Securing Portmap
The portmap service is a dynamic port assignment
daemon for RPC services such as NIS and NFS. It has weak authentication
mechanisms and has the ability to assign a wide range of ports for the
services it controls. For these reasons, it is difficult to secure.
If you are running RPC services, you should follow some basic rules.
Protect portmap With TCP Wrappers
It is important to use TCP wrappers to limit which networks or hosts
have access to the portmap service since it has no
built-in form of authentication.
Further, use only IP addresses when limiting
access to the service. Avoid hostnames, as they can be forged via
DNS poisoning and other methods.
Protect portmap With iptables
To further restrict access to the portmap service,
it is a good idea to add iptables rules to the
server, restricting access to specific networks.
Below is an example of an iptables command that
allows TCP connections to portmap, listening on
port 111, only from the 192.168.0.0/24 network. All other packets
to that port are dropped.
iptables -A INPUT -p tcp ! -s 192.168.0.0/24 --dport 111 -j DROP
To similarly limit UDP traffic, use the following command.
iptables -A INPUT -p udp ! -s 192.168.0.0/24 --dport 111 -j DROP
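The following script is an added example, not part of the original guide, that puts the two measures above together: it validates that the trusted network is given as an IP network rather than a hostname, generates the TCP and UDP iptables rules for port 111, and emits the matching TCP wrappers entries for /etc/hosts.allow and /etc/hosts.deny. It assumes the modern iptables negation syntax (`! -s`), a portmap built against libwrap (so the hosts.allow and hosts.deny entries apply to it), and the classic net/mask form that hosts_access(5) understands; the function names and the `apply` argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): generate, and optionally apply,
# the portmap restrictions described above for one trusted IPv4 network.
# Assumptions: iptables accepts "! -s" for negation, portmap is linked against
# libwrap, and hosts_access(5) is given net/mask pairs (192.168.0.0/255.255.255.0).

PORTMAP_PORT=111

# Accept only a dotted-quad IPv4 network with a /prefix, so a hostname can
# never end up in a rule (the text says to use IP addresses only).
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Emit the iptables rule that drops <proto> traffic to port 111 unless the
# source address is inside the trusted network.
portmap_rule() {
    proto=$1; net=$2
    valid_cidr "$net" || return 1
    echo "iptables -A INPUT -p $proto ! -s $net --dport $PORTMAP_PORT -j DROP"
}

# portmap listens on both TCP and UDP, so both rules are needed.
portmap_rules() {
    portmap_rule tcp "$1" && portmap_rule udp "$1"
}

# Convert a /prefix length to a dotted netmask for the hosts.allow entry.
prefix_to_mask() {
    p=$1; mask=""; i=0
    while [ "$i" -lt 4 ]; do
        if [ "$p" -ge 8 ]; then
            octet=255; p=$((p - 8))
        else
            octet=$(( (255 << (8 - p)) & 255 )); p=0
        fi
        mask="${mask}${mask:+.}$octet"; i=$((i + 1))
    done
    echo "$mask"
}

# Emit the TCP wrappers lines: allow the trusted network, deny everything else.
wrapper_lines() {
    net=$1
    valid_cidr "$net" || return 1
    addr=${net%/*}; prefix=${net#*/}
    echo "hosts.allow: portmap: $addr/$(prefix_to_mask "$prefix")"
    echo "hosts.deny:  portmap: ALL"
}

# Usage: sh secure_portmap.sh 192.168.0.0/24         (print rules and entries)
#        sh secure_portmap.sh 192.168.0.0/24 apply   (also run iptables, as root)
if [ "$#" -ge 1 ]; then
    net=$1
    valid_cidr "$net" || { echo "not an IPv4 network: $net" >&2; exit 2; }
    portmap_rules "$net"
    wrapper_lines "$net"
    if [ "$2" = "apply" ]; then
        portmap_rules "$net" | while read -r cmd; do $cmd; done
    fi
fi
```

Because `-A` appends to the INPUT chain, an earlier rule that accepts port 111 would still match first; after applying, check the ordering with `iptables -L INPUT -n --line-numbers`, and remember that the DROP rules only block unwanted sources, so traffic from the trusted network still needs to be allowed by whatever policy the chain already has.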