0091-rpcbind-uninstalled-rpcbind is Installed¶

Rule ID¶

The rpcbind utility maps RPC services to the ports they listen on. When RPC processes start, they notify rpcbind, registering the ports they are listening on and the RPC program numbers they wish to provide services for. Client systems then contact rpcbind on the server with a specific RPC program number. The rpcbind service redirects the client to the correct port number so it can communicate with the requested service.

Portmapper is an RPC service that always listens on TCP and UDP port 111 and is used to map other RPC services (such as NFS, nlockmgr, quotad, mountd, etc.) to their corresponding port numbers on the server. When a remote host makes an RPC call to this server, it first consults portmap to determine where the RPC server is listening.

Small requests sent to the port mapper (~82 bytes) can generate large responses (7 to 28 times amplification), making it a suitable tool for DDoS attacks. If rpcbind is not required, it is recommended to remove the rpcbind package to reduce the attack surface of the system.

Note: Many libvirt packages used by enterprise Linux virtualization and nfs-utils packages used by Network File System (NFS) depend on the rpcbind package. If rpcbind is required as a dependency, the rpcbind.service and rpcbind.socket services should be stopped and masked to reduce the attack surface of the system.

Version 7

9.2 Ensure only approved ports, protocols, and services are running
Ensure that only network ports, protocols, and services with validated business needs are listening on each system.