5.13. Securing RPC services

You should disable RPC if you do not need it.

Remote Procedure Call (RPC) is a protocol that programs can use to request services from other programs located on different computers. The portmap service controls RPC services by mapping RPC program numbers into DARPA protocol port numbers; it must be running in order to make RPC calls.

RPC-based services have had a bad record of security holes, although the portmapper itself hasn't (but still provides information to a remote attacker). Notice that some of the DDoS (distributed denial of service) attacks use RPC exploits to get into the system and act as a so called agent/handler.

You only need RPC if you are using an RPC-based service. The most common RPC-based services are NFS (Network File System) and NIS (Network Information System). See the previous section for more information about NIS. The File Alteration Monitor (FAM) provided by the package fam is also an RPC service, and thus depends on portmap.

NFS services are quite important in some networks. If that is the case for you, then you will need to find a balance of security and usability for your network (you can read more about NFS security in the http://www.tldp.org/HOWTO/NFS-HOWTO.html (/usr/share/doc/HOWTO/en-txt/NFS-HOWTO.txt.gz)).

5.13.1. RPC サービスを無効にする

portmap を停止することは非常に簡単です。いくつかの方法があります。Debian 3.0 システムで最も簡単なのは portmap パッケージをアンイントールすることです。他のバージョンを使っているなら第 3.5.1 節「デーモンサービスを停止する」にあるようにしてサービスを無効にする必要があるでしょう。これは portmap が net-base パッケージ (システムを壊すことなくこれをアンインストールすることはできません) の一部であるためです。

Notice that some desktop environments (notably, GNOME) use RPC services and need the portmapper for some of the file management features. If this is your case, you can limit the access to RPC services as described below.

5.13.2. Limiting access to RPC services

Unfortunately, in some cases removing RPC services from the system is not an option. Some local desktop services (notably SGI's fam) are RPC based and thus need a local portmapper. This means that under some situations, users installing a desktop environment (like GNOME) will install the portmapper too.

There are several ways to limit access to the portmapper and to RPC services:

Block access to the ports used by these services with a local firewall (see 第 5.14 節「ファイアウォール機能を追加する」).
Block access to these services using tcp wrappers, since the portmapper (and some RPC services) are compiled with libwrap (see 第 4.12 節「tcpwrappers を使う」). This means that you can block access to them through the hosts.allow and hosts.deny tcp wrappers configuration.
Since version 5-5, the portmap package can be configured to listen only on the loopback interface. To do this, modify /etc/default/portmap, uncomment the following line: #OPTIONS="-i 127.0.0.1" and restart the portmapper. This is sufficient to allow local RPC services to work while at the same time prevents remote systems from accessing them (see, however, 第 4.18.5 節「Disabling weak-end hosts issues」).