28

As far as I understand, rpcbind is used for listing active services and telling the requesting client where to send the RPC request. If a host listens on port 111, one can use rpcinfo to get the program numbers, ports and services running; for example, look below:

root@bt:~# rpcinfo -p x.x.x.x

program vers proto port

100001    2   udp    111  portmapper
100000    3   udp    111  portmapper
100005    3   udp   1048  mountd
100022    1   tcp   1047  nlockmgr
100021    4   udp   1047  nlockmgr
100026    1   tcp   1039  status
100029    1   udp   1039  status
100003    2   tcp   2049  nfs
100003    3   tcp   2049  nfs

What is the security risk of it?

Where do we usually need to open port 111, and when can we close it without any other services failing?

Goli E
  • 895
  • 1
  • 11
  • 20

2 Answers

22

If you expose this service to the internet, everybody can query this information without having to authenticate. It can be useful to attackers to know what you have running.

Also, the RPC service has a history of security vulnerabilities. So don't expose it to the world unless you have to.

Mark Koek
  • 1,311
  • 1
  • 8
  • 16
3

rpcbind can have an amplification factor of anywhere between x5 and x20 depending on the number of RPC services running.

It should not be exposed publicly, or at least it should only allow whitelisted IP addresses; otherwise you may find the server participating in DDoS attacks.

J.Money
  • 141
  • 2
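Both answers come down to the same control: treat the `rpcinfo -p` listing as what an unauthenticated stranger learns about the host, and let only known clients reach rpcbind and the ports it advertises. The script below is an added example written for this thread, not code from any of the posters. It parses the listing from the question (embedded as a constructed sample), reports the endpoints rpcbind exposes, applies a rule of thumb for the "when can we close it" part (if nothing but the portmapper itself is registered, port 111 has no client to serve; that rule is my assumption, not a statement from the thread), and emits iptables rules that admit those ports only from a whitelisted network. The `10.0.0.0/24` client network is an assumed value.

```python
"""Audit an `rpcinfo -p` listing and derive a whitelist-only firewall policy.

Added example for this thread; it is not code from any of the posters.
The listing below is a constructed copy of the output in the question;
the whitelist CIDR passed to firewall_rules() is an assumption.
"""
import ipaddress
import re
from collections import namedtuple

RpcEntry = namedtuple("RpcEntry", "program version proto port service")

# Constructed sample: the `rpcinfo -p` listing from the question.
SAMPLE_RPCINFO = """\
program vers proto port
100001    2   udp    111  portmapper
100000    3   udp    111  portmapper
100005    3   udp   1048  mountd
100022    1   tcp   1047  nlockmgr
100021    4   udp   1047  nlockmgr
100026    1   tcp   1039  status
100029    1   udp   1039  status
100003    2   tcp   2049  nfs
100003    3   tcp   2049  nfs
"""

# One data row: program number, version, protocol, port, optional service name.
_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s*(\S*)\s*$")


def parse_rpcinfo(text):
    """Return the data rows of an `rpcinfo -p` listing; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            prog, vers, proto, port, svc = m.groups()
            entries.append(RpcEntry(int(prog), int(vers), proto, int(port), svc))
    return entries


def exposed_endpoints(entries):
    """(proto, port, service) tuples an unauthenticated client learns from rpcbind.

    Several versions of one program share a port, so they collapse into one endpoint.
    """
    return sorted({(e.proto, e.port, e.service) for e in entries})


def portmapper_needed(entries):
    """Rule of thumb (my assumption, not from the thread): rpcbind exists to tell
    clients where other RPC programs listen, so if nothing but the portmapper
    itself is registered, port 111 serves no client and can be closed."""
    return any(e.service != "portmapper" for e in entries)


def firewall_rules(entries, allowed_cidr):
    """iptables rules (as strings) that admit the listed RPC ports only from
    allowed_cidr and drop them from everyone else.  mountd, nlockmgr and status
    get their ports dynamically, so regenerate the rules after a restart."""
    net = ipaddress.ip_network(allowed_cidr)  # raises ValueError on a bad whitelist
    # Assumption: rpcbind normally listens on both transports even when the
    # listing happens to show only one of them, so cover 111 on both.
    endpoints = {(e.proto, e.port) for e in entries} | {("tcp", 111), ("udp", 111)}
    rules = []
    for proto, port in sorted(endpoints):
        rules.append(f"-A INPUT -p {proto} --dport {port} -s {net} -j ACCEPT")
    for proto, port in sorted(endpoints):
        rules.append(f"-A INPUT -p {proto} --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    found = parse_rpcinfo(SAMPLE_RPCINFO)
    for proto, port, svc in exposed_endpoints(found):
        print(f"{proto}/{port:<5} {svc}")
    print("port 111 still needed:", portmapper_needed(found))
    for rule in firewall_rules(found, "10.0.0.0/24"):  # assumed NFS client network
        print(rule)
```

Run against a real host by piping `rpcinfo -p` into `parse_rpcinfo`; the ACCEPT rules must be loaded before the DROP rules, which is why the function emits them in that order.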