On Mon, 4 Aug 2003 08:53:27 -0500 (CDT), Benjamin J. Weiss wrote

> > On Mon, 2003-08-04 at 09:22, Mike Vanecek wrote:
> > > I am starting to see more packets to port 135 in my log (default reject). They
> > > seem to be from all over. The definition of the port is:
> > >
> > > # Mike Berrow <---none--->
> > > epmap 135/tcp DCE endpoint resolution
> > > epmap 135/udp DCE endpoint resolution
> > >
> > > Would someone please tell me the significance of epmap and whether I should
> > > have it enabled?
> >
> > If you don't know that you need it, and everything is working, YOU DON'T
> > NEED IT. I always tell my clients, "don't be worried about what you CAN
> > see... be worried about what you CANNOT see". In your case, you should
> > definitely be blocking 135 at your external interface, and likely, at
> > your internal interface (don't want NetBEUI broadcasts being sent
> > outbound).
> >
> > Port 135 is part of the SMB suite of protocols (135/137/138/139/445)
> > that are used for Windows networking. Even if you ARE using SMB shares
> > inside your LAN, you shouldn't be allowing them to pass through your
> > firewall. In my case, I have a distinct rule to drop them and NOT log
> > (too much noise).
>
> You are probably seeing attempts to exploit the new Microsoft RPC
> Interface attack. (http://www.cert.org/advisories/CA-2003-19.html)

Thank you for the reference.

> There is no valid reason to allow the SMB ports through your
> firewall. If you're interested in seeing who's attacking you, you
> could implement an Intrusion Detection System (IDS) like Snort
> (http://www.snort.org), otherwise, you should probably just put in
> the rule that Jason suggested above.

Thank you for the reply. I have enabled just those SMB ports needed for the LAN.
All others are blocked. I log all packets not explicitly blocked or accepted.
Hence, I was seeing the 135 info in my iptables log along with their source IP
info. I suspect the iptables log gives me enough information so I probably do
not need something like Snort?

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list
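Two helpers for what the thread describes, added here as an example and not code from any of the posters: one emits the "drop the SMB ports without logging" rules Jason mentions, the other summarises an iptables LOG file by source address for one destination port, which is the information Mike says he gets from his log. It assumes classic iptables and the kernel LOG target's "SRC=... DPT=..." line format; the interface name and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the redhat-list thread. Assumes iptables (not nftables)
# and the kernel LOG target's space-separated KEY=VALUE fields.

SMB_PORTS="135 137 138 139 445"   # ports named in the thread

# Print (do not execute) DROP rules for the SMB ports on interface $1.
# Append these before a catch-all LOG rule so the noise never reaches the log.
# Once reviewed, apply with:  smb_drop_rules eth0 | sh
smb_drop_rules() {
    iface="$1"
    for proto in tcp udp; do
        for p in $SMB_PORTS; do
            printf 'iptables -A INPUT -i %s -p %s --dport %s -j DROP\n' \
                "$iface" "$proto" "$p"
        done
    done
}

# Read iptables LOG lines on stdin, keep those whose DPT equals $1, and print
# "count source" pairs, busiest source first.
port_hits() {
    awk -v want="$1" '
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (dpt == want && src != "") count[src]++
        }
        END { for (s in count) printf "%d %s\n", count[s], s }
    ' | sort -rn
}

# Constructed sample log (addresses from documentation ranges, not real sources).
SAMPLE_LOG='Aug  4 09:22:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=3201 DPT=135 SYN
Aug  4 09:22:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=3202 DPT=135 SYN
Aug  4 09:22:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=1055 DPT=135 SYN
Aug  4 09:22:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=1056 DPT=80 SYN'

# Demo: show who is knocking on 135 in the sample, then the rules for eth0.
printf '%s\n' "$SAMPLE_LOG" | port_hits 135
smb_drop_rules eth0
```

On a real box, feed `port_hits 135` from `grep kernel: /var/log/messages` (or wherever your LOG target lands) instead of the constructed sample.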