I received an email from reports@reports.cert-bund.de with the subject "Offene Portmapper-Dienste in Netzbereich" (open Portmapper services in network range), a warning email from [CERT-Bund](https://www.bsi.bund.de/EN/), the Federal Office for Information Security in Germany. The warning indicated that "your server is exposing the Portmapper service (`rpcbind`) on port 111 (TCP/UDP) to the public internet".
Warning Email — Key Details
Subject: Open Portmapper (port 111) service publicly accessible
Reported IPs: xxx, xxx, xxx
Timestamp: times are UTC, indicating recent external access to the port
Port involved: `111/udp` (also TCP)
Reported RPC responses: show that your server responded to external probes
The email stated:
Over the past months, systems responding to Portmapper requests from anywhere on the Internet have been increasingly abused in DDoS reflection attacks against third parties.
Risk Description
Port 111 is used by the `rpcbind` service, which maps incoming RPC (Remote Procedure Call) requests to the appropriate services on a server.
If this port is accessible from the internet, it creates two major risks:
1. DDoS Reflection Attacks
Attackers send small requests to your server with the source address forged to be the victim's IP.
Your server sends its (larger) reply to that spoofed address, unintentionally becoming part of a **distributed denial of service (DDoS)** attack.
This is known as **UDP reflection/amplification**, and port 111 is commonly abused for it.
2. Information Disclosure
`rpcbind` responses can reveal which RPC-based services are running on your system.
This may expose internal services like NFS, NIS, or backup daemons to external reconnaissance or exploitation.
Solution Applied
After confirming that `rpcbind` was not actively needed on the system (no NFS or RPC clients depending on it externally), the following steps were taken:
1. The `rpcbind` service and socket were stopped and disabled
```bash
# Stop the running portmapper and prevent it from starting at boot
systemctl stop rpcbind
systemctl disable rpcbind
# Also stop and disable the socket unit; otherwise systemd itself keeps
# port 111 open and socket-activates rpcbind on the next incoming request
systemctl stop rpcbind.socket
systemctl disable rpcbind.socket
```
This ensures that the `rpcbind` service:
- is not running,
- will not restart on reboot or on demand (socket activation),
- cannot be reactivated by another service.
This explicitly blocks external access to port 111 (TCP & UDP), even if a service tries to listen on it.
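A verification step for the fix above, added here as an example (not code from the original post): it checks that `rpcbind.service` and `rpcbind.socket` are neither active nor enabled and that no TCP/UDP socket is still bound to port 111. It assumes a systemd host with `ss` from iproute2; the two `ss` outputs embedded below are constructed samples, not captures from a real host. Note that `disabled` only removes the boot and socket hooks, while a unit that depends on `rpcbind.socket` (NFS server units typically do) can still pull it back in, which is why the check also accepts `masked` and should be rerun after any service change.

```bash
#!/bin/sh
# Post-fix check for the rpcbind / port 111 exposure described above.
# Added example, not code from the original post. Assumes a systemd host with
# `ss` from iproute2 and the unit names rpcbind.service / rpcbind.socket.

# check_port111: reads `ss -Hlntu` output on stdin (field 5 = Local Address:Port).
# Exit 1 if any TCP/UDP socket is still bound to port 111, else 0. The `$`
# anchor keeps unrelated ports such as 1111 from matching.
check_port111() {
    awk '$5 ~ /:111$/ { found = 1; print "still bound to port 111:", $1, $5 }
         END { exit (found ? 1 : 0) }'
}

# unit_neutralised IS_ACTIVE IS_ENABLED: takes the words printed by
# `systemctl is-active` and `systemctl is-enabled` for a unit; returns 0 only
# when the unit is not running and cannot be started at boot or on demand.
# "disabled" drops the boot/socket hooks; "masked" also blocks dependent units.
unit_neutralised() {
    case "$1" in inactive|failed|unknown) ;; *) return 1 ;; esac
    case "$2" in disabled|masked|masked-runtime|not-found) return 0 ;; *) return 1 ;; esac
}

# verify_host: live check on this machine; non-zero exit means exposure remains.
verify_host() {
    rc=0
    for u in rpcbind.service rpcbind.socket; do
        a=$(systemctl is-active "$u" 2>/dev/null)
        e=$(systemctl is-enabled "$u" 2>/dev/null)
        if unit_neutralised "$a" "$e"; then echo "ok   $u ($a, $e)"
        else echo "FAIL $u ($a, $e)"; rc=1; fi
    done
    ss -Hlntu | check_port111 || rc=1
    return $rc
}

# Constructed `ss -Hlntu` samples (not captured from a real host): before/after the fix.
SS_BEFORE='udp   UNCONN 0 0      0.0.0.0:111  0.0.0.0:*
tcp   LISTEN 0 4096   0.0.0.0:111  0.0.0.0:*
tcp   LISTEN 0 4096      [::]:111     [::]:*'
SS_AFTER='tcp   LISTEN 0 128    0.0.0.0:22   0.0.0.0:*
udp   UNCONN 0 0      0.0.0.0:1111 0.0.0.0:*'

# Run the live check only when asked, so the file also loads where systemctl/ss are absent.
if [ "${1:-}" = "--live" ]; then verify_host; fi
```

Run it as `sh check_rpcbind.sh --live` on the host after the `systemctl` steps; any `FAIL` line or a "still bound" line means the CERT-Bund finding is not yet resolved.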