Dave Williss wrote:

In previous message, Christopher Klaus said...

Why can't you make mountd on Ultrix 4.X reject mount requests from 
non-privileged ports? turning on "nfsportmon" in the kernel doesn't
quite do the job properly. Things that make you go hmmm...

Install a good portmapper so that remote hosts can't easily find what port
mountd is on.  A better solution is to make sure that your routers kill
all NFS packets from remote nets.  

Any idea what I should block on my router to do this?  I have a cisco
router if that's any help.
Port 2049 is the NFS port (normally UDP, but the TCP port should be
blocked too as some newer NFS implementations support TCP ...).
Blocking it at your router should (I think) block all NFS attacks.


Also, does anybody know of a mailing list or FAQ for cisco setup.  I find 
their manuals cryptic.
For a cisco the following line in an access list should block incoming NFS
to class B net 147.233:

access-list 1<xx> deny udp 0.0.0.0 255.255.255.255 147.233.0.0 0.0.255.255 eq 2049

(one line - this of course does UDP only & the access list must be 100-199;
of course you would have to allow the connections you do want to allow, as
there is an implicit deny-all-packets at the end of each access list)


while on the *incoming*  port you would have
int eth <n>
access-group 1<xx>

(if you have version 10.X you can also block on the outgoing port - RTFM.. :-)


-- 
David C. Williss                          #include <standard.disclaimer>
Software Engineer -- MicroImages, Inc.                dwilliss () microimages com
WWW: http://tnt.microimages.com/~dwilliss       dwilliss () csealumni unl edu
-- PGP Public Key available via finger from: dwilliss () csealumni unl edu --

-- 
Rafi Sadowsky                                   rafi () tavor openu ac il
[postmaster () openu ac il]                        FAX: +972-3-6460483
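An added example, not part of the thread above: a small Python model of the access-list semantics the reply describes (rules checked in order, wildcard masks where set bits are "don't care", `eq <port>` matching, and the implicit deny at the end of the list), evaluated against constructed packets. It goes one step beyond the posted line by also adding the TCP/2049 entry the reply mentions and an explicit permit, so the effect of the implicit deny is visible. The source addresses 192.0.2.10 and 198.51.100.4 are constructed; the access-list number (1<xx>) plays no part in matching and is omitted.

```python
"""Toy evaluator for Cisco-style extended access lists.

Added example, not code from the original thread: models ordered rules,
wildcard masks, 'eq <port>' and the implicit deny at the end of the list,
so the effect of the suggested line can be checked offline.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                  # "udp", "tcp", "icmp", ...
    src: str                    # source IPv4 address
    dst: str                    # destination IPv4 address
    dport: Optional[int] = None  # destination port; None for non-TCP/UDP


@dataclass(frozen=True)
class Rule:
    action: str     # "permit" or "deny"
    proto: str      # "udp", "tcp" or "ip" ("ip" matches any protocol)
    src: str        # source address
    src_wc: str     # wildcard mask: 0 bits must match, 1 bits are ignored
    dst: str        # destination address
    dst_wc: str     # destination wildcard mask
    eq: Optional[int] = None  # destination port to match; None = any port


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: compare only the bits that are 0 in the mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, rule.src, rule.src_wc):
        return False
    if not wildcard_match(pkt.dst, rule.dst, rule.dst_wc):
        return False
    if rule.eq is not None and pkt.dport != rule.eq:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; no match at all means the implicit deny."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")          # 'any' in address/wildcard form
CLASS_B = ("147.233.0.0", "0.0.255.255")       # the net from the post

# The single line from the post: UDP/2049 into 147.233.0.0/16 from anywhere.
POST_LINE = [Rule("deny", "udp", *ANY, *CLASS_B, eq=2049)]

# Completed list: add TCP/2049 as the reply suggests, then an explicit
# permit so the implicit deny does not drop everything else.
COMPLETE_ACL = [
    Rule("deny", "udp", *ANY, *CLASS_B, eq=2049),
    Rule("deny", "tcp", *ANY, *CLASS_B, eq=2049),
    Rule("permit", "ip", *ANY, *ANY),
]

# Constructed sample packets (source addresses are made up for the example).
NFS_UDP = Packet("udp", "192.0.2.10", "147.233.5.7", 2049)
NFS_TCP = Packet("tcp", "192.0.2.10", "147.233.5.7", 2049)
SMTP_IN = Packet("tcp", "192.0.2.10", "147.233.1.1", 25)
NFS_ELSEWHERE = Packet("udp", "192.0.2.10", "198.51.100.4", 2049)


def demo() -> dict:
    """Verdicts for each packet under the posted line and the completed list."""
    return {
        "post_line_udp_nfs": evaluate(POST_LINE, NFS_UDP),       # deny
        "post_line_tcp_nfs": evaluate(POST_LINE, NFS_TCP),       # deny (implicit)
        "post_line_smtp": evaluate(POST_LINE, SMTP_IN),          # deny (implicit!)
        "complete_udp_nfs": evaluate(COMPLETE_ACL, NFS_UDP),     # deny
        "complete_tcp_nfs": evaluate(COMPLETE_ACL, NFS_TCP),     # deny
        "complete_smtp": evaluate(COMPLETE_ACL, SMTP_IN),        # permit
        "complete_other_net": evaluate(COMPLETE_ACL, NFS_ELSEWHERE),  # permit
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The "post_line_smtp" case is the point of the parenthetical in the reply: with only the deny line in the list, everything else (here, inbound SMTP) is dropped by the implicit deny, so the list needs explicit permits for the traffic that is wanted.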


