Portmapper service warnings
We keep getting the following warnings:
"
Dear Sir or Madam,
The Portmapper service (portmap, rpcbind) is required for mapping RPC requests to a network service. The Portmapper service is needed e.g. for mounting network shares using the Network File System (NFS). The Portmapper service runs on port 111 tcp/udp.
In addition to being abused for DDoS reflection attacks, the Portmapper service can be used by attackers to obtain information on the target network like available RPC services or network shares.
Over the past months, systems responding to Portmapper requests from anywhere on the Internet have been increasingly abused for DDoS reflection attacks against third parties.
Please find below a list of affected systems hosted on your network. The timestamp (timezone UTC) indicates when the openly accessible Portmapper service was identified.
We would like to ask you to check this issue and take appropriate steps to secure the Portmapper services on the affected systems or notify your customers accordingly.
If you have recently solved the issue but received this notification again, please note the timestamp included below. You should not receive any further notifications with timestamps after the issue has been solved.
Additional information on this notification, advice on how to fix reported issues and answers to frequently asked questions:
reports.cert-bund.de/en
"
We have been ignoring the warnings but now the frequency has increased. What are we supposed to do?
You should disable it. Run this as root:
chkconfig portmap off
Got the error `No such file or directory`:
    # chkconfig portmap off
    error reading information on service portmap: No such file or directory
Guess portmap relates to rpcbind: yum whatprovides portmap
And what do we have to do??
Rcpbind relates to NFS; if not using NFS services, disable it with: systemctl disable rcpbind.service
you are the best.....
Hello, I'm happy to see the question on this thread was answered. I'm marking this thread as solved. Thanks!
Fails for me. I did: systemctl disable rcpbind Got: Failed to execute operation: No such file or directory
The package name in your command is incorrect. It's "rpcbind" instead of "rcpbind". Thanks!
:oops: Ooooups! Yes, that worked like a charm :) Thanks!
It worked for me as well. Thanks.
Just wanted to say THANK YOU! My mailbox kept getting spammed by CERT-Bund telling me the same as OP's description. I hope I won't hear from them again. Thank you again!
Thank you very much!!! I hope BSI won't email me again... :)
The following command worked fine for me: systemctl disable rpcbind
Does BSI stop bothering you with these warnings after disabling this?
Hello @sitespt, It should, yes. Let us know if you continue to receive those notifications after executing that command. Thank you.
Even after disabling rpcbind I can see port 111 open, and it is now linked to systemd. When I gave the command "lsof -i :111" to check the name of the process, I get systemd with PID 1. I rebooted the system and checked if rpcbind has started; it has not, since I disabled it, but 111 is still open, and it is not because of rpcbind this time but because of systemd. "lsof" shows Name as "*:sunrpc", which I am not sure what it means. I tried to find out if any configuration has changed in /etc; so far nothing interesting is shown. So though the problem was solved until recently by disabling or uninstalling rpcbind, it can come back, and this time systemd is the process which is running the port. Please help me in resolving this problem.
Hello @bhuvan, Can you share the output from the following commands on one of the affected servers?
    cat /etc/redhat-release
    cat /var/cpanel/envtype
    rpm -qa|grep rpc
Additionally, can you confirm if the affected server(s) use an attached NFS (Network File System) mount? Note: You can also configure your firewall to block traffic over port 111. Examples of how to manage firewall rules are available on the document below:
Hi, I was bothered again by BSI about this. My output:
    # cat /etc/redhat-release
    CentOS Linux release 7.7.1908 (Core)
    # cat /var/cpanel/envtype
    kvm
    # rpm -qa|grep rpc
    rpcbind-0.2.0-48.el7.x86_64
    libtirpc-0.2.4-0.16.el7.x86_64
    ea-php72-php-xmlrpc-7.2.25-2.2.2.cpanel.x86_64
    ea-php73-php-xmlrpc-7.3.12-2.2.3.cpanel.x86_64
I am running CSF - is it a good idea to add the port 111 to the block? Should I do anything else?
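Added example, not part of any post in this thread: a shell check for the situation described above, where port 111 stays open under systemd (PID 1) after rpcbind.service is disabled, which is how socket activation through the rpcbind.socket unit appears. The function names and the sample `ss -lntup` output are constructed for illustration.

```shell
#!/bin/sh
# Classify every listener on port 111 from `ss -lntup` output read on stdin.
# Output per listener: <proto> <local addr:port> <loopback|exposed> <owner>
# audit_port111 and exposed_count are hypothetical helper names for this example.
audit_port111() {
    awk '
    {
        n = split($5, a, ":")
        if (a[n] != "111") next                      # header and other ports are skipped
        addr = substr($5, 1, length($5) - 4)         # strip the trailing ":111"
        scope = (addr == "127.0.0.1" || addr == "::1" || addr == "[::1]") ? "loopback" : "exposed"
        if ($0 ~ /"rpcbind"/)              owner = "rpcbind.service"  # daemon is running
        else if ($0 ~ /"systemd",pid=1,/)  owner = "rpcbind.socket"   # held by PID 1 only
        else                               owner = "unknown"
        print $1, $5, scope, owner
    }'
}

# Count listeners reachable from other hosts (reads audit_port111 output).
exposed_count() {
    awk '$3 == "exposed" { c++ } END { print c + 0 }'
}

# Constructed sample in the CentOS 7 `ss -lntup` layout (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
Netid State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN  0      0      *:111               *:*     users:(("systemd",pid=1,fd=41))
tcp   LISTEN  0      128    *:111               *:*     users:(("systemd",pid=1,fd=40))
tcp   LISTEN  0      100    127.0.0.1:25        *:*     users:(("master",pid=1200,fd=13))
tcp   LISTEN  0      128    :::111              :::*    users:(("rpcbind",pid=812,fd=4),("systemd",pid=1,fd=42))
EOF
}

# Demo on the sample; on a live host run as root: ss -lntup | audit_port111
sample_ss_output | audit_port111
echo "exposed listeners: $(sample_ss_output | audit_port111 | exposed_count)"
```

If NFS is not in use, `systemctl stop rpcbind.socket rpcbind.service` followed by `systemctl disable rpcbind.socket rpcbind.service` releases the port. Rerun the check after a reboot to confirm nothing reports `exposed`.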