Description: The rpcbind utility maps RPC services to the ports on which they listen. RPC processes notify rpcbind when they start, registering the ports they are listening on and the RPC program numbers they expect to serve. The client system then contacts rpcbind on the server with a particular RPC program number. The rpcbind service redirects the client to the proper port number so it can communicate with the requested service Portmapper is an RPC service, which always listens on tcp and udp 111, and is used to map other RPC services (such as nfs, nlockmgr, quotad, mountd, etc.) to their corresponding port number on the server. When a remote host makes an RPC call to that server, it first consults with portmap to determine where the RPC server is listening. Rationale: A small request (~82 bytes via UDP) sent to the Portmapper generates a large response (7x to 28x amplification), which makes it a suitable tool for DDoS attacks. If rpcbind is not required, it is recommended that the rpcbind package be removed to reduce the attack surface of the system. Audit: Run the following command to verify rpcbind is not enabled: # systemctl is-enabled rpcbind disabled Verify result is not "enabled". Remediation: Run the following command to remove rpcbind: # yum remove rpcbind If the rpcbind package is required as a dependency, run the following commands to stop and mask the rpcbind services: # systemctl --now mask rpcbind # systemctl --now mask rpcbind.socket

[yes/no]

Run the following command to remove rpcbind: # yum remove rpcbind If the rpcbind package is required as a dependency, run the following commands to stop and mask the rpcbind services: # systemctl --now mask rpcbind # systemctl --now mask rpcbind.socket