Portmapper (portmap, rpcbind) is an Open Network Computing Remote Procedure Call (ONC RPC) service that maps the RPC program numbers of services such as NIS or NFS to TCP/UDP port numbers. It listens on port 111 and supports the RPC broadcast message mechanism.
An open portmapper service can be used to conduct a DDoS attack. UDP allows the source IP address to be spoofed: using the victim's IP address as the source, attackers send requests to the portmapper, and the server sends all of its responses to the victim's address. A large volume of such "reflected" traffic can take down the victim's server or network.
How to check
To check, you can use the rpcinfo utility, which performs an RPC request and displays registered RPC services. You can check both local and remote hosts.
Localhost check example:
	# rpcinfo
	program version netid     address                service    owner
	100000    4    tcp6      ::.0.111               portmapper superuser
	100000    3    tcp6      ::.0.111               portmapper superuser
	100000    4    udp6      ::.0.111               portmapper superuser
	100000    3    udp6      ::.0.111               portmapper superuser
	100000    4    tcp       0.0.0.0.0.111          portmapper superuser
	100000    3    tcp       0.0.0.0.0.111          portmapper superuser
	100000    2    tcp       0.0.0.0.0.111          portmapper superuser
	100000    4    udp       0.0.0.0.0.111          portmapper superuser
	100000    3    udp       0.0.0.0.0.111          portmapper superuser
	100000    2    udp       0.0.0.0.0.111          portmapper superuser
	100000    4    local     /run/rpcbind.sock      portmapper superuser
	100000    3    local     /run/rpcbind.sock      portmapper superuser

To check a remote host, specify its address after the -p key (or -s for output in abbreviated form); if no address is given, a local RPC call is made. Sample output:
	rpcinfo -p [IP]
	program vers proto   port  service
	100000    4   tcp    111  portmapper
	100000    3   tcp    111  portmapper
	100000    2   tcp    111  portmapper
	100000    4   udp    111  portmapper
	100000    3   udp    111  portmapper
	100000    2   udp    111  portmapper

	rpcinfo -s [IP]
	program version(s) netid(s)                         service     owner
	100000  2,3,4     local,udp,tcp,udp6,tcp6          portmapper  superuser

You can read more about the rpcinfo utility in its man page (man rpcinfo; see also man rpcbind).
Additionally, the local host can be checked with the ss utility (or netstat). See the man pages for a description of the keys. An example is below (the header line is added separately for clarity):
	ss -lptun | grep 111
	Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
	udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*    users:(("rpcbind",pid=593,fd=5),("systemd",pid=1,fd=37))
	udp   UNCONN 0      0               [::]:111          [::]:*    users:(("rpcbind",pid=593,fd=7),("systemd",pid=1,fd=39))
	tcp   LISTEN 0      4096         0.0.0.0:111       0.0.0.0:*    users:(("rpcbind",pid=593,fd=4),("systemd",pid=1,fd=36))
	tcp   LISTEN 0      4096            [::]:111          [::]:*    users:(("rpcbind",pid=593,fd=6),("systemd",pid=1,fd=38))

How to disable
On systemd distributions, you can disable and remove portmapper (rpcbind) from boot as follows:
	systemctl stop rpcbind.service
	Warning: Stopping rpcbind.service, but it can still be activated by:
	  rpcbind.socket

Next, stop the socket:
	systemctl stop rpcbind.socket
	
Remove from startup:
	systemctl disable rpcbind.service
	systemctl disable rpcbind.socket

If your system uses SysV init scripts in /etc/init.d, you can stop the service as follows:
	/etc/init.d/rpcbind stop
You can remove it from startup on Debian-based distributions like this:
	update-rc.d -f rpcbind remove
	
On Red Hat based distributions:
	chkconfig rpcbind off
After disabling the service, the rpcinfo output will look like this:
	rpcinfo
	rpcinfo: can't contact rpcbind: RPC: Remote system error - Connection refused

How to restrict connection to portmapper
If portmapper is required, you can restrict access to it by allowing connections only from certain IPs. This can be done with a packet filter that restricts access to port 111 (the ss output above shows that rpcbind listens on both UDP and TCP, and on IPv6 as well, so each of those needs the same treatment).
Example of a UDP restriction for IPv4:
	iptables -A INPUT -p udp -s 192.168.1.0/24 --dport 111 -j ACCEPT
	iptables -A INPUT -p udp -s 127.0.0.1 --dport 111 -j ACCEPT
	iptables -A INPUT -p udp --dport 111 -j DROP
	
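As an added example (not part of the original page), the following Python script does over UDP what rpcinfo -p does: it builds the portmap PMAPPROC_DUMP call, parses the reply into the same program/version/protocol/port mappings shown in the tables in "How to check", and reports how many bytes of reply a single request produces, which is the "reflected" traffic described at the top; run against your own host it also serves as a before/after check for the filter rules above. The xid value, the 127.0.0.1 target and the embedded sample reply are assumptions/constructed here; the parser runs on the sample without any network access.

```python
import socket
import struct
PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4   # portmap v2 "dump all mappings" procedure

def build_dump_call(xid: int) -> bytes:
    """ONC RPC v2 CALL (RFC 5531) for PMAPPROC_DUMP: xid, CALL, rpcvers, prog, vers, proc, empty AUTH_NONE cred and verf."""
    return struct.pack(">10I", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP, 0, 0, 0, 0)

def parse_dump_reply(data: bytes, xid: int) -> list:
    """Return [(prog, vers, proto, port), ...] from an accepted DUMP reply; raise ValueError otherwise."""
    rxid, mtype, rstat, _vflavor, vlen, astat = struct.unpack_from(">6I", data, 0)
    if rxid != xid or mtype != 1 or rstat != 0 or astat != 0:
        raise ValueError(f"not a successful reply: xid={rxid:#x} type={mtype} stat={rstat}/{astat}")
    off = 24 + ((vlen + 3) & ~3)           # skip the (normally empty) verifier body, XDR-padded to 4 bytes
    mappings = []
    while True:
        (more,) = struct.unpack_from(">I", data, off)   # XDR optional: 1 = an entry follows, 0 = end of list
        off += 4
        if not more:
            return mappings
        mappings.append(struct.unpack_from(">4I", data, off))   # prog, vers, proto (6=tcp, 17=udp), port
        off += 16

def amplification(request: bytes, reply: bytes) -> float:
    """Reply bytes per request byte: how much a spoofed request is amplified toward the victim."""
    return len(reply) / len(request)

def probe(host: str, timeout: float = 2.0):
    """Query host:111 over UDP (as `rpcinfo -p` does) and return (mappings, amplification factor)."""
    xid = 0x2A2A2A2A                       # assumed transaction id; any value works, it is echoed back
    req = build_dump_call(xid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, 111))
        data, _ = s.recvfrom(65535)
    return parse_dump_reply(data, xid), amplification(req, data)

# Constructed (not captured) reply mirroring the page's `rpcinfo -p` table: portmapper v4,3,2 over tcp and udp.
SAMPLE_XID = 0x2A2A2A2A
SAMPLE_REPLY = (struct.pack(">6I", SAMPLE_XID, 1, 0, 0, 0, 0)
                + b"".join(struct.pack(">5I", 1, PMAP_PROG, v, p, 111) for p in (6, 17) for v in (4, 3, 2))
                + struct.pack(">I", 0))

if __name__ == "__main__":
    print(f"sample: {amplification(build_dump_call(SAMPLE_XID), SAMPLE_REPLY):.1f}x amplification for 6 mappings")
    try:                                   # localhost check, like the page's first rpcinfo example
        mappings, factor = probe("127.0.0.1")
        print(f"127.0.0.1: {len(mappings)} mappings, reply is {factor:.1f}x the request size")
    except OSError as e:                   # ICMP port unreachable or timeout: portmapper not reachable over UDP
        print(f"127.0.0.1: portmapper not reachable over UDP ({e})")
```

A host registering NFS, mountd, lockd and similar services returns far more than six entries, so the factor grows with every registered service; after applying the DROP rule a probe from a non-allowed address should time out instead.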