• Port 111 problem

    • This topic has 13 replies, 5 voices, and was last updated 13 years ago.
    #482411

    My PC (W7) has been audited and it failed.
    This is the outside contractor’s error message:
    **************************************************************
    Ports associated with Unix/Linux remote procedure calls (RPC) are accessible from the Internet.
    This generally reflects a lack of adequate firewall rules or other network-level access control.

    Restrict access from the general Internet to the identified service.

    Protocol udp
    Port 111

    **************************************************************
    I’ve been all over the internet and found a bunch of people talking about “port 111”, and every one of them is talking over my head (has nothing to do with me sitting down).
    I’m hoping someone here can help me to resolve this issue.
    Thanks……….

    Viewing 7 reply threads
    • #1326692

      Audited by whom or what? If it was a person or organisation, they should give you more specific advice.

      Port 111 is used by the port mapper service. This is a service, normally used in commercial client-server scenarios, that allows an inquiring service to determine what software has been mapped to various ports so that they can communicate. Typically it is used to allow network hosts to communicate with resources available on a server.

      Calls to port 111 are not accessible from the internet unless your firewall allows them. It would be dangerous to do so and your firewall should not be setup to forward port 111 unless you know what you are doing.

      • #1326708

        I accept credit cards. I have to be certified by my merchant account provider. They use an outfit called Trustwave. They are the ones that are doing the audit.

        Calls to port 111 are not accessible from the internet unless your firewall allows them. It would be dangerous to do so and your firewall should not be setup to forward port 111 unless you know what you are doing.

        I’ve looked and poked around my W7, using my limited knowledge, and can’t seem to find how to stop port 111.

        Any help would be extremely appreciated.

        • #1326718

          So it seems Trustwave ran a port scan and found a response on port 111 from your router or firewall.

          The results, if they are correct, are worrying: they suggest that port 111 is available to the outside world. That is a very unusual situation and would normally require specific action to implement. From your comments, I think it safe to assume that you haven’t forwarded port 111 in your router.

          So what is left is either a badly configured router, a system that has no router firewall (old usb attached adsl modems fall into this category), or an erroneous result. If you have no router firewall, then it is possible port 111 may be exposed to the internet – which is what Trustwave apparently have found. Replacing an old usb attached modem with a modern router would resolve that.

          You can check for open ports on your router yourself using ShieldsUp.

          You can check for open ports on the PC using the command netstat -an in a command prompt window.

          • #1328933

            So it seems Trustwave ran a port scan and found a response on port 111 from your router or firewall.

            The results, if they are correct, are worrying: they suggest that port 111 is available to the outside world. That is a very unusual situation and would normally require specific action to implement. From your comments, I think it safe to assume that you haven’t forwarded port 111 in your router.

            So what is left is either a badly configured router, a system that has no router firewall (old usb attached adsl modems fall into this category), or an erroneous result. If you have no router firewall, then it is possible port 111 may be exposed to the internet – which is what Trustwave apparently have found. Replacing an old usb attached modem with a modern router would resolve that.

            You can check for open ports on your router yourself using ShieldsUp.

            You can check for open ports on the PC using the command netstat -an in a command prompt window.

            I used the ShieldsUp tests, several of them, and passed them all fortunately. It’s a fascinating tool, thanks.

    • #1326729

      …you haven’t forwarded port 111 in your router.

      Not that I know of.

      I ran ShieldsUp.
      Common Port Scan came back all green (stealth). No issue.
      All Service Ports Scan came back all green (stealth). No issue.
      Ran the specific Probing Port for 111 and came back as green (stealth). No issue.

      I ran the netstat command and did not see anything that includes 111 in the results.

      Since I’m running W7 and not LINUX and port 111 is related to LINUX, should I just tell Trustwave to pass me?

      My cable connection is Motorola SB6120.
      My router is D-Link DIR-655.

      Again, thanks for your continued help.

      • #1326742

        If ShieldsUp shows that you are closed to the outside world and netstat shows Port 111 is not in use on the PC, I would consider that you are probably clean.

        It may be worthwhile running a couple of additional tests from other online port scanners just to be certain: then you can be confident that there is an error in the contractor’s results.

        The Portmapper service on port 111 is used in the Windows world as well as Linux. Unfortunately therefore, you can’t dismiss it because you are running Win7: I think you need to know that it is closed – it is a big security risk if it is open and accessible via the internet.

        At the same time, I think it reasonable that the contractor demonstrate that it is open as he claims – particularly if your business depends on the result.

    • #1326755

      I ran PCflank and it came back as stealth.

      I have sent a note to Trustwave to dispute their findings.

      Wait-n-see…….

      Thanks for your quick and friendly help.

    • #1326865

      Trustwave denied my dispute.
      Waiting to hear back from them as to what I need to do to pass their test.

    • #1327151

      All-rite-tee-then.
      They denied my dispute.
      Here is their reply which is waaaaaay over my head.
      Thanks for your help.
      ==============================================

      Description:
      Ports associated with Unix/Linux remote procedure calls (RPC) are accessible from the Internet. This generally reflects a lack of adequate firewall rules or other network-level access control.

      Remediation:
      Restrict access from the general Internet to the identified service.

      We have denied this dispute based on the lack of information provided regarding how this finding has been addressed.

      Any issues detected on a system that is in scope for PCI DSS compliance would need to have all PCI-non compliant issues remediated (which is any system involved in the storage, processing, and/or transmission of credit card holder data and any system directly connected to a network involved in such processes which does not have proper network segmentation in place).

      Please review the scan report and follow the suggestions found underneath the “Remediation” column and then perform another scan when the vulnerability has been remediated to clear the finding from your next scan report.

      If the vulnerability continues to be detected after this point and/or if you have already performed this then please feel free to re-dispute this vulnerability and explain what was performed to address the finding.

      *Additionally, manual investigation is as follows:

      $ nmap -P0 -sU XX.XX.17.221 -p 109-114 (I redacted the IP address)

      Starting Nmap 5.51 ( http://nmap.org ) at 2012-03-29 15:38 ric

      Nmap scan report for c-xx-xx-17-221.hsd1.ga.comcast.net (xx.xx.17.221) (I redacted the IP address)
      Host is up (0.039s latency).
      PORT STATE SERVICE
      109/udp open|filtered pop2
      110/udp open|filtered pop3
      111/udp open rpcbind
      112/udp open|filtered mcidas
      113/udp open|filtered auth
      114/udp open|filtered audionews

      Nmap done: 1 IP address (1 host up) scanned in 8.22 seconds

      • #1327152

        They have used a freeware tool (Network Mapper, or nmap) to probe your system. The nmap result is difficult to argue with, but there are a few things to look at.

          • Confirm the IP they probed is actually yours, and was the same at the time of the test. If it’s not a static IP, they may have probed somebody else.
          • Check with Comcast in case their network reports something on port 111.
          • Run the IP scanner tools, but this time locate one specifically testing UDP ports.
          • Investigate the router config, see if there is anything that would suggest the port being accessible: UPnP enabled, SPI firewall, port forwarding.
          • Consider swapping the router with an alternative model, or placing a second router between the cable modem and your system.
          • Turn off UPnP services on the PC: using services.msc, look for UPnP Host and disable it. Do the same on any other network resources.
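The two checks the thread leans on are the contractor’s nmap UDP report and the `netstat -an` output from the PC. The following is an added example (not code from the thread or from Trustwave) that parses both and applies the distinction nmap itself makes: on UDP, `open` means the scanner received an application reply (for rpcbind, an RPC answer), while `open|filtered` only means nothing came back, which is what a closed or firewalled UDP port normally looks like. The scan text and the netstat text below are constructed samples shaped like the thread’s output, with a documentation IP (192.0.2.10) in place of the redacted address; the verdict strings are my own labels.

```python
import re
from dataclasses import dataclass

# Constructed sample: same shape as the scanner's UDP report quoted in the thread,
# with a placeholder IP. Not real scan data.
NMAP_UDP_REPORT = """\
Starting Nmap 5.51 ( http://nmap.org ) at 2012-03-29 15:38
Nmap scan report for 192.0.2.10
Host is up (0.039s latency).
PORT STATE SERVICE
109/udp open|filtered pop2
110/udp open|filtered pop3
111/udp open rpcbind
112/udp open|filtered mcidas
113/udp open|filtered auth
114/udp open|filtered audionews

Nmap done: 1 IP address (1 host up) scanned in 8.22 seconds
"""

# Constructed sample of Windows 'netstat -an' output; nothing is bound to port 111 here.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.0.5:49170      93.184.216.34:443      ESTABLISHED
  UDP    0.0.0.0:5355           *:*
  UDP    192.168.0.5:1900       *:*
"""


@dataclass
class PortResult:
    port: int
    proto: str
    state: str
    service: str


PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(report):
    """Pull the per-port lines out of nmap's normal (text) output."""
    results = []
    for line in report.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            results.append(PortResult(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return results


def confirmed_open_udp(results):
    """Only 'open' is a positive UDP finding: nmap got a reply from the service.
    'open|filtered' means no reply at all (no ICMP port-unreachable either), which
    is the normal appearance of a closed or silently firewalled UDP port."""
    return [r for r in results if r.proto == "udp" and r.state == "open"]


def local_listeners(netstat_text, port):
    """Return (proto, local address) pairs from Windows 'netstat -an' bound to port.
    TCP must be LISTENING; UDP sockets have no state column, so any binding counts."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        # IPv6 entries look like [::]:111, IPv4 like 0.0.0.0:111; the port is after the last colon.
        if local.rsplit(":", 1)[-1] == str(port):
            if proto == "UDP" or (len(parts) > 3 and parts[3] == "LISTENING"):
                hits.append((proto, local))
    return hits


def triage(report, netstat_text, port=111):
    """Combine the outside view (scanner) with the inside view (netstat on the PC)."""
    scanner_open = [r for r in confirmed_open_udp(parse_nmap(report)) if r.port == port]
    on_pc = local_listeners(netstat_text, port)
    if scanner_open and on_pc:
        return "open-on-pc"                # a service on the PC answers; stop it or block it
    if scanner_open:
        return "open-on-edge-not-on-pc"    # the modem/router answered, or the scanned IP is not yours
    return "not-confirmed"                 # nothing positive; ask the scanner for evidence


if __name__ == "__main__":
    for r in confirmed_open_udp(parse_nmap(NMAP_UDP_REPORT)):
        print(f"scanner confirms {r.port}/{r.proto} {r.service}")
    print("PC listeners on 111:", local_listeners(NETSTAT_OUTPUT, 111))
    print("verdict:", triage(NMAP_UDP_REPORT, NETSTAT_OUTPUT))
```

With the sample data the verdict is “open-on-edge-not-on-pc”: the scanner confirmed 111/udp, but nothing on the PC is bound to it, which points at the cable modem or router (or at a probe of the wrong address) rather than the Windows box. It also shows why the ShieldsUp results in the thread did not settle the matter: ShieldsUp probes TCP ports, and this finding is UDP.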
    • #1327746

      Can you specifically block port 111 in your Router?

    • #1327877

      Not ignoring you guys, just got a lot of work right now. Back in 1-2-3 days.

    • #1330106

      WaterBoyz,

      there’s another line of investigation you could pursue, if you wish. Trustwave was hired to do a PCI-DSS audit on your systems, on behalf of your credit card processor. That means they cannot directly help you solve your problem, as that would put them in a conflict of interest (they cannot then audit their own work).

      However, nothing stops *you* from hiring another firm to help you with this problem directly. I did a quick Google search for PCI-DSS consultants (or alternatively, “CISA”, or “IS-Audit” might work too) in the Atlanta area and several names came up. You could ask them for specific help to solve this problem (show them Trustwave’s findings). Probably only cost you a few hundred $$$. If this issue is holding you up from getting a clean audit opinion (and thus being able to process credit cards), the cost might be worth it. I’m all for free advice but it sounds like your situation is a tad more complicated, especially if Gibson’s ShieldsUp says that all is fine. And it’s hard for us to do more without witnessing the equipment, situation, direct port testing, etc.

      Just a thought.
