Portrait of Edd Dumbill, taken by Giles Turnbull

Subscribe to updates

Feed icon Atom or RSS

or get email updates

What I make

expectnation
a conference management web application


XTech Conference
a European web technology conference

Locking down portmap on Debian

Most sensible people are very wary of NFS and its potential for security holes. If you can at all help it, it's a good idea not to run NFS and portmap on a network interface with direct internet connectivity. However, this isn't always convenient.

As I needed to have NFS sharing on a host exposed to the internet, I set about finding the various places I needed to firewall. The tools I typically use to verify I've done the right things are netstat -nap on the machine concerned, to check for listening processes, and nmap from remote hosts to sniff for open ports.

Portmap and its associated programs mostly use 'tcpwrappers' for controlling access. The first step you ought to take in securing portmap is to ensure that your hosts.allow and hosts.deny files are set up to control access properly.

In /etc/hosts.deny, deny access to allcomers:

mountd: ALL
statd: ALL
portmap: ALL
rquotad: ALL

Then in /etc/hosts.allow, let the good guys through (adjust for your network):

mountd: 192.168.0.
statd: 192.168.0.
portmap: 192.168.0.
rquotad: 192.168.0.

On top of this, however, you should firewall off the ports that these programs use. As I found out, this is not as easy as it sounds. Portmap assigns random ports for some of the services it starts.

You can run rpcinfo -p to see the ports in use. An example run on one of my machines looks like this:

program vers proto   port
 100000    2   tcp    111  portmapper
 100000    2   udp    111  portmapper
 100003    2   udp   2049  nfs
 100003    3   udp   2049  nfs
 100003    4   udp   2049  nfs
 100003    2   tcp   2049  nfs
 100003    3   tcp   2049  nfs
 100003    4   tcp   2049  nfs
 100021    1   udp  32770  nlockmgr
 100021    3   udp  32770  nlockmgr
 100021    4   udp  32770  nlockmgr
 100021    1   tcp  32788  nlockmgr
 100021    3   tcp  32788  nlockmgr
 100021    4   tcp  32788  nlockmgr
 100005    1   udp   1005  mountd
 100005    1   tcp   1008  mountd
 100005    2   udp   1005  mountd
 100005    2   tcp   1008  mountd
 100005    3   udp   1005  mountd
 100005    3   tcp   1008  mountd
 100024    1   udp    863  status
 100024    1   tcp    866  status

Of these, nfs and portmapper always use the same ports, 2049 and 111, so ensure you block off these.

What about the rest? Happily, there's a way to configure them to use constant ports so we can reliably firewall them. Life would be too easy if all this configuration was in the one place, so here's how to find the different places you need to change.

  • nlockmgr: you're probably using the kernel NFS server, which means the port needs passing at module load time for the lockd module. Add this line into a new file, /etc/modutils/local-lockd

    options lockd nlm_udpport=32768 nlm_tcpport=32768

    Then run update-modules to recreate your /etc/modules.conf. The next time you boot these ports will be used for nlockmgr. If you've got the lockd statically compiled into your kernel, you'll need to pass these options as lockd.mnlm_udpport and lockd.nlm_tcpport to the kernel on boot.

  • status: this is the port used by statd. There's also an outgoing port, on which statd sends outgoing status requests. You can configure them by altering STATDOPTS in /etc/default/nfs-common, e.g.

    STATDOPTS="--port 699 --outgoing-port 700"
  • mountd: you can control the port used for mountd by editing /etc/default/nfs-kernel-server and altering RPCMOUNDOPTS, e.g.

    RPCMOUNTDOPTS="--port 962"

Finally, if you're running quotas, be sure to do something similar with RPCRQUOTADOPTS in /etc/default/quota.

See also:

Finally, I ought to note that I've written this up in case it helps anybody else. As with everything I write here, I make no warranty about its accuracy. Security is hard and obscure (but that's no reason not make our best efforts!)

blog comments powered by Disqus


You are reading the weblog of Edd Dumbill, writer, programmer, entrepreneur and free software advocate.
Copyright © 2000-2012 Edd Dumbill