Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Help securing rpcbind

Discussion in 'Security' started by Spork Schivago, Jun 14, 2017.

  1. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    594
    Likes Received:
    63
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
    Hello,

    I noticed on my CentOS 7 VPS that rpcbind is running. I don't really like this, but I believe my configuration of cPanel requires it now.

    netstat shows rpcbind is only listening for udp connections and not TCP connections, but it does show init is listening for tcp connections on port 111 (rpcbind's portmapper port).

    Code:
    udp        0      0 0.0.0.0:111             0.0.0.0:*                           10408/rpcbind
    udp        0      0 0.0.0.0:831             0.0.0.0:*                           10408/rpcbind
    udp6       0      0 :::111                  :::*                                10408/rpcbind
    udp6       0      0 :::831                  :::*                                10408/rpcbind
    
    netstat -tulnp|grep -i 111
    tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/init
    tcp6       0      0 :::111                  :::*                    LISTEN      1/init
    udp        0      0 0.0.0.0:111             0.0.0.0:*                           11589/rpcbind
    udp6       0      0 :::111                  :::*                                11589/rpcbind
    
    Every time I restart rpcbind, it still listens on port 111 but the other port changes, so I think that's random (this time, UDP / UDP6 port 831). I don't think using the firewall will work, because I can block 111 at the firewall level, but not the other port number if it keeps changing with every startup of rpcbind.

    Is it safe for me to try and configure rpcbind to listen on local interfaces only? I believe the -h option will restrict the UDP connections to local hosts only (127.0.0.1 and ::1). Will this break anything in cPanel?

    I see in /usr/lib/systemd/system/rpcbind.socket
    Code:
    [Unit]
    Description=RPCbind Server Activation Socket
    
    [Socket]
    ListenStream=/var/run/rpcbind.sock
    ListenStream=[::]:111
    ListenStream=0.0.0.0:111
    BindIPv6Only=ipv6-only
    
    [Install]
    WantedBy=sockets.target
    
    I'm a little confused here. I've read what the ListenStream and BindIPv6Only options are (freedesktop.org/software/systemd/man/systemd.socket.html ). With BindIPv6Only set to ipv6-only, I'm confused as to why rpcbind is listening on both IPv6 and IPv4 UDP ports.

    I wonder if I could create a custom rpcbind.socket file and modify the ListenStream values to list just local addresses ( ::1 and 127.0.0.1).

    If I try to uninstall rpcbind, I see the dependencies that'll get removed as well:
    Code:
     cpanel-dovecot-solr                                      noarch                 6.4.0-48.1                         @cpanel-plugins                 234 M
     cpanel-mailman                                           x86_64                 2.1.23-9.cp1162                    installed                        31 M
     cpanel-perl-524-Cpanel-CORE-Dependencies                 x86_64                 1.8-1.cp1162                       installed                       190
     cpanel-perl-524-Mail-SpamAssassin                        x86_64                 3.004001-5.cp1162                  installed                       2.6 M
     cpanel-perl-524-Quota                                    x86_64                 1.7.2-1.cp1162                     installed                        43 k
     cpanel-roundcubemail                                     noarch                 1.2.4-1.cp1162                     installed                        15 M
     dovecot                                                  x86_64                 2.2.28-4.cp1162                    installed                        29 M
     dovecot-xaps                                             x86_64                 2.2.28-1.cp1162                    installed                        27 k
     exim                                                     x86_64                 4.89-1.cp1162                      installed                       1.8 M
     quota                                                    x86_64                 1:4.01-14.el7                      @base                           887 k
     quota-devel                                              x86_64                 1:4.01-14.el7                      @base                           9.2 k
    
    
    So I can't really be removing rpcbind. I'd just like to secure it a bit more, if I could...

    Thanks!
     
    #1 Spork Schivago, Jun 14, 2017
    Last edited: Jun 14, 2017
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,749
    Likes Received:
    1,886
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    The "rpcbind" package isn't required unless you utilize NFS mounts on the server. You can disable the service with the following commands on CentOS 7:

    Code:
    systemctl disable rpcbind.service
    service rpcbind stop
    I don't recommend removing the RPM itself, as it has several dependencies with packages such as quota and dovecot (as you noted).

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    Spork Schivago likes this.
  3. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    594
    Likes Received:
    63
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
    I had thought about disabling the service, but would that break quotas and dovecot @cPanelMichael?

    Thanks!
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,749
    Likes Received:
    1,886
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    You should not notice any problems with those packages unless you are using NFS mounts.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    594
    Likes Received:
    63
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
    I'm not using NFS mounts. I do sometimes mount the server on my local machine using sshfs, so this shouldn't be a problem. When I stopped rpcbind, it said:

    Code:
    Warning: Stopping rpcbind.service, but it can still be activated by:
      rpcbind.socket
    
    So I went ahead and did the same for rpcbind.socket.

    Thanks for the help! Glad to know nothing depending on rpcbind besides NFS mounts. I think this closes a possible future security breach on my server.
     
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice