Chapter 5. Server Security42• instances = — Dictates the total number of connections allowedto a service. This directive accepts either an integer value or UNLIMITED.• per_source = — Dictates the connections allowed to a serviceby each host. This directive accepts either an integer value or UNLIMITED.• rlimit_as = — Dictates the amount of memory address space the service canoccupy in kilobytes or megabytes. This directive accepts either an integer value or UNLIMITED.• rlimit_cpu = — Dictates the amount of time in seconds that a servicemay occupy the CPU. This directive accepts either an integer value or UNLIMITED.Using these directives can help prevent any one xinetd service from overwhelming the system,resulting in a denial of service.5.2. Securing PortmapThe portmap service is a dynamic port assignment daemon for RPC services such as NIS and NFS.It has weak authentication mechanisms and has the ability to assign a wide range of ports for theservices it controls. For these reasons, it is difficult to secure.NoteSecuring portmap only affects NFSv2 and NFSv3 implementations, since NFSv4 nolonger requires it. If you plan to implement a NFSv2 or NFSv3 server, then portmap isrequired, and the following section applies.If running RPC services, follow these basic rules.5.2.1. Protect portmap With TCP WrappersIt is important to use TCP wrappers to limit which networks or hosts have access to the portmapservice since it has no built-in form of authentication.Further, use only IP addresses when limiting access to the service. Avoid using hostnames, as theycan be forged via DNS poisoning and other methods.5.2.2. Protect portmap With IPTablesTo further restrict access to the portmap service, it is a good idea to add IPTables rules to the serverand restrict access to specific networks.Below are two example IPTables commands that allow TCP connections to the portmap service(listening on port 111) from the 192.168.0/24 network and from the localhost (which is necessary forthe sgi_fam service used by Nautilus). All other packets are dropped.iptables -A INPUT -p tcp -s! 192.168.0.0/24 --dport 111 -j DROP iptables -A INPUT -p tcp -s127.0.0.1 --dport 111 -j ACCEPTTo similarly limit UDP traffic, use the following command.
