> On Mon, 2003-08-04 at 09:22, Mike Vanecek wrote:
> > I am starting to see more packets to port 135 in my log (default reject). They
> > seem to be from all over. The definition of the port is:
> > 
> > #                          Mike Berrow <---none--->
> > epmap           135/tcp    DCE endpoint resolution
> > epmap           135/udp    DCE endpoint resolution
> > 
> > Would someone please tell me the significance of epmap and whether I should
> > have it enabled?
> 
> If you don't know that you need it, and everything is working, YOU DON'T
> NEED IT.  I always tell my clients, "don't be worried about what you CAN
> see... be worried about what you CANNOT see".  In your case, you should
> definitely be blocking 135 at your external interface, and likely, at
> your internal interface (don't want NetBEUI broadcasts being sent
> outbound).
> 
> Port 135 is part of the SMB suite of protocols (135/137/138/139/445)
> that are used for Windows networking.  Even if you ARE using SMB shares
> inside your LAN, you shouldn't be allowing them to pass through your
> firewall.  In my case, I have a distinct rule to drop them and NOT log
> (too much noise).

You are probably seeing attempts to exploit the new Microsoft RPC 
Interface attack. (http://www.cert.org/advisories/CA-2003-19.html)  There 
is no valid reason to allow the SMB ports through your firewall.  If 
you're interested in seeing who's attacking you, you could implement an 
Intrusion Detection System (IDS) like Snort (http://www.snort.org);
otherwise, you should probably just put in the rule that Jason suggested 
above.

Ben


-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list
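
Added example, not part of the original thread: a short Python summary of which sources are hitting the Windows networking ports named above, for reading a firewall reject log without a full IDS. It assumes netfilter LOG-style `SRC=`/`PROTO=`/`DPT=` fields; the sample lines, host name and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Ports the thread names as Windows networking traffic to drop at the firewall.
WINDOWS_PORTS = {135, 137, 138, 139, 445}

# Assumption: netfilter LOG-style key=value fields, as written to syslog.
FIELD_RE = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = """\
Aug  4 09:01:12 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=3412 DPT=135 SYN
Aug  4 09:01:15 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=3412 DPT=135 SYN
Aug  4 09:03:40 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=1188 DPT=135 SYN
Aug  4 09:03:41 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=1189 DPT=445 SYN
Aug  4 09:05:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137 LEN=58
Aug  4 09:06:30 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=4021 DPT=80 SYN
Aug  4 09:07:11 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Aug  4 09:08:00 gw sshd[812]: session opened for user mike
"""

def parse_line(line):
    """Return (src, proto, dport), or None when the line is not a TCP/UDP packet record."""
    fields = dict(FIELD_RE.findall(line))
    try:
        return fields["SRC"], fields["PROTO"], int(fields["DPT"])
    except (KeyError, ValueError):
        return None  # syslog noise, ICMP (no DPT), or a truncated line

def summarize(log_text, ports=WINDOWS_PORTS):
    """Count logged packets to the watched ports per source and per (proto, port)."""
    per_source, per_port = Counter(), Counter()
    ports_by_source = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[2] not in ports:
            continue
        src, proto, dport = parsed
        per_source[src] += 1
        per_port[(proto, dport)] += 1
        ports_by_source[src].add(dport)
    return per_source, per_port, dict(ports_by_source)

if __name__ == "__main__":
    sources, port_hits, seen = summarize(SAMPLE_LOG)
    for src, hits in sources.most_common():
        print(f"{src:15} {hits:3} packets  ports={sorted(seen[src])}")
```

A source that touches both 135 and 445 in the same window is scanning across the Windows ports rather than sending a single stray packet, which is the kind of pattern the per-source port set makes visible.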
