Q. How do I secure the portmap service? I am using Debian Linux.

A. According to wikipedia, “Portmap is server software running under Unix-like systems that converts RPC program numbers into DARPA protocol port numbers. Its design objective was to minimize the number of ports in use, but this never happened as it never had wide adoption. It must be running in order to make RPC calls.

When an RPC server is started, it will tell portmap what port number it is listening to, and what RPC program numbers it is prepared to serve. When a client wishes to make an RPC call to a given program number, it will first ontact portmap on the server machine to determine the port number where RPC packets should be sent.

It is extensively used by NIS, NFS, and FAM. It is used to assign a dynamic port to NIS and NFS.

You can protect portmap with:
=> TCP Wrappers

=> Iptables

TCP Wrappers

If you’re going to protect the portmapper use the name “portmap” for the daemon name. Remember that you can only use the keyword “ALL” and IP addresses (NOT host or domain names) for the portmapper, as well as for rpc.mountd (the NFS mount daemon).
Open /etc/hosts.allow file:
# vi /etc/hosts.allow
Sample entires for portmap server to allow access from 192.168.1.0/24 only.
sshd : ALL
portmap : 192.168.1.0/24

Save and close the file.

IPTables portmap rules

Portmap listens on port 111. Add following rules to your iptables:

Drop UPD port 111 packets if they are not from 192.168.1.0/24
iptables -A INPUT -p udp -s! 192.168.1.0/24 --dport 111 -j DROP

Drop TCP port 111 packets if they are not from 192.168.1.0/24 and localhost (127.0.0.1)
iptables -A INPUT -p tcp -s! 192.168.1.0/24 --dport 111 -j DROP
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 111 -j ACCEPT

For more information refer to following man pages:
man iptables
man tcpd
man 5 hosts_access
man portmap


🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 3 comments so far... add one


CategoryList of Unix and Linux commands
Disk space analyzersdf duf ncdu pydf
File Managementcat cp mkdir tree
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Modern utilitiesbat exa
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg glances gtop jobs killall kill pidof pstree pwdx time vtop
Searchingag grep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
3 comments… add one
  • Ronald Nov 19, 2008 @ 13:32

    Hi,

    Thank you for this quick and easy guide. It’s much appreciated!

    Ronald.

  • Rober Aug 5, 2016 @ 11:35

    iptables -A INPUT -p udp -s! 192.168.1.0/24 –dport 111 -j DROP
    returns Bad argument em network address.

  • Denis Aug 22, 2016 @ 13:43

    Actually the syntax is … ! -s … and not … -s! …, the exclamation mark must stand alone in front of the -s option.

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum