SOLVED rpcbind got installed.

Discussion in 'General Discussion' started by Spork Schivago, Dec 12, 2016.

  1. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    462
    Likes Received:
    52
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Root Administrator
    So I go to check my e-mail today and I see a lot of updates were pulled in by yum last night. This is the first time in a while since I've gotten an e-mail like that. Anyway, it shows rpcbind was installed. Some of the various updates (there were a lot) show the words updates after them, but this shows base after it.

    I've never had rpcbind installed, or if I did, it wasn't configured to start up. I recently switched to a new hosting provider and had to tighten the security on the server. rpcbind was not showing as running before when I ran netstat -tulnp, but now, it shows.

    I'm thinking perhaps a package had a dependency and required rpcbind maybe? Is there a way to see what installed packages depend on rpcbind?

    I don't really want it there. Even if it isn't a security risk, I don't like having unneeded services running. To me, that just increases the chance of my server getting hacked. Maybe there aren't any exploits available for rpcbind yet, but maybe they'll come in the future?

    I just don't want to remove it without understanding if it's going to break anything and without understanding why it got installed in the first place.

    I just was reading the rest of my e-mails and see the cron log from last night.
    Code:
    /etc/cron.daily/0yum-daily.cron:
    
    /usr/lib/systemd/system/named.service: read error
    (tried to read 773 bytes from offset 0)
    cannot reconstruct rpm from disk files
    Some delta RPMs failed to download or rebuild. Retrying..
    warning: /etc/bashrc created as /etc/bashrc.rpmnew
    warning: /etc/profile created as /etc/profile.rpmnew
    warning: /etc/shadow created as /etc/shadow.rpmnew
    warning: /etc/nsswitch.conf created as /etc/nsswitch.conf.rpmnew
    warning: /etc/sysctl.conf created as /etc/sysctl.conf.rpmnew
    warning: /etc/cron.daily/logrotate created as /etc/cron.daily/logrotate.rpmnew
    grubby fatal error: unable to find a suitable template
    warning: /etc/yum/yum-cron.conf created as /etc/yum/yum-cron.conf.rpmnew
    warning: /etc/named.conf created as /etc/named.conf.rpmnew
    warning: /var/lib/logrotate.status saved as /var/lib/logrotate.status.rpmsave
    2671 blocks
    
    Maybe this is the reason yum did so much with all the packages and everything last night? Do you guys think it's related? It seems something weird was going on last night. I'd love to get to the bottom of this.

    Any suggestions?

    Thanks!
     
  2. NixTree

    NixTree Well-Known Member

    Joined:
    Aug 19, 2010
    Messages:
    404
    Likes Received:
    2
    Trophy Points:
    143
    Location:
    Gods Own Country
    cPanel Access Level:
    Root Administrator
    Were there any recent NFS-related changes done on your server?
     
  3. Spork Schivago

    If there was, it wasn't done by me. BuycPanel.com had to log into my server to check some things, but I highly doubt they would have messed with anything not related to the issue I was having (I had problems with Apache and error documents).

    I haven't installed any packages recently or anything. A few days ago, my server was down because of physical problems. The hosting provider contacted me. The physical problem was three days ago and they've resolved that. I couldn't see them installing anything or playing around with NFS.

    It's a real mystery. I'd like to add, when I went to look at the ticket from Linode (my hosting provider) about the physical hardware problem, I saw a date of 12-08-2016. When I went to migrate some of those rpmnew files in the /etc/ directory to the normal config files, I had to restart MariaDB.

    I ran systemctl status mysql. I noticed this in the output:
    Code:
    Dec 08 18:09:28 franklin.mydomain.com mysqld[3930]: 2016-12-08 18:09:28 140288809585408 [ERROR] mysqld: Table './cphulkd/known_netblocks' is marked as crashed and should be repaired
    Dec 08 18:09:28 franklin.mydomain.com mysqld[3930]: 2016-12-08 18:09:28 140288809585408 [Warning] Checking table:   './cphulkd/known_netblocks'
    Dec 08 18:09:40 franklin.mydomain.com mysqld[3930]: 2016-12-08 18:09:40 140288809282304 [ERROR] mysqld: Table './eximstats/smtp' is marked as crashed and should be repaired
    Dec 08 18:09:40 franklin.mydomain.com mysqld[3930]: 2016-12-08 18:09:40 140288809282304 [Warning] Checking table:   './eximstats/smtp'
    Dec 08 18:09:40 franklin.mydomain.com mysqld[3930]: 2016-12-08 18:09:40 140288809282304 [ERROR] mysqld: Table './eximstats/sends' is marked as crashed and should be repaired
    Dec 08 18:09:40 franklin.mydomain.com mysqld[3930]: 2016-12-08 18:09:40 140288809282304 [Warning] Checking table:   './eximstats/sends'
    Dec 08 18:09:40 franklin.mydomain.com mysqld[3930]: 2016-12-08 18:09:40 140288809282304 [ERROR] mysqld: Table './eximstats/failures' is marked as crashed and should be repaired
    Dec 08 18:09:40 franklin.mydomain.com mysqld[3930]: 2016-12-08 18:09:40 140288809282304 [Warning] Checking table:   './eximstats/failures'
    Dec 08 18:27:13 franklin.mydomain.com mysqld[3930]: 2016-12-08 18:27:13 140288809282304 [ERROR] mysqld: Table './modsec/hits' is marked as crashed and should be repaired
    Dec 08 18:27:13 franklin.mydomain.com mysqld[3930]: 2016-12-08 18:27:13 140288809282304 [Warning] Checking table:   './modsec/hits'
    
    I then ran myisamchk -e on all of the MYI files, including the cphulkd, eximstats, and modsec ones. There were no errors. I'm wondering if that had something to do with the physical problems they had with my server. When I restarted MySQL, there were no errors.
     
    #3 Spork Schivago, Dec 12, 2016
    Last edited: Dec 12, 2016
  4. Spork Schivago

    Also, I'd like to add something that might be of interest. I don't know a lot about RPC or rpcbind. I know a little though. Could this have something to do with the kernel?

    With Linode, I'm given the choice to use the kernel version that is provided with CentOS or a more recent kernel. I'm not certain how they boot the more recent kernel. It's not in the /boot directory. That contains the kernel version that's provided by CentOS. I'm using the Linode provided kernel. uname -a shows:
    Code:
    Linux franklin.mydomain.com 4.8.6-x86_64-linode78 #1 SMP Tue Nov 1 14:51:21 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux
    
    I don't think yum is smart enough to detect this (nor should it be). But I noticed one of the updates it tried installing:
    Code:
    kernel                x86_64 3.10.0-514.2.2.el7             updates       37 M
    
    I believe that update failed to install. Personally, I don't think yum, on my system, should be trying to update the kernel at all, because I'm using Linode's kernel. Is there a chance though, that 3.10.0-514.2.2.el7 kernel might have something to do with rpcbind?

    Maybe the default configuration for the 3.10.0-514.2.2.el7 kernel has some NFS support enabled by default, whereas the Linode one might not? And maybe when yum knew the 3.10.0-512.2.2 kernel had NFS support, it knew I needed rpcbind?

    Do you think that's a possibility or no?

    Do you also think there's a current security risk, having rpcbind listen on all interfaces? Should I block that using iptables?

    Thanks for the help! This worries me a bit and I appreciate you taking the time to answer my questions.
     
  5. Spork Schivago

    I guess at this point, I think I'd like to try removing rpcbind. Is there anything special I have to do or can I just use yum to install it?
     
  6. Spork Schivago

    Looking through /var/logs/yum.log, I see rpcbind was installed way before today.

    It just must not have been running. I know this because I specifically remember looking at the Linode server hardening document and they were talking about blocking unnecessary ports. They used rpc as an example and I thought it was odd that rpcbind wasn't showing under netstat.

    I ran:
    Code:
    root@franklin:[/etc/cron.daily]#  rpm -q --whatrequires rpcbind
    quota-4.01-14.el7.x86_64
    
    So I see quota depends on rpcbind. I don't use quota though. Also, I see:
    Code:
    root@franklin:[/etc/cron.daily]#  rpm -q --whatrequires quota
    cpanel-perl-522-Quota-1.7.2-2.cp1156.x86_64
    quota-devel-4.01-14.el7.x86_64
    
    So, cPanel-perl-522-Quota depends on quota.

    How could I disable rpcbind without breaking anything? If I uninstall rpcbind, quota will break and so will cpanel-perl-522-Quota. I don't want to be breaking packages. I just find it odd that up until this time, rpcbind wasn't running.

    ConfigServer Firewall is going nuts with all the rpcbind stuff. That's another way I know it wasn't installed. I never got any emails before about rpcbind or the user rpc. Now I'm getting them non-stop.

    Any suggestions on the proper way to fix this? Ultimately, if I need rpcbind on my server, I'd rather have it not running at all, unless it's absolutely needed (i.e., don't uninstall it, just disable it from starting as a daemon and let cpanel-perl-522-Quota start it if it ever needs to).

    Can I do that and if so, how? Just something like:
    Code:
    systemctl disable rpcbind
    
    Or maybe:
    Code:
    chkconfig rpcbind off
    chkconfig rpcbind --del
    
    ?
     
  7. Spork Schivago

    Hrmm, I disabled rpcbind, doesn't seem to have caused any issues. But I get a security advisor saying compilers are currently enabled for all users. How did that get reset I wonder? Hrmm.
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    36,995
    Likes Received:
    1,275
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    The 'rpcbind' package is provided as part of the OS. The recent update from CentOS is normal, and I can confirm it also happened on a test system (CentOS 7):

    Code:
    grep rpcbind /var/log/yum.log
    Sep 21 18:03:24 Installed: rpcbind-0.2.0-33.el7_2.1.x86_64
    Dec 12 08:17:37 Updated: rpcbind-0.2.0-38.el7.x86_64
    
    It's used for RPC services, so you can safely disable it if you prefer, as long as you don't plan to use NFS mounts. However, I don't see any harm in leaving it installed, especially with the quota dependency.

    Thank you.
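
The dependency check and the "disable without uninstalling" step discussed in posts #6 and #8, as an added example that is not from any poster in the thread. It assumes a systemd host whose rpcbind package ships both rpcbind.service and rpcbind.socket; the function names and the netstat sample are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit and disable rpcbind on a systemd host.

# Constructed sample of `netstat -tulnp` output, used only for offline testing.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1204/exim
tcp        0      0 0.0.0.0:2111            0.0.0.0:*               LISTEN      2210/example
tcp6       0      0 :::111                  :::*                    LISTEN      1/systemd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           812/rpcbind
udp        0      0 127.0.0.1:111           0.0.0.0:*                           812/rpcbind'

# Read `netstat -tuln[p]` output on stdin and print "proto address" for each
# port-111 socket bound to a non-loopback address. Matching is on the port,
# not the program name, because a socket-activated listener is owned by systemd.
exposed_rpcbind_listeners() {
  awk '
    $1 ~ /^(tcp|udp)6?$/ {
      n = split($4, parts, ":")
      port = parts[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (port != "111") next
      if (addr ~ /^127\./ || addr == "::1") next
      print $1, addr
    }'
}

# Show dependents, then stop and disable both units (assumed unit names:
# rpcbind.service and rpcbind.socket). The package stays installed, so quota
# and cpanel-perl-522-Quota keep their dependency satisfied.
disable_rpcbind() {
  rpm -q --whatrequires rpcbind
  systemctl stop rpcbind.service rpcbind.socket
  systemctl disable rpcbind.service rpcbind.socket
  # Anything printed here is a listener that survived the change.
  netstat -tuln | exposed_rpcbind_listeners
}

# Only touch the system when explicitly asked to.
case "${1:-}" in
  --apply) disable_rpcbind ;;
esac
```

Run it as root with `--apply` to make the change; with no argument it only defines the functions, so `netstat -tuln | exposed_rpcbind_listeners` can be used as a read-only check.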
     
  9. cPanelMichael

    This is possible, but you'd want to check with Linode or your provider to verify if that's the case.

    I'm moving your question about compiler access into a separate thread, and will send a response to it shortly.

    Thanks!
     