mountd and ports (again)

mountd and ports (again)

Post by rick rauenza » Mon, 28 Jan 2002 01:16:39



already posted to comp.os.linux.admin, with no response.
sorry for the gratuitous use of extra bandwidth.

one of our security scanning scripts warned us that  
mountd is running on a non-reserved port (RH 7.1).

from rpcinfo -p:
  program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32768  status
    100021    1   udp  32770  nlockmgr
    100021    3   udp  32770  nlockmgr
    100021    4   udp  32770  nlockmgr
    100011    1   udp    946  rquotad
    100011    2   udp    946  rquotad
    100011    1   tcp    949  rquotad
    100011    2   tcp    949  rquotad
    100005    1   udp  32771  mountd
    100005    1   tcp  32769  mountd
    100005    2   udp  32771  mountd
    100005    2   tcp  32769  mountd
    100005    3   udp  32771  mountd
    100005    3   tcp  32769  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    300598    1   tcp    699

is this an issue to be concerned about?  i thought that
linux used a specific (privileged) port for mountd.

R

 
 
 

mountd and ports (again)

Post by John Sag » Mon, 28 Jan 2002 02:57:03



FWIW, on RHL 7.2 I have this:


   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32768  status
    100011    1   udp    710  rquotad
    100011    2   udp    710  rquotad
    100005    1   udp  32769  mountd
    100005    1   tcp  32769  mountd
    100005    2   udp  32769  mountd
    100005    2   tcp  32769  mountd
    100005    3   udp  32769  mountd
    100005    3   tcp  32769  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp  32770  nlockmgr
    100021    3   udp  32770  nlockmgr
    100021    4   udp  32770  nlockmgr

- John

--
You can never have too many shells

Quote:> already posted to comp.os.linux.admin, with no response. sorry for the
> gratuitous use of extra bandwidth.  one of our security scanning scripts
> warned us that mountd is running on a non-reserved port (RH 7.1).  from
> rpcinfo -p:
>   program vers proto   port
>     100000    2   tcp    111  portmapper
>     100000    2   udp    111  portmapper
>     100024    1   udp  32768  status
>     100024    1   tcp  32768  status
>     100021    1   udp  32770  nlockmgr
>     100021    3   udp  32770  nlockmgr
>     100021    4   udp  32770  nlockmgr
>     100011    1   udp    946  rquotad
>     100011    2   udp    946  rquotad
>     100011    1   tcp    949  rquotad
>     100011    2   tcp    949  rquotad
>     100005    1   udp  32771  mountd
>     100005    1   tcp  32769  mountd
>     100005    2   udp  32771  mountd
>     100005    2   tcp  32769  mountd
>     100005    3   udp  32771  mountd
>     100005    3   tcp  32769  mountd
>     100003    2   udp   2049  nfs
>     100003    3   udp   2049  nfs
>     300598    1   tcp    699
> is this an issue to be concerned about?  i thought that linux used a
> specific (privileged) port for mountd.  R


 
 
 

mountd and ports (again)

Post by lynx » Mon, 28 Jan 2002 03:52:33




Quote:> one of our security scanning scripts warned us that mountd is running on
> a non-reserved port (RH 7.1).

i thought keeping track of what port numbers RPC services run on, to
enable them to run wherever, was one of the things portmapper was *for*.
i could be wrong, i guess, but AFAIK there is no well-known port reserved
for mountd. my /etc/services doesn't list it anywhere.

--
   PGP/GnuPG key (ID 1024D/07A530D6) available from keyservers everywhere
    Key fingerprint = B5A8 62AD 8263 5415 7C3C  9245 50A7 FD59 07A5 30D6
                             "...life goes on
                  long after the thrill of living is gone..."

 
 
 

mountd and ports (again)

Post by craw.. » Tue, 29 Jan 2002 12:33:29





> > one of our security scanning scripts warned us that mountd is running on
> > a non-reserved port (RH 7.1).

> i thought keeping track of what port numbers RPC services run on, to
> enable them to run wherever, was one of the things portmapper was *for*.
> i could be wrong, i guess, but AFAIK there is no well-known port reserved
> for mountd. my /etc/services doesn't list it anywhere.

NFS/mountd/portmap/etc... use a series of ports and protocol to make a
connection. Mountd does not have a fixed port number to use; that is
the function of the portmapper. I posted this a while back to explain
what happens when a nfs connection is made.

client.949   > server.111: tcp 0   S    (Wake up, Neo)
server.111   > client.949: tcp 0   SA   (I'm up)
client.949   > server.111: tcp 0   A    (Good)
client.949   > server.111: tcp 44  PA   (I need a port for mountd)
server.111   > client.949: tcp 0   A    (Ok)
server.111   > client.949: tcp 312 PA   (Here's the port #)
client.949   > server.111: tcp 0   A    (Got it, thanks)
client.949   > server.111: tcp 0   FA   (Good-bye)
server.111   > client.949: tcp 0   FA   (Okay, Good-bye)
client.949   > server.111: tcp 0   A    (Roger that)

client.950   > server.32772: udp 124 (Mount this)
server.32772 > client.950:   udp 56  (Okay, here's some filesystem
info)
client.952   > server.111:   udp 56  (Need a port for nfsd)
server.111   > client.952:   udp 28  (Okay, here's the port #)
client.800   > server.2049:  udp 124 (Need more info about the
filesystem)
server.2049  > client.800:   udp 112 (Here's your info)
client.800   > server.2049:  udp 124 (More stuff?)
server.2049  > client.800:   udp 84  (Okay?)
client.800   > server.2049:  udp 124 (More stuff?)
server.2049  > client.800:   udp 80  (Okay?)

The server/client notes should be obvious as is also < and >. The
numbers that follows are the port numbers. The three numbers that
repeat are 111 (portmapper), 2049 (nfsd), and 800. As per this last
number, your linux system will use 800 if this is the first nfs
connection. The numbers then increment down as additional connections
are made (IIRC, Manfred pointed this out to me).

Note the use of both tcp and udp. S,A,P and F refer to TCP flags (SYN,
ACK, PUSH, and FIN). The other number (listed after tcp and udp)
indicate the length of the packet payload, iirc.

Also note that the client uses a privelege port to establish the
portmap connection.

I know that I have butchered this explaination, but IHTH.

Side note: I've changed to an ISP that does not have cols. Not that I
post a lot of messages but I wonder what my recourse is to keeping up
(and sometimes contributing) with this group? BTW, I'm posting this
via google.

Clyde