Solved

Need to disable rpc.statd

Posted on 2003-03-04
Last Modified: 2013-12-27
I am attempting to stop rpc.statd from running on a Solaris 9 machine. It is currently running on port 32768/tcp. I have commented it out of the /etc/inetd.conf file. I have also shut down rpc services altogether by moving the S71rpc startup script in /etc/rc2.d/ to .NOS71rpc, a move suggested by a hardening guide I used while configuring the machine. Does anyone know where this daemon is being invoked from? Thanks.
Question by:beeman000
18 Comments
 
LVL 3

Expert Comment

by:prasadklk
ID: 8065899
Do you have nfs started on your machine?
 
LVL 3

Expert Comment

by:yokel
ID: 8065910
Have you (after commenting out the inetd.conf file and moving S71rpc) rebooted the server? You will need to (or do a kill -1 against the inetd process and run /etc/rc2.d/.NOS71rpc stop).
 

Expert Comment

by:roy911
ID: 8065992
Hello,

rpc.statd is used on nfs clients. To stop rpc.statd, you need to examine your /etc/dfs/dfstab to remove mount entries and/or run "/etc/init.d/nfs.client stop" as root.

The following excerpt is taken from the CIAC vulnerability information bulletin as related to statd vulnerabilities :

1) Go into single user mode (ensure rpcbind and statd are not running)

2) Create a new user, e.g., "statd" with a separate uid/gid

3) Chown statd /var/statmon/* /var/statmon/*/*

4) Chgrp statd /var/statmon/* /var/statmon/*/*

5) Edit /etc/init.d/nfs.client startup script and change the start of the
   statd from:

     /usr/lib/nfs/statd > /dev/console 2>&1

   to:

     /usr/bin/su - statd -c "/usr/lib/nfs/statd" > /dev/console 2>&1

6) Reboot the system

I do not know if that is something along the lines of what you wish to do as far as system hardening goes.

regards,

Rahul
 
LVL 3

Expert Comment

by:jwelter
ID: 8066020
FYI, on my 8 boxes, rpc is also called in /etc/rc0.d, ~/rc1.d, & ~/rcS.d, as K41rpc.  Maybe NFS or a license server is using it?  -Also, /etc/inittab could have a respawn: that is reinvoking it?

Just some thoughts...

JW
 

Author Comment

by:beeman000
ID: 8074052
I still cannot get port 32768 closed. I have ensured that nfs is not running. I do not have an inetd.conf file, as it has been removed. I am running ssh and ncftpd, so I don't need it. I have ensured that all the startup RPC scripts have been moved, and still no luck. That port remains open....any other suggestions.....
 

Expert Comment

by:roy911
ID: 8074228
Run lsof | grep 32768 and identify what process has the port open. Let me know ...

R
 

Author Comment

by:beeman000
ID: 8080482
Here is the result of the lsof:

smcboot    238   root    3u  IPv4 0x300002661b0       0t0     TCP *:32768 (LISTEN)

lsof_4.66 6577   root  txt   VREG          32,7     32768  393548 /usr/lib/locale/en_US.ISO8859-1/sparcv9/en_US.ISO8859-1.so.2
 

Author Comment

by:beeman000
ID: 8080495
Here it is again. formatted a little better

smcboot    238   root    3u  IPv4 0x300002661b0       0t0     TCP *:32768 (LISTEN)
lsof_4.66 6577   root  txt   VREG          32,7     32768  393548 /usr/lib/locale/en_US.ISO8859-1/sparcv9/en_US.ISO8859-1.so.2
 


Expert Comment

by:roy911
ID: 8081706
Looks like your culprit is the init.wbem script under the /etc/init.d directory.
 
This excerpt is taken from the bigadmin website ...

-----------BEGIN--------------------------
In Solaris Management Console 2.0, it is possible to stumble into a catch-22 situation where init.wbem stop indicates the server is not running, yet init.wbem start indicates it already is! One way for this to happen is to run /etc/init.d/init.wbem start when smcboot is running. Other ways would be if the server daemon crashed or was manually killed. Effective with Solaris Management Console 2.1, this situation should occur much less frequently. However, if you find yourself in this situation, implement the following steps:

1. su root
2. kill all instances of the smcboot process (if any are  running)
3. kill all instances of the cimomboot process (if any are running)
4. kill all instances of Solaris Management Console-related JVMs. These will contain either "-Dviper.fifo.path=" or "-Djava.security.policy=" in their command paths.
5. rm -rf /tmp/smc <port> where <port> is usually 898   (Solaris Management Console 2.0)
6. rm -rf /var/run/smc <port> where <port> is usually 898   (Solaris Management Console 2.1)

Then with Solaris Management Console 2.0, invoking /etc/init.d/init.wbem start will successfully start the smcboot process, and the server will be available upon the next connection from the console.
Effective with 2.1, the above steps should not be required if the server becomes unstable for whatever reason. Instead, you should be able to simply run /etc/init.d/init.wbem stop (which will automatically perform the above steps), followed by /etc/init.d/init.wbem start and the server should be back up.

--------------------END------------------------

Since you do not want to bring it back up, you need to examine the /etc/init.d/init.wbem script in detail and see what is being invoked in there. Also, there should be a link in one of the rc*.d directories to this script which would be a start script - that needs to be renamed/deleted along with the corresponding kill script.

Let me know if that worked for you ...


RR
 

Author Comment

by:beeman000
ID: 8082032
Ok...so I went through, and removed/disabled everything in the above posting. I rebooted the machine, confirmed that the smcboot process was no longer running, and then ran an nmap again. Of course...the port was still open. Argh! So I ran lsof again and got the following results:

dtlogin   283   root    7u  IPv4 0x30000cffe38       0t0     TCP *:32768 (LISTEN)
lsof      484   root  txt   VREG          32,7     32768  393548 /usr/lib/locale/en_US.ISO8859-1/sparcv9/en_US.ISO8859-1.so.2

So now it would appear that dtlogin has replaced the smc process. Now I understand I could disable dtlogin, but then I couldn't use CDE right? Any ideas on why this happened or what to do.....

Thanks.
 

Expert Comment

by:roy911
ID: 8082161
See - the problem here is that 32768 is the start of the "higher" ports in Solaris - the port # you mention will be assigned to some random process or the other - that is what is happening in your case. I am sure if you disable CDE, the next time you will see some other service get a hold of that very port number.

regards,

RR
 

Author Comment

by:beeman000
ID: 8082904
So there is no way to really close this port then?
 

Expert Comment

by:roy911
ID: 8083028
Here is your solution, please read ndd manpage before attempting. Also, if other people share this machine with you, speaking to them prior to making the mods will be a good thing. In short what you are doing is cutting down the dynamically assigned ports which are handed out by the kernel.

In Solaris, the available range of TCP/IP ports is 0 to 65535. However,
there are some restrictions that apply:

Ports in the range 0 to 1023 are reserved for privileged (root) services,
such as telnetd, ftpd, and so on.

Ports in the range 1024 to tcp_smallest_anon_port-1 are used for user
services such as NFS server daemon, FONT server, and so on.

This leaves the range 32768 to 65535 available for general TCP/IP connections.
To limit the range of the port numbers allocated for the general use,
the following two ndd(1M) parameters can be used:

tcp_smallest_anon_port:

This determines the smallest TCP port number that may be used for an anonymous
connection. Solaris allocates anonymous ports above 32768. The default value
is 32768.

tcp_largest_anon_port:

This is the largest TCP port number that may be used for anonymous connections.
The default value of this is 65535.

For example, to restrict the port numbers which are assigned in the range
40000 and 60000, do the following:


ndd -set /dev/tcp tcp_smallest_anon_port 40000
ndd -set /dev/tcp tcp_largest_anon_port 60000


This, however, affects only those programs which ask the kernel for a port
but do not specifically bind() to a port. For example, if a connect() is called
without a bind() or with 0 specified as the port for the bind(), the port assigned
would fall between the values specified by the above mentioned ndd parameters.

Note: The ndd parameters set in the above mentioned manner would
reset to default values when the system reboots. To make the changes permanent,
call the above commands through the startup scripts in /etc/rc2.d.

Setting any parameters may affect the entire machine and may involve some
tradeoffs. In general, the defaults set by Solaris are optimal for most
situations. It is easy to break portions of TCP if you set the parameters
incorrectly.
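The ndd procedure above, turned into the startup script it says is needed for the change to survive a reboot. This is an added example, not code from the thread or from Sun; the script name /etc/init.d/anonports and its link /etc/rc2.d/S69anonports are assumptions, and the script refuses a range that would fall outside port space before touching the kernel.

```shell
#!/bin/sh
# Added example, not from the thread: an /etc/init.d style script (assumed name
# anonports, linked as /etc/rc2.d/S69anonports) that re-applies the ndd anonymous
# port range at every boot, with a sanity check before the kernel is touched.
LOW=40000      # becomes tcp_smallest_anon_port
HIGH=60000     # becomes tcp_largest_anon_port

# Return 0 when LOW/HIGH form a usable anonymous range: both numeric, LOW above
# the privileged range, HIGH inside 16-bit port space, and LOW below HIGH.
valid_range() {
    for v in "$1" "$2"; do
        case "$v" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$1" -ge 1024 ] && [ "$2" -le 65535 ] && [ "$1" -lt "$2" ]
}

# Push the range into the kernel with ndd. ndd settings do not survive a reboot,
# which is why this runs from rc2.d rather than once by hand.
apply_range() {
    valid_range "$1" "$2" || { echo "anonports: refusing bad range $1-$2" >&2; return 1; }
    ndd -set /dev/tcp tcp_smallest_anon_port "$1" &&
    ndd -set /dev/tcp tcp_largest_anon_port "$2"
}

# Report the values currently in force.
show_range() {
    echo "tcp_smallest_anon_port=`ndd -get /dev/tcp tcp_smallest_anon_port`"
    echo "tcp_largest_anon_port=`ndd -get /dev/tcp tcp_largest_anon_port`"
}

if [ $# -gt 0 ]; then
    case "$1" in
        start)  apply_range "$LOW" "$HIGH" ;;
        stop)   apply_range 32768 65535 ;;    # Solaris defaults quoted above
        status) show_range ;;
        *)      echo "usage: $0 {start|stop|status}" >&2; exit 1 ;;
    esac
fi
```

Run it as root with start, stop or status; a K-link in rc0.d is optional since the kernel forgets the values at shutdown anyway.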
 

Author Comment

by:beeman000
ID: 8083214
Roy911,
Thanks for all of your help on this matter. It is greatly appreciated. I have just one other question. This machine is sole function is a web server, and ftp server. I have ssh running on it, as well as mysql. I would like nothing more than to have just the ports associated with these entities open and no other ports open. Is that possible? Will there always be some high numbered port that is binding to whatever process may need it? I am slightly confused about the necessity of port 32768 being open. The only port that is showing up other than the priorly mentioned ones is 32768. So it seems to me dtlogin was doing fine having not binded to this port. There were no other ports showing up on nmaps then, and dtlogin was still running. Is it possible to close off the high-end ports and still have a functioning machine?
Thanks again for all of your help on this matter
 

Accepted Solution

by:
roy911 earned 200 total points
ID: 8083908
Glad that I could be of some help to you. If you look at my previous posting, you will see that port 32768 is the first numbered "high" port. The kernel hands out dynamic ports on a need to use basis to applications requesting - in your example it so happened that the kernel handed out that port to dtlogin as it was the first one requesting an anonymous port for communication. What you could do is to quantify what extraneous ports are running on your system by running the netstat utility. Run netstat after rebooting the server after all your processes are up and running to get an idea of which process is using anonymous ports. Then by selectively narrowing your offering of anonymous ports, you could control any open ports (in a way). It is possible to shut down all other ports not in use .... but before doing that you will need to "characterize" your system ...

Running netstat to discover open ports after an interval of time and comparing with a previous run, you will be able to find out whether anonymous ports are in use or not.
Thus, a combination of lsof + netstat will be able to quantify what is going on on your system. If this is a production server, the port filtering should be happening at the firewall level in any case.

regards

RR
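One way to do the "characterize your system" step roy911 describes: keep a netstat -an capture from a known-good boot and diff later captures against it, so a listener such as *.32768 can be tied to whatever appeared since. This is an added example, not part of the thread; the two captures embedded in it are constructed sample output in Solaris netstat format, and the /var/tmp file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: characterize a Solaris box by diffing two
# `netstat -an` captures and listing TCP listeners that were not in the baseline.
# The captures below are constructed sample output; on the real machine take them with
#   netstat -an > /var/tmp/ports.baseline   (first clean boot, all daemons up)
#   netstat -an > /var/tmp/ports.now        (later, or after the next reboot)
BASE=${TMPDIR:-/tmp}/ports.baseline.$$
NOW=${TMPDIR:-/tmp}/ports.now.$$

cat > "$BASE" <<'EOF'
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.80                 *.*                0      0 49152      0 LISTEN
      *.3306               *.*                0      0 49152      0 LISTEN
10.0.0.5.22          10.0.0.9.51022     49640      0 49640      0 ESTABLISHED
EOF
cat > "$NOW" <<'EOF'
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.21                 *.*                0      0 49152      0 LISTEN
      *.22                 *.*                0      0 49152      0 LISTEN
      *.80                 *.*                0      0 49152      0 LISTEN
      *.3306               *.*                0      0 49152      0 LISTEN
      *.32768              *.*                0      0 49152      0 LISTEN
10.0.0.5.22          10.0.0.9.51022     49640      0 49640      0 ESTABLISHED
EOF

# Ports of every socket in LISTEN state. Solaris prints the local address as
# addr.port (*.32768, 10.0.0.5.22), so the port is the text after the last dot;
# header and separator lines never end in LISTEN and are skipped.
listening_ports() {
    awk '$NF == "LISTEN" { n = split($1, a, "."); print a[n] }' "$1" | sort -nu
}

# Listeners in the second capture that are absent from the first, each once.
new_listeners() {
    awk '$NF != "LISTEN" { next }
         { n = split($1, a, "."); port = a[n] }
         FILENAME == ARGV[1] { base[port] = 1; next }
         !(port in base) && !(port in seen) { seen[port] = 1; print port }' "$1" "$2"
}

cleanup() { rm -f "$BASE" "$NOW"; }

baseline=`listening_ports $BASE | tr '\n' ' '`
added=`new_listeners $BASE $NOW | tr '\n' ' '`
echo "baseline listeners: $baseline"
echo "new since baseline: $added"
```

With the constructed captures the script reports 22 80 3306 as the baseline and 21 32768 as new; call cleanup when done with the sample files, and pair each new port with lsof as in the thread to name the process.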
 
LVL 18

Expert Comment

by:liddler
ID: 10475079
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

Answered by roy911

Please leave any comments here within the next four days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

liddler
EE Cleanup Volunteer