Computer and IT knowledge - things to know

Cloud provider mail - security audit -> issues: Portmapper service is running > how to protect port 111 udp / tcp on a linux system?

Cloud provider mail - security audit -> issues: Portmapper service is running > how to protect port 111 udp / tcp on a linux system?

>> Portmapper servers
Portmapper is a service usually used with NFS. When this is not properly firewalled, it can be abused to conduct DDOS attacks. We recommend that all portmapper services be behind a firewall, and restricted to only IPs that need to contact them.

For Linux machines, please add firewall rules to block port 111 on both UDP and TCP:

iptables -I INPUT 1 -m tcp -p tcp --dport 111 -j DROP
iptables -I INPUT 1 -m udp -p udp --dport 111 -j DROP

-------------------------------------------------------------------

How to enable persistant blocking on Debian 10?
=====================================

To add a firewall rule in Debian 10 that persists after a system reboot, you can use the iptables-persistent package. Here's how to do it:

First, make sure you have the iptables-persistent package installed. If not, you can install it using the following command:
sudo apt-get update
sudo apt-get install iptables-persistent


After installation, you can add your firewall rules using the iptables command as you did in your example:
sudo iptables -I INPUT 1 -m tcp -p tcp --dport 111 -j DROP
sudo iptables -I INPUT 1 -m udp -p udp --dport 111 -j DROP


Once you've added your rules and tested them to make sure they're working as expected, you can save them to be persistent across reboots using the iptables-save command:
sudo iptables-save > /etc/iptables/rules.v4

This command saves the current iptables rules to the specified file (/etc/iptables/rules.v4 in this case).

>> you can check the saved file, if there are the rules that you expected, my files look like:

rules.v4:
-----------
cat /etc/iptables/rules.v4
# Generated by xtables-save v1.8.2 on Mon Mar 4 11:41:03 2024
*filter
:INPUT ACCEPT [423811499:394356840419]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [465873471:475296529519]
-A INPUT -p udp -m udp --dport 111 -j DROP
-A INPUT -p tcp -m tcp --dport 111 -j DROP
COMMIT
# Completed on Mon Mar 4 11:41:03 2024


After saving the rules, you can ensure that they are loaded at boot time by enabling the netfilter-persistent service:
sudo systemctl enable netfilter-persistent


>>> now you can reboot your server and the rules from rules.v4 file should be loaded

computer2know :: thank you for your visit :: have a nice day :: © 2024