Securing Portmap service

The portmap service is a dynamic port assignment daemon for RPC services such as NIS and NFS. It has weak authentication mechanisms and has the ability to assign a wide range of ports for the services it controls. For these reasons, it is difficult to secure.

NFSv4 no longer requires it. If you plan to implement a NFSv2 or NFSv3 server, then portmap is required.

It is important to use TCP wrappers to limit which networks or hosts have access to the portmap service since it has no built-in form of authentication.

Further, use only IP addresses when limiting access to the service. Avoid using hostnames, asthey can be forged via DNS poisoning and other methods.

Below are two example IPTables commands that allow TCP connections to the portmap service (listening on port 111) from the 192.168.0/24 network and from the localhost. All other packets are dropped.

iptables -A INPUT -p tcp -s! 192.168.0.0/24 –dport 111 -j DROP iptables -A INPUT -p tcp -s

To similarly limit UDP traffic, use the following command.

iptables -A INPUT -p udp -s! 192.168.0.0/24 –dport 111 -j DROP

Trackback URI | Comments RSS

Leave a Reply

You must be logged in to post a comment.