Product SiteDocumentation Site

5.13. Securing RPC services

You should disable RPC if you do not need it.
Remote Procedure Call (RPC) is a protocol that programs can use to request services from other programs located on different computers. The portmap service controls RPC services by mapping RPC program numbers into DARPA protocol port numbers; it must be running in order to make RPC calls.
RPC-based services have had a bad record of security holes, although the portmapper itself hasn't (but still provides information to a remote attacker). Notice that some of the DDoS (distributed denial of service) attacks use RPC exploits to get into the system and act as a so called agent/handler.
You only need RPC if you are using an RPC-based service. The most common RPC-based services are NFS (Network File System) and NIS (Network Information System). See the previous section for more information about NIS. The File Alteration Monitor (FAM) provided by the package fam is also an RPC service, and thus depends on portmap.
NFS services are quite important in some networks. If that is the case for you, then you will need to find a balance of security and usability for your network (you can read more about NFS security in the (/usr/share/doc/HOWTO/en-txt/NFS-HOWTO.txt.gz)).

5.13.1. Desactivar los servicios RPC

Inhabilitar el paquete portmap es super sencillo. Hay diferentes mátodos. Uno de los más sencillos en un sistema Debian 3.0 es hacer un desinstalamiento del paquete portmap. Si usted está usando otra versión, tendrá que desactivar el servicio como se ve en disableserv, esto es debido a el programa que forma parte del paquete net-base (el cual no puede ser desinstalado sin que el sistema se haya destruido).
Notice that some desktop environments (notably, GNOME) use RPC services and need the portmapper for some of the file management features. If this is your case, you can limit the access to RPC services as described below.

5.13.2. Limites al acceso de servicios RPC

Unfortunately, in some cases removing RPC services from the system is not an option. Some local desktop services (notably SGI's fam) are RPC based and thus need a local portmapper. This means that under some situations, users installing a desktop environment (like GNOME) will install the portmapper too.
There are several ways to limit access to the portmapper and to RPC services:
  • Block access to the ports used by these services with a local firewall (see Sección 5.14, “Añadir capacidades al cortafuegos”).
  • Block access to these services using tcp wrappers, since the portmapper (and some RPC services) are compiled with libwrap (see Sección 4.12, “Uso de tcpwrappers”). This means that you can block access to them through the hosts.allow and hosts.deny tcp wrappers configuration.
  • Since version 5-5, the portmap package can be configured to listen only on the loopback interface. To do this, modify /etc/default/portmap, uncomment the following line: #OPTIONS="-i" and restart the portmapper. This is sufficient to allow local RPC services to work while at the same time prevents remote systems from accessing them (see, however, Sección 4.18.5, “Disabling weak-end hosts issues”).