Announcement

Collapse
No announcement yet.

Secure RPC Portmapper Service & Protection From DDOS

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Secure RPC Portmapper Service & Protection From DDOS

    The Portmapper (portmap, rpcbind) is required for mapping RPC requests (remote procedure calls) to a network service. It is needed e. g. for mounting network shares using the Network File System (NFS).

    Portmapper can run on both TCP or UDP port 111, with UDP being required for the spoofed request to receive an amplified response.

    Openly accessible Portmapper services can be abused for DDoS reflection attacks against third parties.



    To check if a Portmapper service is openly accessible from the Internet, the tool 'rpcinfo' can be used:

    Code:
    $ rpcinfo -T udp -p 192.168.45.67
    An openly accessible Portmapper service will return a response like this:

    program vers proto port service
    100000 4 tcp 111 portmapper
    100000 3 tcp 111 portmapper
    100000 2 tcp 111 portmapper
    100000 4 udp 111 portmapper
    100000 3 udp 111 portmapper
    100000 2 udp 111 portmapper
    100024 1 udp 48035 status
    100024 1 tcp 52605 status

    Otherwise, rpcinfo will run into a timeout:

    rpcinfo: can't contact portmapper: RPC: Remote system error - Connection timed out




    Solution

    If the Portmapper service (portmap, rpcbind) is not required, disable or deinstall it. Otherwise, restrict access to trusted clients, for example by blocking incoming connections to port 111/tcp and 111/udp on the firewall.

    On Debian/Ubuntu based Linux systems, the portmapper service can be removed using the following command:

    Code:
    # apt-get remove rpcbind

    On CentOS/Fedora/cPanel Servers


    Code:
    systemctl stop rpcbind
    
    systemctl disable rpcbind
    Code:
    chkconfig rpcbind off
    or
    chkconfig portmap off
Working...
X