Omnilabo asked:
localhost to localhost udp port 111 unreachable - I don't use any RPC?!
I have a Linux server which has been running fine for years, but when I did a tcpdump to log a day I noticed something strange:
14:47:09.307333 127.0.0.1.1003 > 127.0.0.1.111: udp 56
14:47:09.307333 127.0.0.1 > 127.0.0.1: icmp: 127.0.0.1 udp port 111 unreachable [tos 0xc0]
The server is used for DNS, web (HTTP) and FTP. Does anyone have any idea what I might have misconfigured, or how I can disable the port 111 requests?
Thanks in advance,
Me
ASKER
Erm, I have no firewall set up on the server. Thank you for pointing that out.
Now, back to what my question really was:
Why does my server try to connect to itself using port 111 ?
Nothing to see in the netstat:
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:81              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0     96 1.2.3.4:22              192.168.1.68:1949       ESTABLISHED
tcp        1      0 1.2.3.4:19526           213.130.130.203:25      TIME_WAIT
tcp        1      0 1.2.3.4:110             80.200.15.86:2199       TIME_WAIT
tcp        1      0 1.2.3.4:110             192.168.1.241:1055      TIME_WAIT
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp        0      0 1.2.3.4:53              0.0.0.0:*
udp        0      0 0.0.0.0:53              0.0.0.0:*
raw        0      0 0.0.0.0:1               0.0.0.0:*
(real IP address changed to 1.2.3.4 for obvious reasons)
111/udp is the portmapper, which is used by NFS and other things that use RPC. The localhost traffic doesn't present a security risk, as the kernel will ensure that the localhost IP (127.0.0.1) can't be abused from outside. This of course presumes that your Linux system is fully up to date with respect to the vendor's security updates.
If you don't use NFS or anything else that needs RPC services you can disable the portmapper. But even if you do you really need all security updates in place and should have a very tight firewall running. The IPtables firewall that I use on RedHat servers can be seen at http://www.entrophy-free.net/tools/iptables-host
ASKER
I tried not loading NFS at startup, but I got one extra error message:
08:36:01.007316 127.0.0.1.957 > 127.0.0.1.111: udp 56
08:36:01.007316 127.0.0.1 > 127.0.0.1: icmp: 127.0.0.1 udp port 111 unreachable [tos 0xc0]
08:36:01.447316 127.0.0.1.1229 > 127.0.0.1.512: udp 34
08:36:01.447316 127.0.0.1 > 127.0.0.1: icmp: 127.0.0.1 udp port 512 unreachable [tos 0xc0]
ASKER CERTIFIED SOLUTION
ASKER
Ahh, thanks. You might ask why I did just the opposite of that; well, I just try to see what it should do. I checked if portmap gets loaded at startup (rc?.d folders). To my amazement it is not loaded in the third 'stage'. So I added it and now the server seems to be happily communicating with itself (why, I don't know).
11:52:13.577334 localhost.1014 > localhost.sunrpc: udp 56
11:52:13.577334 localhost.sunrpc > localhost.1014: udp 28
Maybe with iptables?
iptables -A INPUT -s 0/0 -p udp --sport 111 -j REJECT    # or -j DROP
iptables -A OUTPUT -d 0/0 -p udp --dport 111 -j REJECT   # or -j DROP