How to disable portmapper services in CentOS 7

Sometimes you will get a notice saying something like "your server can be used or is used for abusing using portmapper services".

An open portmapper service that can be accessed from the Internet can be exploited by an attacker to perform DDoS reflection attacks. Furthermore, an attacker will gain information about the network, e.g. running RPC services or existing network shares.

What does the portmapper do when it is enabled?

It helps provide RPC (Remote Procedure Call) services such as NFS mounts. The service is named portmapper and runs on TCP and UDP port 111.

The vulnerability in having this exposed was revealed back in 2015, and since then most techs suggest disabling the service, or at least blocking this port using TCP Wrappers or a firewall.

To get the list of RPC services, you can use the rpcinfo command.

Sample result from a server that has the portmapper service enabled:

[root@server ~]# rpcinfo -p
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper

To stop the services, use the commands below:

[root@server ~]# systemctl stop rpcbind
Warning: Stopping rpcbind.service, but it can still be activated by:
rpcbind.socket

[root@server ~]# systemctl stop rpcbind.socket

Now run the rpcinfo command again to confirm that everything has stopped. A good result looks like this:

[root@server ~]# rpcinfo -p
rpcinfo: can't contact portmapper: RPC: Remote system error - Connection refused

To keep the service from starting again after a reboot, disable it using the command below.

[root@server ~]# systemctl disable rpcbind
Removed symlink /etc/systemd/system/multi-user.target.wants/rpcbind.service.

Cross-check once more and confirm that the rpcinfo command still shows connection refused.

[root@server ~]# rpcinfo -p
rpcinfo: can't contact portmapper: RPC: Remote system error - Connection refused

This way you can disable the service forever.
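
The verification steps above can be scripted. This is an added example, not part of the original post: it parses rpcinfo -p output for program 100000 and also checks rpcbind.socket, because the warning printed by systemctl stop says that unit can still activate the service. The function names, the --live switch and the sample output are constructed for illustration.

```bash
# Added example, not from the original post. Function names and the
# --live switch are illustrative choices, not part of any tool.

# Constructed sample in the `rpcinfo -p` format shown above.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100024    1   udp  45678  status'

# Read `rpcinfo -p` output on stdin and print one "proto/port" line per
# distinct portmapper registration (RPC program number 100000).
portmapper_listeners() {
    awk '$1 == "100000" { print $3 "/" $4 }' | sort -u
}

# Judge one unit from its `systemctl is-active` and `systemctl is-enabled`
# answers. Succeeds only if the unit is neither running nor enabled.
unit_verdict() {
    unit=$1; active=$2; enabled=$3
    case $active in
        active|activating|reloading)
            echo "FAIL $unit is running"; return 1 ;;
    esac
    case $enabled in
        enabled|enabled-runtime)
            echo "FAIL $unit will start at boot"; return 1 ;;
    esac
    echo "OK $unit"
}

# Live audit, only when called with --live on the server itself.
if [ "${1:-}" = "--live" ]; then
    rc=0
    for u in rpcbind.service rpcbind.socket; do
        unit_verdict "$u" "$(systemctl is-active "$u" 2>/dev/null)" \
            "$(systemctl is-enabled "$u" 2>/dev/null)" || rc=1
    done
    # An empty result means no portmapper answered on this host.
    left=$(rpcinfo -p 2>/dev/null | portmapper_listeners)
    if [ -n "$left" ]; then
        echo "FAIL portmapper still registered on:" $left; rc=1
    fi
    exit "$rc"
fi
```

Run it with --live on the server itself. If rpcbind.socket is reported as enabled, systemctl disable rpcbind.socket takes it out of the boot sequence.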
