Securing Portmap; Protect Portmap With Tcp Wrappers; Protect Portmap With Iptables - Red Hat ENTERPRISE LINUX 4 - SECURITY GUIDE Manual

Hide thumbs Also See for ENTERPRISE LINUX 4 - SECURITY GUIDE:

Manual (410 pages)

System administration manual (400 pages)

Administration manual (200 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

page of 136

/ 136
Contents
Table of Contents
Bookmarks

Table of Contents

Chapter 5. Server Security

• instances = <number_of_connections> — Dictates the total number of connections allowed

to a service. This directive accepts either an integer value or UNLIMITED.

• per_source = <number_of_connections> — Dictates the connections allowed to a service

by each host. This directive accepts either an integer value or UNLIMITED.

• rlimit_as = <number[K|M]> — Dictates the amount of memory address space the service can

occupy in kilobytes or megabytes. This directive accepts either an integer value or UNLIMITED.

• rlimit_cpu = <number_of_seconds> — Dictates the amount of time in seconds that a service

may occupy the CPU. This directive accepts either an integer value or UNLIMITED.

Using these directives can help prevent any one xinetd service from overwhelming the system,

resulting in a denial of service.

5.2. Securing Portmap

The portmap service is a dynamic port assignment daemon for RPC services such as NIS and NFS.

It has weak authentication mechanisms and has the ability to assign a wide range of ports for the

services it controls. For these reasons, it is difficult to secure.

Note

Securing portmap only affects NFSv2 and NFSv3 implementations, since NFSv4 no

longer requires it. If you plan to implement a NFSv2 or NFSv3 server, then portmap is

required, and the following section applies.

If running RPC services, follow these basic rules.

5.2.1. Protect portmap With TCP Wrappers

It is important to use TCP wrappers to limit which networks or hosts have access to the portmap

service since it has no built-in form of authentication.

Further, use only IP addresses when limiting access to the service. Avoid using hostnames, as they

can be forged via DNS poisoning and other methods.

5.2.2. Protect portmap With IPTables

To further restrict access to the portmap service, it is a good idea to add IPTables rules to the server

and restrict access to specific networks.

Below are two example IPTables commands that allow TCP connections to the portmap service

(listening on port 111) from the 192.168.0/24 network and from the localhost (which is necessary for

the sgi_fam service used by Nautilus). All other packets are dropped.

iptables -A INPUT -p tcp -s! 192.168.0.0/24 --dport 111 -j DROP iptables -A INPUT -p tcp -s

127.0.0.1 --dport 111 -j ACCEPT

To similarly limit UDP traffic, use the following command.

Table of Contents

Securing Portmap; Protect Portmap With Tcp Wrappers; Protect Portmap With Iptables - Red Hat ENTERPRISE LINUX 4 - SECURITY GUIDE Manual

5.2. Securing Portmap

5.2.1. Protect portmap With TCP Wrappers

5.2.2. Protect portmap With IPTables

Related Manuals for Red Hat ENTERPRISE LINUX 4 - SECURITY GUIDE

Related Content for Red Hat ENTERPRISE LINUX 4 - SECURITY GUIDE

Table of Contents