tcp wrappers and rpc.statd
Paul Lussier
p.lussier at comcast.net
Wed Aug 2 11:27:00 EDT 2006
klussier at comcast.net writes:
> You wouldn't see anything. statd uses the tcp wrapper library, so it
> is in the code. This is the difference between a daemon that is "tcp
> wrappers enabled" meaning it can make use of tcp wrappers if you tell
> it to, and a daemon that "uses tcp wrappers", meaning that it uses tcp
> wrappers whether you like it or not :-)
So, are you saying that this statement:
This rpc.statd version is protected by the tcp_wrapper library.
means statd is in the latter category, where statd uses tcp_wrappers
regardless?
>> finger stream tcp nowait nobody /usr/sbin/tcpd /usr/sbin/in.fingerd
>>
>> Doing an nmap of the system in question shows statd running when
>> probing the 10.0.20.31 interface.
>
> Define "doing an nmap". Are you using nmap to do a tcp connect scan,
> or just to look for sockets? TCP wrappers only works for connection
> attempts.
My exact command was (as nmapfe shows it):
nmap -sT -sR -sV -I -O -p- -PI -PT 10.0.22.31
Which should translate to:
-sT TCP connect() scan
-sR RPC scan
-sV Version detection
-O Use TCP/IP fingerprinting to guess remote operating system
-p- Scan all ports (I think)
-I, -PI, -PT  I have no idea, there's no mention of these options in either the
              man page or --help and scouring the source didn't reveal
              anything either
So, I'm doing both an rpc scan and a TCP connect scan. I would
expect that to mean it tries to actually connect to the open port...
>> Adding the line to /etc/hosts.allow does nothing.
>
> Try adding to /etc/hosts.deny "statd: ALL" in addition to the
> hosts.allow entry. If you just add an entry in hosts.allow, you are
> explicitly allowing something, but you aren't denying anything.
Tried and got the same behavior, nmap shows:
33661/tcp open status (status V1) 1 (rpc #100024)
And lsof tells me:
# lsof -i tcp:33661
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
rpc.statd 18556 root 5u IPv4 3132405 TCP *:33661 (LISTEN)
And, it appears that I can connect:
$ telnet 10.0.22.31 33661
Trying 10.0.22.31...
Connected to portal-01.permabit.com (10.0.22.31).
Escape character is '^]'.
# lsof -i tcp:33661
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
rpc.statd 18556 root 5u IPv4 3132405 TCP *:33661 (LISTEN)
rpc.statd 18556 root 6u IPv4 8913139 TCP portal-05:33661->ethics-gradient:50924 (ESTABLISHED)
The contents of my /etc/hosts.[allow,deny] are:
/etc/hosts.allow:
statd: 10.123.123.0/255.255.255.0, 10.123.124.0/255.255.255.0
/etc/hosts.deny:
statd: ALL
The IP of ethics-gradient (the machine from which I created the
connection to the port above) is 10.95.8.16/16, which, based on the
allow/deny configuration, should definitely *not* be allowed to
connect.
Hmmmm, at the bottom of man 8 statd, I see this:
AUTHORS
Jeff Uphoff <juphoff at transmeta.com>
Olaf Kirch <okir at monad.swb.de>
H.J. Lu <hjl at gnu.org>
Lon Hohberger <hohberger at missioncriticallinux.com>
Perhaps I ought to poke LonBerger :)
--
Seeya,
Paul
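The hosts.allow / hosts.deny lookup order described in the reply above (a matching allow rule grants, then a matching deny rule refuses, otherwise access is granted), applied to the thread's own rules and client address, as an added example that is not part of the original thread. It is a small POSIX sh re-implementation of that decision, not tcp_wrappers code; the function names are made up, the rule strings are copied from the post, and only the ALL and net/mask patterns are handled (the real check is tcpdmatch(8)).

```shell
#!/bin/sh
# Added example: minimal model of the tcp_wrappers hosts_access decision
# for one daemon and one client IP. Only "ALL" and "net/mask" patterns.

ip2int() {  # dotted quad -> integer
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# pattern_matches PATTERN IP : succeeds if IP matches PATTERN
pattern_matches() {
    pat=$1; ip=$2
    [ "$pat" = "ALL" ] && return 0
    case $pat in
        */*) net=${pat%/*}; mask=${pat#*/} ;;
        *)   return 1 ;;          # other pattern forms not modelled here
    esac
    n=$(ip2int "$net"); m=$(ip2int "$mask"); a=$(ip2int "$ip")
    [ $(( a & m )) -eq $(( n & m )) ]
}

# file_matches DAEMON IP CONTENT : succeeds if a "daemon: list" line matches
file_matches() {
    daemon=$1; ip=$2
    printf '%s\n' "$3" | {
        while IFS=: read -r d list; do
            [ "$(echo "$d" | tr -d ' ')" = "$daemon" ] || continue
            for pat in $(echo "$list" | tr ',' ' '); do
                pattern_matches "$pat" "$ip" && exit 0   # exits the subshell
            done
        done
        exit 1
    }
}

# hosts_access DAEMON IP ALLOW_CONTENT DENY_CONTENT : prints granted/refused
hosts_access() {
    if file_matches "$1" "$2" "$3"; then echo granted
    elif file_matches "$1" "$2" "$4"; then echo refused
    else echo granted; fi            # no rule at all means access is granted
}

# Constructed copies of the rules quoted in the thread
ALLOW='statd: 10.123.123.0/255.255.255.0, 10.123.124.0/255.255.255.0'
DENY='statd: ALL'
hosts_access statd 10.95.8.16   "$ALLOW" "$DENY"   # refused: deny ALL applies
hosts_access statd 10.95.8.16   "$ALLOW" ""        # granted: allow-only config
hosts_access statd 10.123.124.7 "$ALLOW" "$DENY"   # granted: allow rule wins
```

The second call shows the point the reply makes: with only a hosts.allow entry and no hosts.deny line, the 10.95.8.16 client is still granted access.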