I’ve noticed that many people do not realize that port 111 and a few other seemingly random ports are open on fresh Debian installs. They belong to the portmap daemon, which is needed by RPC-based services such as NFS. I barely have any use for NFS, especially on internet-facing hosts.
Here we see TCP ports 111 and 41394 and UDP ports 111, 742 and 48841 open, owned by portmap and rpc.statd. Portmap may be considered secure right now, but it is always best to close unused ports.
    # netstat -nlp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2251/portmap
    tcp        0      0 0.0.0.0:41394           0.0.0.0:*               LISTEN      2262/rpc.statd
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2490/sshd
    tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2757/exim4
    tcp6       0      0 :::80                   :::*                    LISTEN      2818/apache2
    tcp6       0      0 :::22                   :::*                    LISTEN      2490/sshd
    udp        0      0 0.0.0.0:48841           0.0.0.0:*                           2262/rpc.statd
    udp        0      0 0.0.0.0:742             0.0.0.0:*                           2262/rpc.statd
    udp        0      0 0.0.0.0:111             0.0.0.0:*                           2251/portmap
Fortunately it is easy to remove (nfs-common depends on portmap, so it has to be removed as well):
    # aptitude --purge remove portmap nfs-common
    # netstat -nlp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2490/sshd
    tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2757/exim4
    tcp6       0      0 :::80                   :::*                    LISTEN      2818/apache2
    tcp6       0      0 :::22                   :::*                    LISTEN      2490/sshd
    Active UNIX domain sockets (only servers)
    Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
    unix  2      [ ACC ]     STREAM     LISTENING     6113   2454/acpid          /var/run/acpid.socket
Now that’s much cleaner!
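To make the check above repeatable (for example in a post-install audit script), here is an added example that is not part of the original post: it parses `netstat -nlp` output in the format shown above and reports any listening TCP/UDP socket owned by portmap, rpcbind or an rpc.* helper such as rpc.statd. The sample output embedded in the script is constructed to mirror the listing above; the program-name pattern is my own choice.

```shell
#!/bin/sh
# Added example, not from the original post. Flags listening sockets that
# belong to the RPC programs discussed above by parsing `netstat -nlp` output.
# On a real host run:  netstat -nlp | rpc_listeners

# Constructed sample that mirrors the listing shown in the post.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2251/portmap
tcp        0      0 0.0.0.0:41394           0.0.0.0:*               LISTEN      2262/rpc.statd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2490/sshd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           2251/portmap'

# Reads netstat -nlp output on stdin and prints "proto local_address program"
# for each tcp/udp socket whose owner matches the RPC program-name pattern.
# The last column is PID/Program name on both TCP (with State) and UDP
# (State column empty) lines, so $NF is used rather than a fixed column.
rpc_listeners() {
    awk '$1 ~ /^(tcp|tcp6|udp|udp6)$/ {
        prog = $NF
        sub(/^[0-9]+\//, "", prog)      # strip the "PID/" prefix
        if (prog ~ /^(portmap|rpcbind|rpc\..*)$/)
            print $1, $4, prog
    }'
}

# Returns 1 if any RPC listener is present on stdin, 0 if the host is clean.
check_rpc_clean() {
    if [ -n "$(rpc_listeners)" ]; then
        return 1
    fi
    return 0
}

# Demonstration against the constructed sample: prints the three RPC sockets.
printf '%s\n' "$SAMPLE_NETSTAT" | rpc_listeners
```

After the packages are purged, `netstat -nlp | check_rpc_clean` should return 0; wiring it into a post-install check catches the daemon creeping back in as a dependency of some other package.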