Securing RPC

Home » CentOS » Securing RPC
CentOS 3 Comments

Dear Community

I hope you are all doing well.

Recently I have been receiving several complaints from our service provider. Please see the complaint below:

A public-facing device on your network, running on IP address XXX.XXX.XXX.XXX, operates a RPC port mapping service responding on UDP port
111 and participated in a large-scale attack against a customer of ours, generating responses to spoofed requests that claimed to be from the attack target.

Please consider reconfiguring this server in one or more of these ways:

1. Adding a firewall rule to block all access to this host’s UDP port 111
at your network edge (it would continue to be available on TCP port 111 in this case).
2. Adding firewall rules to allow connections to this service (on UDP port
111) from authorized endpoints but block connections from all other hosts.
3. Disabling the port mapping service entirely (if it is not needed).

Unfortunately, I cannot disable NFS which lies at the root of this problem. In addition, I am struggling to find a proper tutorial of moving NFS from udp over to tcp.

May I kindly ask you to point me in a direction or provide me with ideas on how to nail this thing in the ….

Kind Regards Leon

3 thoughts on - Securing RPC

  • Are you really exposing portmapper (RPC) and NFS to public network?


    2016-07-01 9:38 GMT+03:00 Leon Vergottini :

  • You need to setup a firewall (either a separate hardware box or iptables on this server) that allows only those IPs you need to connect to those ports. You should never expose a service like this to the entire Internet.

    ~ Brian Mathis

  • I think the best thing to do is to set up VPN links between your NFS
    server and the clients. This way you never have to expose RPC to the public network at all, and your NFS traffic will be secure against packet sniffers. I’ve used OpenVPN for this exact purpose, but I
    suspect that it’s been causing some problems, so I’m considering trying out tinc vpn.

    You could also do IPsec but IIRC that’s a bit more complex to configure.