Manualshelf

User guide

ManualsBrandsRed Hat ManualsOtherENTERPRISE LINUX 4 - SELINUX GUIDE
51525354555657585960
Chapter 2. Securing Your Network
42
2.2.2. Securing Portmap
The portmap service is a dynamic port assignment daemon for RPC services such as NIS and NFS.
It has weak authentication mechanisms and has the ability to assign a wide range of ports for the
services it controls. For these reasons, it is difficult to secure.
Note
Securing portmap only affects NFSv2 and NFSv3 implementations, since NFSv4 no longer
requires it. If you plan to implement an NFSv2 or NFSv3 server, then portmap is required, and
the following section applies.
If running RPC services, follow these basic rules.
2.2.2.1. Protect portmap With TCP Wrappers
It is important to use TCP Wrappers to limit which networks or hosts have access to the portmap
service since it has no built-in form of authentication.
Further, use only IP addresses when limiting access to the service. Avoid using hostnames, as they
can be forged by DNS poisoning and other methods.
2.2.2.2. Protect portmap With iptables
To further restrict access to the portmap service, it is a good idea to add iptables rules to the server
and restrict access to specific networks.
Below are two example iptables commands. The first allows TCP connections to the port 111 (used by
the portmap service) from the 192.168.0.0/24 network. The second allows TCP connections to the
same port from the localhost. This is necessary for the sgi_fam service used by Nautilus. All other
packets are dropped.
iptables -A INPUT -p tcp ! -s 192.168.0.0/24 --dport 111 -j DROP
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 111 -j ACCEPT
To similarly limit UDP traffic, use the following command.
iptables -A INPUT -p udp ! -s 192.168.0.0/24 --dport 111 -j DROP
Note
Refer to Section 2.5, “Firewalls” for more information about implementing firewalls with iptables
commands.
2.2.3. Securing NIS
The Network Information Service (NIS) is an RPC service, called ypserv, which is used in
conjunction with portmap and other related services to distribute maps of usernames, passwords,
and other sensitive information to any computer claiming to be within its domain.
An NIS server is comprised of several applications. They include the following:
/usr/sbin/rpc.yppasswdd — Also called the yppasswdd service, this daemon allows users to
change their NIS passwords.