The Portmapper service (also known as rpcbind) maps Remote Procedure Call (RPC) program numbers to the network ports on which those services listen. It is primarily used for NFS (Network File System).
The Security Risk: DDoS Amplification
An open Portmapper service (port 111) can be abused for DDoS amplification attacks: attackers send small queries with a spoofed source address to your server, which answers with much larger responses that are delivered to the victim whose address was spoofed.
If you do not use NFS, you should disable this service immediately.
1. Checking for Vulnerability
To check whether your Portmapper is exposed to the public internet, run this command from a remote computer (replace 1.2.3.4 with the public IP address of your VPS):
sudo nmap -sU -p 111 1.2.3.4
- Open: Your server is vulnerable. Follow the steps below.
- Closed / Filtered: Your server is safe.
Note that a UDP scan often cannot tell an open port from a filtered one and reports "open|filtered" when it gets no reply; treat that result as possibly exposed rather than safe, and confirm with a service/version scan of the same port.
2. Option A: Disable the Service (Recommended)
If you are not using NFS (Network File System), you do not need this service running at all. The safest fix is to stop and mask it.
Run the following commands on your VPS:
# Stop the service immediately
sudo systemctl stop rpcbind
sudo systemctl stop rpcbind.socket
# Prevent it from ever starting again (Masking)
sudo systemctl mask rpcbind
sudo systemctl mask rpcbind.socket
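To confirm on the server itself that Option A took effect, here is an added check (not part of the original guide) that parses `ss -lntu` output and reports any socket on port 111 bound to a non-loopback address; the two sample outputs are constructed, not captured from a real host.

```shell
# Constructed samples of `ss -lntu` output (not captured from a real host):
# before the fix rpcbind listens on all addresses; afterwards only sshd and a
# loopback-only socket remain.
SS_BEFORE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*
udp   UNCONN 0      0               [::]:111          [::]:*
tcp   LISTEN 0      4096         0.0.0.0:111       0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:22        0.0.0.0:*'

SS_AFTER='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      4096         0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:111       0.0.0.0:*'

# portmapper_exposed_sockets "<ss -lntu output>"
# Prints "proto local-address:port" for every socket bound to port 111 on a
# non-loopback address. Exit status 0 if any were found (exposed), 1 otherwise.
portmapper_exposed_sockets() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                       # header line
        {
            n = split($5, a, ":")              # last ":"-separated field is the port
            port = a[n]
            addr = substr($5, 1, length($5) - length(port) - 1)
            if (port != "111") next
            if (addr == "127.0.0.1" || addr == "[::1]") next   # loopback only: fine
            print $1, $5
            found++
        }
        END { exit (found > 0) ? 0 : 1 }'
}

# portmapper_status "<ss -lntu output>" -> "exposed" or "not-exposed"
portmapper_status() {
    if portmapper_exposed_sockets "$1" >/dev/null; then
        echo exposed
    else
        echo not-exposed
    fi
}

# On a real server run: portmapper_status "$(ss -lntu)"
portmapper_status "$SS_BEFORE"   # exposed
portmapper_status "$SS_AFTER"    # not-exposed
```

After Option B the rpcbind socket is still bound to 0.0.0.0, so this check will report it as exposed; in that case the firewall rules, not the listener, provide the restriction.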
3. Option B: Restrict Access (If using NFS)
If you do use NFS, you cannot disable Portmapper. Instead, you must restrict access so only your trusted IPs can connect.
UFW (Ubuntu / Debian)
# Allow your specific client IP (add this first: UFW evaluates rules in order)
sudo ufw allow from <TRUSTED_IP> to any port 111
# Deny public access (covers both TCP and UDP on port 111)
sudo ufw deny 111
FirewallD (CentOS / RHEL)
# Remove public access
sudo firewall-cmd --zone=public --remove-port=111/udp --permanent
sudo firewall-cmd --zone=public --remove-port=111/tcp --permanent
# Add trusted source (Rich Rule)
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<TRUSTED_IP>" port protocol="udp" port="111" accept'
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<TRUSTED_IP>" port protocol="tcp" port="111" accept'
sudo firewall-cmd --reload