Security risk of opening port 111 (rpcbind)?

  • As far as I understood rpcbind is used for listing active services, and telling the requesting client where to send the RPC request. If a host listens on port 111, one can use rpcinfo to get program numbers and ports and services running; For example look at below:

    [email protected]:~# rpcinfo -p x.x.x.x

    program vers proto port

    100001    2   udp    111  portmapper
    100000    3   udp    111  portmapper        
    100005    3   udp   1048  mountd
    100022    1   tcp   1047  nlockmgr    
    100021    4   udp   1047  nlockmgr
    100026    1   tcp   1039  status
    100029    1   udp   1039  status
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs

    What is the security risk of it?

    Where we usually need to open port 111 and when can we close it without any other services fail?

    Do you mean to have it open so that other systems can access port 111? There's a difference between localhost access and remote access.

    I mean open it so other hosts can access it.

  • If you expose this service to the internet, everybody can query this information without having to authenticate. It can be useful to attackers to know what you have running.

    Also, the RPC service has a history of security vulnerabilities. So don't expose it to the world unless you have to.

    What if it is only internally exposed?

    Then the risk is limited to attackers who already have access to the internal network, either because they are internal users, or because they have breached something else.

    Good answer! +1

  • rpcbind can have an amplification factor of anywhere between x5 and x20 depending on the number of RPC services running.

    It should not be exposed publicly or at least only allow whitelisted IP addresses otherwise you may find the server participating in DDoS attacks.

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM