5.13. Securing RPC services
You should disable RPC if you do not need it.
Remote Procedure Call (RPC) is a protocol that programs can use to request services from other programs located on different computers. The portmap service controls RPC services by mapping RPC program numbers into DARPA protocol port numbers; it must be running in order to make RPC calls.
RPC-based services have had a bad record of security holes, although the portmapper itself hasn’t (but it still provides information to a remote attacker). Notice that some of the DDoS (distributed denial of service) attacks use RPC exploits to get into the system and act as a so-called agent/handler.
You only need RPC if you are using an RPC-based service. The most common RPC-based services are NFS (Network File System) and NIS (Network Information System). See the previous section for more information about NIS. The File Alteration Monitor (FAM) provided by the package fam is also an RPC service, and thus depends on portmap.
NFS services are quite important in some networks. If that is the case for you, then you will need to find a balance of security and usability for your network (you can read more about NFS security in the NFS-HOWTO, http://www.tldp.org/HOWTO/NFS-HOWTO.html, also installed locally as /usr/share/doc/HOWTO/en-txt/NFS-HOWTO.txt.gz).
5.13.1. Disabling RPC services completely
Disabling portmap is quite simple. There are several different methods. The simplest one in a Debian 3.0 system and later releases is to uninstall the portmap package. If you are running an older Debian version you will have to disable the service as seen in Section 3.5.1, “Disabling daemon services”, because the program is part of the netbase package (which cannot be de-installed without breaking the system).
Notice that some desktop environments (notably, GNOME) use RPC services and need the portmapper for some of the file management features. If this is your case, you can limit the access to RPC services as described below.
5.13.2. Limiting access to RPC services
Unfortunately, in some cases removing RPC services from the system is not an option. Some local desktop services (notably SGI’s fam) are RPC based and thus need a local portmapper. This means that under some situations, users installing a desktop environment (like GNOME) will install the portmapper too.
There are several ways to limit access to the portmapper and to RPC services:

- Block access to the ports used by these services with a local firewall (see Section 5.14, “Adding a firewall”).

- Block access to these services using tcp wrappers, since the portmapper (and some RPC services) are compiled with libwrap (see Section 4.12, “Using tcpwrappers”). This means that you can block access to them through the hosts.allow and hosts.deny tcp wrappers configuration.

- Since version 5-5, the portmap package can be configured to listen only on the loopback interface. To do this, modify /etc/default/portmap and uncomment the following line:

  #OPTIONS="-i 127.0.0.1"

  and restart the portmapper. This is sufficient to allow local RPC services to work while at the same time preventing remote systems from accessing them (see, however, Section 4.18.5, “Disabling weak-end hosts issues”).
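As an added example (not part of the manual or of the portmap package), the following POSIX shell script audits the three controls just described on a Debian system: whether the OPTIONS="-i 127.0.0.1" line in /etc/default/portmap is active, whether tcp wrappers refuse portmap in /etc/hosts.deny without /etc/hosts.allow reopening it, and whether port 111 is still bound to a non-loopback address. It assumes those file paths and that netstat -ltn prints the local address in its fourth column.

```shell
#!/bin/sh
# Audit helper for the portmap controls described in this section.
# Added example, not part of the Securing Debian Manual or the portmap package.
# Assumes the Debian layout the section refers to: /etc/default/portmap,
# /etc/hosts.allow, /etc/hosts.deny, and "netstat -ltn" output (local address in column 4).

# portmap_loopback_only FILE: 0 if FILE has an active (uncommented) OPTIONS
# line binding portmap to 127.0.0.1 with -i, 1 if the line is missing or
# still commented out (the package default).
portmap_loopback_only() {
    grep -Eq '^[[:space:]]*OPTIONS="?[^"#]*-i[[:space:]]+127\.0\.0\.1' "$1"
}

# tcpwrappers_deny_portmap ALLOW DENY: 0 if hosts.deny refuses portmap (or
# ALL) from ALL and hosts.allow does not open portmap to ALL again, 1 otherwise.
# A whitelisted network in hosts.allow (e.g. "portmap: 192.168.1.0/24") still passes.
tcpwrappers_deny_portmap() {
    grep -Eiq '^[[:space:]]*(portmap|ALL)[[:space:]]*:[[:space:]]*ALL([[:space:]]|$)' "$2" || return 1
    ! grep -Eiq '^[[:space:]]*(portmap|ALL)[[:space:]]*:[[:space:]]*ALL([[:space:]]|$)' "$1"
}

# portmap_exposed_listeners: reads "netstat -ltn" output on stdin and prints any
# port 111 socket not bound to loopback; exit 1 if one was found, 0 if none.
portmap_exposed_listeners() {
    awk '$4 ~ /:111$/ && $4 !~ /^(127\.|::1:)/ { print "portmap reachable on " $4; found = 1 }
         END { exit found ? 1 : 0 }'
}

# audit_portmap: run all checks against the live system and report.
audit_portmap() {
    if ! dpkg -s portmap >/dev/null 2>&1; then
        echo "portmap is not installed: RPC is disabled completely"
        return 0
    fi
    if portmap_loopback_only /etc/default/portmap; then
        echo "OK: portmap listens on 127.0.0.1 only"
    else
        echo "WARN: OPTIONS=\"-i 127.0.0.1\" is not active in /etc/default/portmap"
    fi
    if tcpwrappers_deny_portmap /etc/hosts.allow /etc/hosts.deny; then
        echo "OK: tcp wrappers deny portmap by default"
    else
        echo "WARN: hosts.deny does not refuse portmap (or hosts.allow reopens it)"
    fi
    netstat -ltn 2>/dev/null | portmap_exposed_listeners \
        || echo "WARN: port 111 is reachable from the network; check the firewall rules"
}

if [ "${1:-}" = "--audit" ]; then audit_portmap; fi
```

Run it as root with `--audit`; each WARN line maps to one of the three controls above.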