Debian Lenny 5.0: Bind RPC port mapper portmap to local loopback

By default on Debian Lenny the portmap service listens on TCP and UDP port 111 on all interfaces. For security reasons it can be reasonable to prevent portmap from opening that port to the network if you do not run services like NFS or NIS that depend on an RPC port mapper like portmap.
One way to disable the open port is to bind the portmap service to the local loopback interface by uncommenting the following line in /etc/default/portmap:

OPTIONS="-i 127.0.0.1"

and restarting the portmap service:

# /etc/init.d/portmap restart

To test if the portmap service listens on the public port you can either use netstat:

# netstat -tulpen | grep portmap
 
# output if portmap is NOT bound to 127.0.0.1
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      0          4166        960/portmap
udp        0      0 0.0.0.0:111             0.0.0.0:*                           0          4162        960/portmap
 
# output if portmap is bound to 127.0.0.1
tcp        0      0 127.0.0.1:111           0.0.0.0:*               LISTEN      0          1822373     19764/portmap
udp        0      0 127.0.0.1:111           0.0.0.0:*                           0          1822372     19764/portmap

or rpcinfo from a remote client:

# rpcinfo -p YOUR_HOST

Of course you could also remove the portmap package (if no installed package depends on it) or use a firewall to reject connections on port 111.
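The netstat check above can be turned into a small audit script. The following is an added example and not part of the original post; it runs over a constructed sample of netstat -tulpen output (modelled on the lines shown above) and flags any portmap socket whose local address is not on the loopback interface.

```shell
#!/bin/sh
# Added example: audit `netstat -tulpen` output for portmap sockets that
# listen on a non-loopback address. Not from the original post.

# Constructed sample output, modelled on the netstat lines in the post.
# The tcp socket is exposed on 0.0.0.0, the udp socket is loopback-only.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      0          4166        960/portmap
udp        0      0 127.0.0.1:111           0.0.0.0:*                           0          1822372     19764/portmap
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          5000        800/sshd'

# exposed_portmap_sockets: read netstat lines on stdin and print
# "<proto> <local address:port>" for every portmap socket that is not
# bound to 127.x.x.x or ::1. Column 4 is the local address, the last
# column is PID/Program name (the udp rows lack the State column, so
# field positions relative to the end are used for the program name).
exposed_portmap_sockets() {
    awk '
        $NF ~ /\/portmap$/ {
            addr = $4
            sub(/:[0-9]+$/, "", addr)        # strip the port, keep the address
            if (addr !~ /^127\./ && addr != "::1") print $1, $4
        }'
}

# check_portmap_binding: takes netstat output as its argument, returns 0
# when no portmap socket is exposed and 1 otherwise.
check_portmap_binding() {
    exposed="$(printf '%s\n' "$1" | exposed_portmap_sockets)"
    if [ -n "$exposed" ]; then
        printf 'portmap listens on a non-loopback address:\n%s\n' "$exposed"
        return 1
    fi
    echo "portmap is bound to loopback only (or not running)"
    return 0
}

# On a live Lenny host replace SAMPLE_NETSTAT with "$(netstat -tulpen 2>/dev/null)".
check_portmap_binding "$SAMPLE_NETSTAT" || :
```

With the constructed sample the script reports the tcp socket on 0.0.0.0:111 and exits non-zero from check_portmap_binding, which makes it usable from cron or a configuration check after the /etc/default/portmap change.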
