Friday, November 15, 2019

who is accessing my nis server?

 
 first, figure out the port the nis daemon (ypserv) is running on:  
   
 # rpcinfo -p|grep ypserv  
   100004  2  udp  951 ypserv  
   100004  1  udp  951 ypserv  
   100004  2  tcp  954 ypserv  
   100004  1  tcp  954 ypserv  
   
 gather up all the clients talking to the daemon:  
   
 # tcpdump -n -n port 951 or port 954  
   
 the output will look like this:  
   
 10:55:35.482333 IP 6.6.6.6.951 > 9.9.9.107.729: UDP, length 28  
 10:55:38.099478 IP 9.9.9.173.1013 > 6.6.6.6.951: UDP, length 64  
 10:55:38.099631 IP 6.6.6.6.951 > 9.9.9.173.1013: UDP, length 28  
 10:55:55.483328 IP 9.9.9.107.730 > 6.6.6.6.951: UDP, length 64  
 10:55:55.483491 IP 6.6.6.6.951 > 9.9.9.107.730: UDP, length 28  
 10:56:15.484442 IP 9.9.9.107.731 > 6.6.6.6.951: UDP, length 64  
 10:56:15.484747 IP 6.6.6.6.951 > 9.9.9.107.731: UDP, length 28  
 10:56:18.443343 IP 9.9.9.173.50256 > 6.6.6.6.951: UDP, length 140  
 10:56:18.443468 IP 6.6.6.6.951 > 9.9.9.173.50256: UDP, length 28  
 10:56:35.485748 IP 9.9.9.107.732 > 6.6.6.6.951: UDP, length 64  
 10:56:35.485920 IP 6.6.6.6.951 > 9.9.9.107.732: UDP, length 28  
   
 the ip address on port 951 or 954 is the nis server (6.6.6.6 here); the address at the other end of each packet is a client.  
   
 in this case, our clients are:  
 9.9.9.107 & 9.9.9.173  
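  
 as an added example (not from the original post), a small sh script that does the two steps above: it pulls the ypserv ports out of `rpcinfo -p` output and then turns tcpdump lines of the form shown above into a list of unique client addresses. the rpcinfo and tcpdump samples inside it are constructed copies of the output above, plus one made-up tcp line on port 954 to show that tcp sessions are picked up too.  

```shell
#!/bin/sh
# added example: find nis clients from rpcinfo + tcpdump output.
# the sample data below is constructed from the post's output, not captured live.

# constructed copy of `rpcinfo -p | grep ypserv`
RPCINFO_SAMPLE='   100004  2  udp  951 ypserv
   100004  1  udp  951 ypserv
   100004  2  tcp  954 ypserv
   100004  1  tcp  954 ypserv'

# constructed tcpdump lines (last one is a made-up tcp syn to port 954)
TCPDUMP_SAMPLE='10:55:35.482333 IP 6.6.6.6.951 > 9.9.9.107.729: UDP, length 28
10:55:38.099478 IP 9.9.9.173.1013 > 6.6.6.6.951: UDP, length 64
10:55:38.099631 IP 6.6.6.6.951 > 9.9.9.173.1013: UDP, length 28
10:56:18.443343 IP 9.9.9.173.50256 > 6.6.6.6.951: UDP, length 140
10:57:01.000000 IP 9.9.9.201.40000 > 6.6.6.6.954: Flags [S], seq 1, win 512, length 0'

# rpcinfo output on stdin -> unique ypserv ports on one line, e.g. "951 954"
ypserv_ports() {
    awk '$5 == "ypserv" { print $4 }' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# tcpdump lines on stdin, server ports as arguments -> unique client ips, one per line.
# a packet whose destination port is a ypserv port is a client request (source = client);
# a packet whose source port is a ypserv port is a server reply (destination = client).
nis_clients() {
    ports="$*"
    awk -v ports="$ports" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) isport[p[i]] = 1 }
        $2 == "IP" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            # tcpdump prints host.port; the port is the text after the last dot
            sp = src; sub(/.*\./, "", sp); sh = src; sub(/\.[^.]*$/, "", sh)
            dp = dst; sub(/.*\./, "", dp); dh = dst; sub(/\.[^.]*$/, "", dh)
            if (dp in isport) print sh
            else if (sp in isport) print dh
        }' | sort -u
}

# run it against the constructed samples
ports=$(printf '%s\n' "$RPCINFO_SAMPLE" | ypserv_ports)
printf '%s\n' "$TCPDUMP_SAMPLE" | nis_clients $ports
```

 on a real box, replace the samples with `rpcinfo -p | ypserv_ports` and `tcpdump -nn -l port 951 or port 954 | nis_clients 951 954`.  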
   
 what to do if you don't have tcpdump? go straight to the source!  
 this nis server is older than dirt. good thing there are some old versions  
 of tcpdump and libpcap that are compatible with the kernel...  
   
 wget http://www.tcpdump.org/release/tcpdump-3.9.5.tar.gz  
 wget http://www.tcpdump.org/release/libpcap-0.9.6.tar.gz  
   
 tar xvfz and away you go.  

1 comment:

ian said...

yes. we can run ypserv -d ; but we don't want to HUP the daemon.