Subject: Re: Log message: rpcbind: connect from 216.123.160.11 to dump()
To: Richard Rauch <rauch@eecs.ukans.edu>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: netbsd-help
Date: 08/22/2000 21:11:22

On Sat, Aug 19, 2000 at 06:29:09AM -0500, Richard Rauch wrote:
> I've seen a number of log messages in /var/log/authlog of the form
> ``rpcbind: connect from 216.123.160.11 to dump()''. (I'm running rpcbind
> since I'm currently using NFS. I assume that I only need rpcbind running
> on the NFS server, correct?)
>
> My questions:
>
> * This looks to me like someone is trying to scan my system. I've seen
> these dump() calls come in from a variety of different addresses over
> the past few months. Is it, as I suspect, a likely malicious attempt
> to get information out of my system?
Quite possible, especially if you don't know what this IP addr is.
>
> * What can a remote host generally get from me by this? Suppose that
> I am running a fairly vanilla system, with some read-only exported
> NFS filesystems. Is rpcbind a gaping security hole for a stock NetBSD
> system? (Yes, I understand that rpcbind is disabled by default. Maybe
> I should say ``an almost-stock NetBSD system''. (^&)
I suspect it's the equivalent of what 'rpcinfo -p' would tell you.
>
> * Is there a simple way that I can disable this without impairing NFS?
Not really
> (Or, alternatively, a way that I can blacklist addresses from any
> network contact?)
If you're not behind a filtering router (how come there are still machines not
protected by a filtering router these days? :) you can use ipf on your machine
to restrict access to some services. This is the best solution.
--
Manuel Bouyer <bouyer@antioche.eu.org>
--
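
Added example, not part of either message: a shell/awk sketch that tallies the `rpcbind: connect from ... to dump()` lines discussed above per remote address and prints candidate ipf rules for the rpcbind port (111). The syslog prefix in the sample lines, `TRUSTED_PREFIX`, and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarise rpcbind "connect from" lines per remote address.
# TRUSTED_PREFIX is a hypothetical local network prefix (assumption).
TRUSTED_PREFIX="${TRUSTED_PREFIX:-192.168.1.}"

# Constructed sample input. Only the "rpcbind: connect from A to P()" part
# follows the message quoted in the thread; timestamps, host name and the
# other addresses are made up.
sample_log() {
cat <<'EOF'
Aug 19 06:12:01 myhost rpcbind: connect from 216.123.160.11 to dump()
Aug 19 06:12:03 myhost rpcbind: connect from 192.168.1.20 to getport(mountd)
Aug 19 07:40:10 myhost su: user to root on /dev/ttyp0
Aug 20 01:02:55 myhost rpcbind: connect from 203.0.113.7 to dump()
Aug 20 01:02:56 myhost rpcbind: connect from 216.123.160.11 to dump()
EOF
}

# Read syslog lines on stdin and print "count address procedure" for every
# rpcbind caller outside TRUSTED_PREFIX, busiest first.
rpcbind_callers() {
    awk -v trusted="$TRUSTED_PREFIX" '
        / rpcbind: connect from / {
            for (i = 1; i < NF; i++)
                if ($i == "from") { src = $(i + 1); call = $(i + 3) }
            if (index(src, trusted) == 1) next   # skip local clients
            n[src " " call]++
        }
        END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2
}

# Turn the summary into candidate ipf rules that block each caller from the
# rpcbind port (111). Review the output before adding it to ipf.conf.
ipf_block_rules() {
    rpcbind_callers | awk '!seen[$2]++ {
        print "block in quick proto tcp/udp from " $2 "/32 to any port = 111" }'
}

# Stand-alone run on the constructed sample.
sample_log | rpcbind_callers
sample_log | ipf_block_rules
```

On a real system the input would be `/var/log/authlog` instead of `sample_log`.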