Need to disable rpc.statd

I am attempting to stop rpc.statd from running on a Solaris 9 machine. It is currently running on port 32768/tcp. I have commented it out of the /etc/inetd.conf file. I have also shut down rpc services altogether by moving the S71rpc startup script in /etc/rc2.d/ to .NOS71rpc, a move suggested by a hardening guide I used while configuring the machine. Does anyone know where this deamon is being invoked from? Thanks.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Do you have nfs started on your machine?
Have you (after commenting out the inetd.conf file and moving S71rpc, rebooted the server? You will need to (or do a kill -1 against the inetd process and running /etc/rc2.d/.NOS71rpc stop)

rpc.statd is used on nfs clients. To stop rpc.statd, you need to examine your /etc/dfs/dfstab to remove mount entries and/or run "/etc/init.d/nfs.client stop" as root.

The following excerpt is taken from the CIAC vulnerability information bulletin as related to statd vulnerabilities :

1) Go into single user mode (ensure rpcbind and statd are not running)

2) Create a new user, e.g., "statd" with a separate uid/gid

3) Chown statd /var/statmon/* /var/statmon/*/*

4) Chgrp statd /var/statmon/* /var/statmon/*/*

5) Edit /etc/init.d/nfs.client startup script and change the start of the
   statd from:

     /usr/lib/nfs/statd > /dev/console 2>&1


     /usr/bin/su - statd -c "/usr/lib/nfs/statd" > /dev/console 2>&1

6) Reboot the system

I do not know if that is something along the lines of what you wish to do as far as system hardening goes.


Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

FYI, on my 8 boxes, rpc is also called in /etc/rc0.d, ~/rc1.d, & ~/rcS.d, as K41rpc.  Maybe NFS or a license server is using it?  -Also, /etc/inittab could have a respawn: that is reinvoking it?

Just some thoughts...

beeman000Author Commented:
I still cannot get port 32768 closed. I have ensured that nfs is not running. I don not have an inet.conf file, as it has been removed. I am running ssh, and ncftpd so i dont need it. I have ensured that all the startup RPC scripts have been moved, and still no luck. That port remains open....any other suggestions.....
Run lsof | grep 32768 and identify what process has the port open. Let me know ...

beeman000Author Commented:
Here is the result of the lsof:

smcboot    238   root    3u  IPv4 0x300002661b0       0t0     TCP *:32768 (LISTEN)

<newline>lsof_4.66 6577   root  txt   VREG          32,7     32768  393548 /usr/lib/locale/en_US.ISO8859-1/sparcv9/
beeman000Author Commented:
Here it is again. formatted a little better

smcboot    238   root    3u  IPv4 0x300002661b0       0t0     TCP *:32768 (LISTEN)
lsof_4.66 6577   root  txt   VREG          32,7     32768  393548 /usr/lib/locale/en_US.ISO8859-1/sparcv9/
beeman000Author Commented:
Here it is again. formatted a little better

smcboot    238   root    3u  IPv4 0x300002661b0       0t0     TCP *:32768 (LISTEN)
lsof_4.66 6577   root  txt   VREG          32,7     32768  393548 /usr/lib/locale/en_US.ISO8859-1/sparcv9/
Looks like your culprit is the init.webm script under /etc/init.d directory.
This excerpt is taken from the bigadmin website ...

In Solaris Management Console 2.0, it is possible to stumble into catch-22 situation where init.wbem stop indicates the server is not running, yet init.wbem start indicates it already is! One way for this to happen is to run /etc/init.d/init.wbem start when smcboot is running. Other ways would be if the server daemon crashed or was manually killed.  Effective with Solaris Management Console 2.1, this situation should occur much less frequently.  However, if you find yourself in this situation, implement the following steps:

1. su root
2. kill all instances of the smcboot process (if any are  running)
3. kill all instances of the cimomboot process (if any are running)
4. kill all instances of Solaris Management Console-related JVMs. These will contain either "-Dviper.fifo.path=" or "" in their command paths.
5. rm -rf /tmp/smc <port> where <port> is usually 898   (Solaris Management Console 2.0)
6. rm -rf /var/run/smc <port> where <port> is usually 898   (Solaris Management Console 2.1)

Then with Solaris Management Console 2.0, invoking /etc/init.d/init.wbem start will successfully start the smcboot process, and the server will be available upon the next connection from the console.
Effective with 2.1, the above steps should not be required if the server becomes unstable for whatever reason. Instead, you should be able to simply run /etc/init.d/init.wbem stop (which will automatically perform the above steps), followed by /etc/init.d/init.wbem start and the server should be back up.


Since you do not want to bring it back up, you need to examine the /etc/init.d/init.webm script in detail and see what is being invoked in there. Also, there should be a link in one of the rc*.d directories to this script which would be a start script - that needs to be renamed/deleted along with the corresponding kill script.

Let me know if that worked for you ...

beeman000Author Commented: I went through, and removed/disabled everything in
the above posting. I rebooted the machine, confirmed that smcboot process was no longer running, and then ran an nmap again. Of course...the port was still open. Argh! So i ran lsof again and got the following results:

dtlogin   283   root    7u  IPv4 0x30000cffe38       0t0     TCP *:32768 (LISTEN)
lsof      484   root  txt   VREG          32,7     32768  393548 /usr/lib/locale/en_US.ISO8859-1/sparcv9/

So now it would appear that dtlogin has replaced the smc process. Now I understand I could disable dtlogin, but then I couldn't use CDE right? Any ideas on why this happened or what to do.....

See - the problem here is that 32768 is the start of the "higher" ports in Solaris - the port # you mention will be assigned to some random process or the other - that is what is happening in your case. I am sure if you disable CDE, the next time you will see some other service get a hold of that very port number.


beeman000Author Commented:
So there is no way to really close this port then?
Here is your solution, please read ndd manpage before attempting. Also, if other people share this machine with you, speaking to them prior to making the mods will be a good thing. In short what you are doing is cutting down the dynamically assigned ports which are handed out by the kernel.

In Solaris, the available range of TCP/IP ports is 0 to 65535. However,
there are some restrictions that apply:

Ports in the range 0 to 1023 are reserved for privileged (root) services,
such as telnetd, ftpd, and so on.

Ports in the range 1024 to tcp_smallest_anon_port-1 are used for user
services such as NFS server daemon, FONT server, and so on.

This leaves the range 32768 to 65535 available for general TCP/IP connections.
To limit the range of the port numbers allocated for the general use,
the following two ndd(1M) parameters can be used:


This determines the smallest TCP port number that may be used for an anonymous
connection. Solaris allocates anonymous ports above 32768. The default value
is 32768.


This is the largest TCP port number that may be used for anonymous connections.
The default
value of this is 65535.

For example, to restrict the port numbers which are assigned in the range
40000 and 60000, do the following:

ndd -set /dev/tcp tcp_smallest_anon_port 40000
ndd -set /dev/tcp tcp_largest_anon_port 60000

This, however, affects only those programs which ask the kernel for a port
but not specifically bind() to a port. For example, if a connect() is called
a bind() or with 0 specified as the port for the bind(), the port assigned
would fall between the values specified by the above mentioned ndd parameters.

Note: The ndd parameters set in the above mentioned manner would
reset to default values when the system reboots. To make the changes permanent,
call the above commands through the startup scripts in /etc/rc2.d.

Setting any parameters may affect the entire machine and may involve some
tradeoffs. In general, the defaults set by Solaris are optimal for most
situations. It is easy to break portions of TCP if you set the parameters
beeman000Author Commented:
Thanks for all of your help on this matter. It is greatly appreciated. I have just one other question. This machine is sole function is a web server, and ftp server. I have ssh running on it, as well as mysql. I would like nothing more than to have just the ports associated with these entities open and no other ports open. Is that possible? Will there always be some high numbered port that is binding to whatever process may need it? I am slightly confused about the necessity of port 32768 being open. The only port that is showing up other than the priorly mentioned ones is 32768. So it seems to me dtlogin was doing fine having not binded to this port. There were no other ports showing up on nmaps then, and dtlogin was still running. Is it possible to close off the high-end ports and still have a functioning machine?
Thanks again for all of your help on this matter
Glad that I could be of some help to you. If you look at my previous posting, you will see that port 32768 is the first numbered "high" port. The kernel hands out dynamic ports on a need to use basis to applications requesting - in your example it so happened that the kernel handed out that port to dtlogin as it was the first one requesting an anonymous port for communication. What you could do is to quantify what extraneous ports are running on your system by running the netstat utility. Run netstat after rebooting the server after all your processes are up and running to get an idea of which process is using anonymous ports. Then by selectively narrowing your offering of anonymous ports, you could control any open ports (in a way). It is possible to shut down all other ports not in use .... but before doing that you will need to "characterize" your system ...

Running netstat to discover open ports after an interval of time and comparing with a previous run, you will be able to find out whether anonymous ports are in use or not.
Thus, a combination of lsof + netstat will be able to quantify what is going on on your system. If this is a production server, the port filtering should be happening at the firewall level in any case.



Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

Answered by roy911

Please leave any comments here within the next four days.


EE Cleanup Volunteer
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Unix OS

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.