How to disable rpcbind on LKE nodes

Linode Staff

I received a ticket regarding a security vulnerability notification regarding the Portmapper service:

the Portmapper service (portmap, rpcbind) is required for mapping RPC
requests to a network service. The Portmapper service is needed e.g.
for mounting network shares using the Network File System (NFS).
The Portmapper service runs on port 111 tcp/udp.

How should I proceed with this? This is a Kubernetes node and I cannot log in to it directly to enable a firewall and block traffic on UDP/111.

If I change the node password, I have to rebuild it, so it won't rejoin the cluster and my SSH key doesn't seem to have been copied to the machine, as it is still asking for a password, which I didn't set during node creation, as it was automated by Kubernetes.

1 Reply

Linode doesn't require you to do anything regarding these notices. They are simply sent as a courtesy.

With that said, if you would like to log in to the node, you should be able to do so without rebuilding it. I just tested this out on one of my nodes in a cluster and after resetting the root password, kubectl get nodes showed it was available as part of the cluster, shortly after booting it back up.

Someone on our LKE team wrote up the following Community post regarding securing your LKE cluster, which may help:

https://www.linode.com/community/questions/19155/securing-k8s-cluster#answer-70974

Additionally, we've brought this up to our LKE team in the past (specifically regarding this potential security issue with rpcbind) and they mentioned the following.

rpcbind is required for an NFS server, to allow other RPC services to discover the port that nfsd is listening on. We recently added the nfs-common package to all LKE nodes, per customer request for NFS volume support. rpcbind is a direct dependency of the nfs-common package, however it is not needed for NFS clients using nfsv4 (below v4 it is required for file locking).

Since it does have potential for abuse, our team will look into securing this, though we don't have an ETA for when it will be addressed. It's also worth noting that default Debian installations include nfs-common, and thus rpcbind.

If you are not interested in using NFS volumes, you can disable the rpcbind service on your LKE nodes by resetting the root password and shelling in, and running these commands:

systemctl stop rpcbind.service

systemctl disable rpcbind.service
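A way to confirm the result of the commands above, as an added example that is not part of the original thread: it parses `ss -H -tuln` output for sockets bound to port 111. With `--live` it also reports the unit state, including `rpcbind.socket`, which is assumed to exist on the node (Debian's rpcbind package ships it) and which can start the service on demand. The sample `ss` output is constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): confirm nothing still listens
# on port 111 after rpcbind has been stopped and disabled.

# Constructed sample of `ss -H -tuln` output from a node where rpcbind is running.
SAMPLE_SS='udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:111       0.0.0.0:*
tcp   LISTEN 0      4096            [::]:111          [::]:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:10248     0.0.0.0:*'

# Read `ss -H -tuln` output on stdin; print "proto local_addr" for every
# socket whose local port is exactly 111 (so 1110 or 11100 do not match).
listeners_on_111() {
  awk '{
    n = split($5, parts, ":")   # IPv6 "[::]:111" also ends in the port
    if (parts[n] == "111") print $1, $5
  }'
}

# Succeed (exit 0) only when the ss output on stdin shows no listener on port 111.
port_111_closed() {
  [ -z "$(listeners_on_111)" ]
}

if [ "${1:-}" = "--live" ]; then
  # On the node itself: report unit state first, then check the actual sockets.
  # rpcbind.socket is an assumption (Debian's rpcbind package ships it).
  systemctl is-enabled rpcbind.service rpcbind.socket
  systemctl is-active rpcbind.service rpcbind.socket
  if ss -H -tuln | port_111_closed; then
    echo "OK: nothing listening on port 111"
  else
    echo "WARNING: port 111 still open:"
    ss -H -tuln | listeners_on_111
    exit 1
  fi
else
  echo "Listeners on port 111 in the constructed sample:"
  printf '%s\n' "$SAMPLE_SS" | listeners_on_111
fi
```

Run it with `--live` as root on the node after the `systemctl` commands; a non-zero exit means something is still bound to TCP or UDP port 111.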
