Marcus Meissner:
On Sun, Dec 01, 2013 at 10:03:06AM -0800, jdebert wrote:
Just a preliminary note:
found nfs & rpc exposed on the external interface.
[snip]
What do you see with nmap? What is your configuration of SuSEFirewall2?
And no, it shouldn't allow that.
Ciao, Marcus
Hi,

Here's the output of nmap & the SuSEfirewall2 config. Edited to hide identifying info.

nmap tells me:

Initiating SYN Stealth Scan at 09:25
Scanning $EXTINTERFACE [1000 ports]
Discovered open port 111/tcp on $EXTINTERFACE
Discovered open port 37/tcp on $EXTINTERFACE
Discovered open port 2049/tcp on $EXTINTERFACE
Discovered open port 19/tcp on $EXTINTERFACE
Discovered open port 13/tcp on $EXTINTERFACE
Completed SYN Stealth Scan at 09:25, 0.18s elapsed (1000 total ports)
Initiating UDP Scan at 09:25
Scanning $EXTINTERFACE [1000 ports]
Discovered open port 111/udp on $EXTINTERFACE
Discovered open port 19/udp on $EXTINTERFACE
Discovered open port 13/udp on $EXTINTERFACE
Discovered open port 37/udp on $EXTINTERFACE
Discovered open port 2049/udp on $EXTINTERFACE
Completed UDP Scan at 09:25, 1.24s elapsed (1000 total ports)
Initiating Service scan at 09:25
Scanning 13 services on $EXTINTERFACE
Discovered open port 1023/udp on $EXTINTERFACE
Discovered open|filtered port 1023/udp on $EXTINTERFACE is actually open
Completed Service scan at 09:27, 82.58s elapsed (13 services on 1 host)

(and)

Nmap scan report for $EXTINTERFACE
Host is up (0.00017s latency).
Not shown: 1987 closed ports
PORT     STATE SERVICE VERSION
13/tcp   open  daytime
|_banner: 01 DEC 2013 09:27:31 PST
|_daytime: 01 DEC 2013 09:27:32 PST
19/tcp   open  chargen xinetd chargen
| banner: YZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}!"#$%&'()*+,-./0123456789:
|_;<=>?@ABC\x0D\x0AZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}!"#$%&'()*+,-./...
37/tcp   open  time (32 bits)
|_banner: \xD6E\xF0\x03
111/tcp  open  rpcbind 2-4 (RPC #100000)
| nfs-ls:
|   Arguments:
|     maxfiles: 10 (file listing output limited)
|
|   NFS Export /export/somedir
|_    ERROR: Mount failed: Permission denied.
| nfs-showmount:
|_  /export/somedir nnn.nnn.nnn.nnn, nnn.nnn.nnn.nnn
| rpcinfo:
|   program  version  port/proto  service
|   100000   2,3,4      111/tcp   rpcbind
|   100000   2,3,4      111/udp   rpcbind
|   100003   2,3       2049/tcp   nfs
|   100003   2,3       2049/udp   nfs
|   100005   1,2,3    40638/tcp   mountd
|   100005   1,2,3    42804/udp   mountd
|   100021   1,3,4    44864/tcp   nlockmgr
|   100021   1,3,4    50771/udp   nlockmgr
|   100024   1        47924/tcp   status
|   100024   1        52634/udp   status
|   100227   2,3       2049/tcp   nfs_acl
|_  100227   2,3       2049/udp   nfs_acl
2049/tcp open  nfs 2-3 (RPC #100003)
| rpcinfo:
|   program  version  port/proto  service
|   100000   2,3,4      111/tcp   rpcbind
|   100000   2,3,4      111/udp   rpcbind
|   100003   2,3       2049/tcp   nfs
|   100003   2,3       2049/udp   nfs
|   100005   1,2,3    40638/tcp   mountd
|   100005   1,2,3    42804/udp   mountd
|   100021   1,3,4    44864/tcp   nlockmgr
|   100021   1,3,4    50771/udp   nlockmgr
|   100024   1        47924/tcp   status
|   100024   1        52634/udp   status
|   100227   2,3       2049/tcp   nfs_acl
|_  100227   2,3       2049/udp   nfs_acl
13/udp   open  daytime
|_daytime: 01 DEC 2013 09:27:34 PST
19/udp   open  chargen
37/udp   open  time (32 bits)
111/udp  open  rpcbind 2-4 (RPC #100000)
| nfs-ls:
|   Arguments:
|     maxfiles: 10 (file listing output limited)
|
|   NFS Export /export/somedir
|_    ERROR: Mount failed: Permission denied.
| nfs-showmount:
|_  /export/somedir nnn.nnn.nnn.nnn, nnn.nnn.nnn.nnn
| rpcinfo:
|   program  version  port/proto  service
|   100000   2,3,4      111/tcp   rpcbind
|   100000   2,3,4      111/udp   rpcbind
|   100003   2,3       2049/tcp   nfs
|   100003   2,3       2049/udp   nfs
|   100005   1,2,3    40638/tcp   mountd
|   100005   1,2,3    42804/udp   mountd
|   100021   1,3,4    44864/tcp   nlockmgr
|   100021   1,3,4    50771/udp   nlockmgr
|   100024   1        47924/tcp   status
|   100024   1        52634/udp   status
|   100227   2,3       2049/tcp   nfs_acl
|_  100227   2,3       2049/udp   nfs_acl
123/udp  open|filtered ntp
631/udp  open|filtered ipp
1023/udp open  rpcbind 2-4 (RPC #100000)
| nfs-ls:
|   Arguments:
|     maxfiles: 10 (file listing output limited)
|
|   NFS Export /export/somedir
|_    ERROR: Mount failed: Permission denied.
| nfs-showmount:
|_  /export/somedir nnn.nnn.nnn.nnn, nnn.nnn.nnn.nnn
| rpcinfo:
|   program  version  port/proto  service
|   100000   2,3,4      111/tcp   rpcbind
|   100000   2,3,4      111/udp   rpcbind
|   100003   2,3       2049/tcp   nfs
|   100003   2,3       2049/udp   nfs
|   100005   1,2,3    40638/tcp   mountd
|   100005   1,2,3    42804/udp   mountd
|   100021   1,3,4    44864/tcp   nlockmgr
|   100021   1,3,4    50771/udp   nlockmgr
|   100024   1        47924/tcp   status
|   100024   1        52634/udp   status
|   100227   2,3       2049/tcp   nfs_acl
|_  100227   2,3       2049/udp   nfs_acl
2049/udp open  nfs 2-3 (RPC #100003)
| rpcinfo:
|   program  version  port/proto  service
|   100000   2,3,4      111/tcp   rpcbind
|   100000   2,3,4      111/udp   rpcbind
|   100003   2,3       2049/tcp   nfs
|   100003   2,3       2049/udp   nfs
|   100005   1,2,3    40638/tcp   mountd
|   100005   1,2,3    42804/udp   mountd
|   100021   1,3,4    44864/tcp   nlockmgr
|   100021   1,3,4    50771/udp   nlockmgr
|   100024   1        47924/tcp   status
|   100024   1        52634/udp   status
|   100227   2,3       2049/tcp   nfs_acl
|_  100227   2,3       2049/udp   nfs_acl

zenmap also detailed connections made to each port listed in rpcinfo above in a graphic report I couldn't copy.

(and after stopping nfsserver)

Nmap scan report for $EXTINTERFACE
Host is up (0.00015s latency).
Not shown: 65531 closed ports
PORT    STATE SERVICE VERSION
13/tcp  open  daytime
19/tcp  open  chargen xinetd chargen
37/tcp  open  time (32 bits)
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program  version  port/proto  service
|   100000   2,3,4      111/tcp   rpcbind
|_  100000   2,3,4      111/udp   rpcbind
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
(/etc/sysconfig/SuSEfirewall2, sans comments)

FW_DEV_EXT="modem0 modem1 modem2 modem3"
FW_DEV_INT="eth0 eth1 eth2 eth3"
FW_DEV_DMZ=""
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_MASQ_DEV=""
FW_MASQ_NETS=""
FW_NOMASQ_NETS=""
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_CONFIGURATIONS_EXT=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_CONFIGURATIONS_DMZ=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_CONFIGURATIONS_INT=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_DROP_DMZ=""
FW_SERVICES_DROP_INT=""
FW_SERVICES_REJECT_EXT=""
FW_SERVICES_REJECT_DMZ=""
FW_SERVICES_REJECT_INT=""
FW_SERVICES_ACCEPT_EXT=""
FW_SERVICES_ACCEPT_DMZ=""
FW_SERVICES_ACCEPT_INT="($INTINTERFACE),tcp,time
FW_SERVICES_ACCEPT_RELATED_EXT=""
FW_SERVICES_ACCEPT_RELATED_DMZ=""
FW_SERVICES_ACCEPT_RELATED_INT=""
FW_TRUSTED_NETS=""
FW_FORWARD=""
FW_FORWARD_REJECT=""
FW_FORWARD_DROP=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY=""
FW_STOP_KEEP_ROUTING_STATE=""
FW_ALLOW_PING_FW=""
FW_ALLOW_PING_DMZ=""
FW_ALLOW_PING_EXT=""
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_FW_BROADCAST_EXT="no"
FW_ALLOW_FW_BROADCAST_INT="no"
FW_ALLOW_FW_BROADCAST_DMZ="no"
FW_IGNORE_FW_BROADCAST_EXT="no"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_ALLOW_CLASS_ROUTING=""
FW_CUSTOMRULES=""
FW_REJECT=""
FW_REJECT_INT=""
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING=""
FW_IPSEC_TRUST="no"
FW_ZONES=""
FW_ZONE_DEFAULT=''
FW_USE_IPTABLES_BATCH=""
FW_LOAD_MODULES="nf_conntrack_netbios_ns"
FW_FORWARD_ALWAYS_INOUT_DEV=""
FW_FORWARD_ALLOW_BRIDGING=""
FW_WRITE_STATUS=""
FW_RUNTIME_OVERRIDE=""
FW_LO_NOTRACK=""
FW_BOOT_FULL_INIT=""

-- 
jd
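Added example, not from the thread: a small Python audit that applies SuSEfirewall2's zone rules to an nmap port list and reports which open ports on a given interface the config does not account for, and why (INT zone left unfiltered by FW_PROTECT_FROM_INT="no", or a port missing from FW_SERVICES_EXT_*). The sample config mirrors the posted zone assignments (eth* internal, modem* external, no services opened); the nmap lines are constructed, and treating an interface absent from every FW_DEV_* list as unassigned is an assumption.

```python
import re

# Constructed excerpt in SuSEfirewall2 syntax; zone/service values mirror the posted config.
SAMPLE_CONFIG = """
FW_DEV_EXT="modem0 modem1 modem2 modem3"
FW_DEV_INT="eth0 eth1 eth2 eth3"
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
"""
# Constructed nmap port lines in the style of the posted scan report.
SAMPLE_NMAP = """
13/tcp   open  daytime
19/tcp   open  chargen
111/tcp  open  rpcbind
2049/tcp open  nfs
111/udp  open  rpcbind
2049/udp open  nfs
123/udp  open|filtered ntp
"""

def parse_config(text):
    """Map FW_* keys to their unquoted values (comments and blank lines skipped)."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r'''^\s*(FW_\w+)=["']?([^"'\n]*)''', text, re.M)}

def zone_of(cfg, iface):
    """Zone whose FW_DEV_* list names iface; None if no list does (assumption: unassigned)."""
    for zone in ("EXT", "DMZ", "INT"):
        if iface in cfg.get(f"FW_DEV_{zone}", "").split():
            return zone
    return None

def open_ports(nmap_text):
    """(port, proto) pairs nmap reports as plain 'open' (open|filtered is excluded)."""
    return [(int(m.group(1)), m.group(2))
            for m in re.finditer(r'^(\d+)/(tcp|udp)\s+open\s', nmap_text, re.M)]

def unexplained_exposures(cfg, iface, nmap_text):
    """Open ports on iface that no FW_SERVICES_<ZONE>_<PROTO> entry accounts for."""
    zone = zone_of(cfg, iface)
    findings = []
    for port, proto in open_ports(nmap_text):
        if zone is None:
            findings.append((port, proto, "interface not in any FW_DEV_* list"))
        elif zone == "INT" and cfg.get("FW_PROTECT_FROM_INT") != "yes":
            findings.append((port, proto, "INT zone unfiltered"))
        elif str(port) not in cfg.get(f"FW_SERVICES_{zone}_{proto.upper()}", "").split():
            findings.append((port, proto, f"not in FW_SERVICES_{zone}_{proto.upper()}"))
    return findings
```

Run it against the real /etc/sysconfig/SuSEfirewall2 and a saved nmap report to see, per interface, whether an open port is explained by an explicit service entry or only by the zone the interface landed in.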