
nmap serviceguard cluster

 
jpcast_real

We have discovered that in ServiceGuard release 11.16, with the nmap tool, the cluster cmclconfd daemons get hung.

Has anyone had this problem before? I knew it from old SG releases but not in 11.16. Is there any patch to solve it?

Is it solved in 11.17?

I have also read in the 11.17:

JAGaf30745 (SR8606370323): nmap on hacl-cfg/udp port causes inetd looping, cmclconfd problem

What was the problem? This message appears in syslog:
inetd[891]: hacl-cfg/udp: Server failing (looping),
service terminated.

What was the resolution? Receive the message even if it is invalid, then discard it.


Here rests one who was not what he wanted and didn't want what he was

Re: nmap serviceguard cluster

Javier,

The resolution was in patch PHSS_34503:

___________________
6. UDP messages were not marked as invalid even if there
were invalid values for length and offset fields in the
message, causing cmclconfd to exit without receiving
the message and/or cmviewcl to spin indefinitely. In
the cmclconfd case the message hence remains in the
inetd socket buffer causing inetd to spawn another
cmclconfd server. This is repeated until it reaches 40
servers in 60 seconds when it terminates the service
and only reinstates the service again after 10 minutes.

Resolution:
Mark the message as invalid if the length and offset
fields in the message contained improper values.

___________________


That patch is now superseded - the recommended patch for 11.16 is PHSS_36466

HTH

Duncan

I am an HPE Employee
Armin Kunaschik
Solution

Re: nmap serviceguard cluster

You should, in addition to the patch installation, add hacl-cfg to /var/inetd.sec like:
hacl-cfg allow cluster_node(s)

Even if there is another port scan/problem, the connection is simply denied.

My 2 cents,
Armin
And now for something completely different...
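
The fix described in the patch text above (receive the datagram first, then mark it invalid and discard it if its length and offset fields are wrong) can be sketched as follows. This is an added example, not code from the thread or from ServiceGuard: the 4-byte header layout and the names HDR_LEN, validate_msg and handle_one are hypothetical, since the real cmclconfd message format is not given here.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Hypothetical header: 2-byte total length + 2-byte payload offset,
   both in network byte order. Not the real cmclconfd layout. */
#define HDR_LEN 4u

enum msg_status { MSG_OK = 0, MSG_INVALID = -1 };

/* Check the length and offset fields against the bytes actually received. */
enum msg_status validate_msg(const uint8_t *buf, size_t got)
{
    uint16_t len, off;
    if (got < HDR_LEN)
        return MSG_INVALID;                 /* too short to hold a header */
    memcpy(&len, buf, 2);
    memcpy(&off, buf + 2, 2);
    len = ntohs(len);
    off = ntohs(off);
    if (len != got)
        return MSG_INVALID;                 /* claimed size must match datagram */
    if (off < HDR_LEN || off > len)
        return MSG_INVALID;                 /* payload must start inside message */
    return MSG_OK;
}

/* Drain one datagram from the socket, then validate it. Reading first
   means a malformed packet is consumed and dropped instead of staying
   queued on the socket inetd is watching, which is what caused the respawns. */
enum msg_status handle_one(int fd, uint8_t *buf, size_t cap, ssize_t *got)
{
    *got = recvfrom(fd, buf, cap, 0, NULL, NULL);
    if (*got < 0)
        return MSG_INVALID;
    return validate_msg(buf, (size_t)*got);
}

int main(void)
{
    /* Constructed sample: length field 0xffff does not match the 6 bytes sent. */
    uint8_t bad[6] = { 0xff, 0xff, 0x00, 0x04, 'h', 'i' }, buf[64];
    int sv[2];
    ssize_t got;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0) return 1;
    if (send(sv[0], bad, sizeof bad, 0) < 0) return 1;
    printf("status=%d\n", handle_one(sv[1], buf, sizeof buf, &got));
    return 0;
}
```
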