Cloudron Forum / Support

Network security issue: Portmapper servers

Solved. Tags: security, firewall. 7 Posts, 4 Posters, 1.2k Views.
#1 dfoy wrote (last edited by girish):

I continue to get the following alert from my ISP (Vultr.com, where shared servers are called "instances"):
      [begin quote]
      ...
      Recent network security audits have detected some issues on your instances. Please review the following reports and help us to ensure the security of our network:
      == Portmapper servers ==
      Portmapper is a service usually used with NFS. When this is not properly firewalled, it can be abused to conduct DDOS attacks. We recommend that all portmapper services be behind a firewall, and restricted to only IPs that need to contact them.
      For Linux machines, please add firewall rules to block port 111 on both UDP and TCP:

      iptables -I INPUT 1 -m tcp -p tcp --dport 111 -j DROP
      iptables -I INPUT 1 -m udp -p udp --dport 111 -j DROP

      Please see https://blog.cloudflare.com/reflections-on-reflections/ for more information on reflection attacks.

      The following IPs have been detected running open portmapper servers:
      [my cloudron IP was shown here]
      If you believe these reports to be false positives, please let us know.

      [end of quote]

      How should I address this?

#2 girish (Staff) wrote:

@dfoy Cloudron does not install an NFS server and there should be nothing on port 111. Even if the NFS package was installed and the server is running, the Cloudron firewall does not open port 111.

Did you install NFS on your server by any chance? Are you able to connect with telnet <server-ip> 111? Otherwise, this looks like a false positive.

#3 dfoy wrote:

          @girish Thanks. I'll take this up with Vultr.
          David Foy

#4 girish (Staff) wrote:

            @dfoy yes, let us know what they say. Happy to make fixes, if any needed.

#5 potemkin_ai wrote:

              # systemctl list-sockets | grep 111
              0.0.0.0:111                               rpcbind.socket                   rpcbind.service
              0.0.0.0:111                               rpcbind.socket                   rpcbind.service
              [::]:111                                  rpcbind.socket                   rpcbind.service
              [::]:111                                  rpcbind.socket                   rpcbind.service
              
              # systemctl status rpcbind
              ● rpcbind.service - RPC bind portmap service
                   Loaded: loaded (/lib/systemd/system/rpcbind.service; enabled; vendor preset: enabled)
                   Active: active (running) since Mon 2024-06-10 03:40:28 CEST; 2 weeks 1 day ago
              TriggeredBy: ● rpcbind.socket
                     Docs: man:rpcbind(8)
                 Main PID: 514 (rpcbind)
                    Tasks: 1 (limit: 9345)
                   Memory: 1.8M
                      CPU: 2.382s
                   CGroup: /system.slice/rpcbind.service
                           └─514 /sbin/rpcbind -f -w
              
              Jun 10 03:40:28 myserver systemd[1]: Starting RPC bind portmap service...
              Jun 10 03:40:28 myserver systemd[1]: Started RPC bind portmap service.
              
              # nc -v localhost 111
              Connection to localhost (::1) 111 port [tcp/sunrpc] succeeded!
              

That is on my servers with only Cloudron on them, where nothing except the Cloudron install script has ever been run.

              It's opened by init, i.e. systemd.

              Any thoughts?

#6 nebulon (Staff) wrote:

                Cloudron does not use or open port 111 on its own, but it seems that port is related to NFS. So maybe you are using NFS on the system?

#7 girish (Staff) wrote:

                  @potemkin_ai thanks for reporting.

It seems nfs-common depends on rpcbind, which starts a service on port 111. rpcbind is only needed for NFSv3. I have disabled rpcbind in the next release (8.0.1). Cloudron only supports NFSv4 out of the box.

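As an added example (not from this thread and not Cloudron's own code), the following POSIX shell script ties together the check in post #5 and the fix in post #7. It parses `systemctl list-sockets --no-legend` output (the embedded samples are constructed to mirror the output posted above) to decide whether rpcbind is bound on a wildcard address, and prints the commands that actually close the port on a Cloudron release that still ships rpcbind enabled. The `--check` flag and the `APPLY` variable are conventions of this script only.

```shell
#!/bin/sh
# Added example, not Cloudron's code: detect an exposed portmapper (rpcbind) from
# `systemctl list-sockets --no-legend` output and show the fix that survives
# socket activation. The --check flag and APPLY variable are this script's own.

# Print the LISTEN column of every socket bound to port 111.
# Input is list-sockets output on stdin so the logic can run on captured text.
portmapper_listeners() {
    awk '$1 ~ /:111$/ { print $1 }'
}

# Exit 0 if any port-111 listener sits on a wildcard address (0.0.0.0 or [::]),
# i.e. it answers on every interface unless a firewall in front of it drops it.
portmapper_exposed() {
    portmapper_listeners | grep -Eq '^(0\.0\.0\.0|\[::\]):111$'
}

# Constructed sample reproducing the list-sockets output posted in this thread
# (TCP and UDP entries for each address), plus one unrelated socket.
SAMPLE_EXPOSED='0.0.0.0:111 rpcbind.socket rpcbind.service
0.0.0.0:111 rpcbind.socket rpcbind.service
[::]:111 rpcbind.socket rpcbind.service
[::]:111 rpcbind.socket rpcbind.service
/run/docker.sock docker.socket docker.service'

# Constructed sample where rpcbind only listens on loopback: not reachable from
# the network, so an external scanner would not flag it.
SAMPLE_LOOPBACK='127.0.0.1:111 rpcbind.socket rpcbind.service
[::1]:111 rpcbind.socket rpcbind.service'

# Commands that close the port. The socket unit goes first: rpcbind.service is
# socket-activated ("TriggeredBy: rpcbind.socket" in the status output above),
# so stopping only the service lets the next incoming packet start it again.
# Masking keeps a package upgrade or a dependent unit from re-enabling it.
remediation_commands() {
    cat <<'EOF'
systemctl disable --now rpcbind.socket
systemctl disable --now rpcbind.service
systemctl mask rpcbind.socket rpcbind.service
EOF
}

# Live check of this host; prints the fix, and runs it only when APPLY=1.
main() {
    if ! command -v systemctl >/dev/null 2>&1; then
        echo "systemctl not found; nothing to check" >&2
        return 0
    fi
    if systemctl list-sockets --no-legend 2>/dev/null | portmapper_exposed; then
        echo "portmapper (rpcbind) is listening on a wildcard address; fix:"
        remediation_commands
        if [ "${APPLY:-0}" = "1" ]; then
            remediation_commands | sh -e
        fi
    else
        echo "no wildcard portmapper listener found"
    fi
}

# Run the live check only when invoked as: sh portmapper-check.sh --check
if [ "${1:-}" = "--check" ]; then
    main
fi
```

Two caveats worth keeping in mind when verifying. `nc -v localhost 111` (post #5) only proves a TCP listener on loopback; the reflection abuse the ISP describes uses UDP on the public address, so confirm the fix from another host with `rpcinfo -p <server-ip>`, which should time out once the socket is gone. The ISP's `iptables ... --dport 111 -j DROP` rules are reasonable defence in depth, but removing the listener (as the 8.0.1 release does by disabling rpcbind) is the fix that does not depend on the firewall being in place.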