The portmap service is a dynamic port assignment daemon for RPC services such as NIS and NFS. It has weak authentication mechanisms and has the ability to assign a wide range of ports for the services it controls. For these reasons, it is difficult to secure.
If you are running RPC services, you should follow some basic rules.
It is important to use TCP wrappers to limit which networks or hosts have access to the portmap service since it has no built-in form of authentication.
Further, use only IP addresses when limiting access to the service. Avoid these hostnames as they can be more via DNS poisoning and other methods.
To further restrict access to the portmap service, it is a good idea to add iptables rules to the server, restricting access to specific networks.
Below is an example of an iptables command that allows TCP connections to portmap, listening on port 111, from the 192.168.0/24 network exclusively. All other packets are dropped.
iptables -A INPUT -p tcp -s! 192.168.0.0/24 --dport 111 -j DROP |
To similarly limit UDP traffic, use the following command.
iptables -A INPUT -p udp -s! 192.168.0.0/24 --dport 111 -j DROP |