  1. #1
    New Lounger
    Join Date
    Dec 2009
    Location
    Atlanta
    Posts
    13
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Port 111 problem

    My PC (W7) has been audited and it failed.
    This is the outside contractor's error message:
    **************************************************************
    Ports associated with Unix/Linux remote procedure calls (RPC) are accessible from the Internet.
    This generally reflects a lack of adequate firewall rules or other network-level access control.

    Restrict access from the general Internet to the identified service.


    Protocol udp
    Port 111

    **************************************************************
    I've been all over the internet and found a bunch of people talking about "port 111", and every one of them is talking over my head (has nothing to do with me sitting down).
    I'm hoping someone here can help me to resolve this issue.
    Thanks..........
    I was trained on vacuum tubes.
    Most everything I've worked on are in museums.
    Yea ... I'm old.


  3. #2
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    Audited by whom or what? If it was a person or organisation, they should give you more specific advice.

    Port 111 is used by the port mapper service. This is a service, normally used in commercial client-server scenarios, that allows an inquiring service to determine what software has been mapped to various ports so that they can communicate. Typically it is used to allow network hosts to communicate with resources available on a server.

    Calls to port 111 are not accessible from the internet unless your firewall allows them. It would be dangerous to do so and your firewall should not be setup to forward port 111 unless you know what you are doing.

  4. #3
    New Lounger
    Join Date
    Dec 2009
    Location
    Atlanta
    Posts
    13
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I accept credit cards. I have to be certified by my merchant account provider. They use an outfit called Trustwave. They are the ones that are doing the audit.

    Calls to port 111 are not accessible from the internet unless your firewall allows them. It would be dangerous to do so and your firewall should not be setup to forward port 111 unless you know what you are doing.
    I've looked and poked around my W7, using my limited knowledge, and can't seem to find how to stop port 111.

    Any help would be extremely appreciated.

  5. #4
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    So it seems Trustwave ran a port scan and found a response on port 111 from your router or firewall.

    The results, if they are correct, are worrying: they suggest that port 111 is available to the outside world. That is a very unusual situation and would normally require specific action to implement. From your comments, I think it safe to assume that you haven't forwarded port 111 in your router.

    So what is left is either a badly configured router, a system that has no router firewall (old usb attached adsl modems fall into this category), or an erroneous result. If you have no router firewall, then it is possible port 111 may be exposed to the internet - which is what Trustwave apparently have found. Replacing an old usb attached modem with a modern router would resolve that.

    You can check for open ports on your router yourself using ShieldsUp.

    You can check for open ports on the PC using the command netstat -an in a command prompt window.
    Last edited by Tinto Tech; 2012-03-28 at 13:11.

  6. #5
    New Lounger
    Join Date
    Dec 2009
    Location
    Atlanta
    Posts
    13
    Thanks
    0
    Thanked 0 Times in 0 Posts
    ...you haven't forwarded port 111 in your router.
    Not that I know of.

    I ran ShieldsUp.
    Common Port Scan came back all green (stealth). No issue.
    All Service Ports Scan came back all green (stealth). No issue.
    Ran the specific Probing Port for 111 and came back as green (stealth). No issue.

    I ran the netstat command and did not see anything that includes 111 in the results.

    Since I'm running W7 and not LINUX and port 111 is related to LINUX, should I just tell Trustwave to pass me?

    My cable connection is Motorola SB6120.
    My router is D-Link DIR-655.

    Again, thanks for your continued help.

  7. #6
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    If ShieldsUp shows that you are closed to the outside world and netstat shows Port 111 is not in use on the PC, I would consider that you are probably clean.

    It may be worthwhile running a couple of additional tests from other online port scanners just to be certain: then you can be confident that there is an error in the contractors results.

    The Portmapper service on port 111 is used in the Windows world as well as Linux. Unfortunately therefore, you can't dismiss it because you are running Win7: I think you need to know that it is closed - it is a big security risk if it is open and accessible via the internet.

    At the same time, I think it reasonable that the contractor demonstrates that it is open as he claims - particularly if your business depends on the result.

  8. #7
    New Lounger
    Join Date
    Dec 2009
    Location
    Atlanta
    Posts
    13
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I ran PCflank and it came back as stealth.

    I have sent a note to Trustwave to dispute their findings.

    Wait-n-see.......

    Thanks for your quick and friendly help.

  9. #8
    New Lounger
    Join Date
    Dec 2009
    Location
    Atlanta
    Posts
    13
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Trustwave denied my dispute.
    Waiting to hear back from them as to what I need to do to pass their test.

  10. #9
    New Lounger
    Join Date
    Dec 2009
    Location
    Atlanta
    Posts
    13
    Thanks
    0
    Thanked 0 Times in 0 Posts
    All-rite-tee-then.
    They denied my dispute.
    Here is their reply which is waaaaaay over my head.
    Thanks for your help.
    ==============================================

    Description:
    Ports associated with Unix/Linux remote procedure calls (RPC) are accessible from the Internet. This generally reflects a lack of adequate firewall rules or other network-level access control.

    Remediation:
    Restrict access from the general Internet to the identified service.

    We have denied this dispute based on the lack of information provided regarding how this finding has been addressed.

    Any issues detected on a system that is in scope for PCI DSS compliance would need to have all PCI-non compliant issues remediated (which is any system involved in the storage, processing, and/or transmission of credit card holder data and any system directly connected to a network involved in such processes which does not have proper network segmentation in place).

    Please review the scan report and follow the suggestions found underneath the "Remediation" column and then perform another scan when the vulnerability has been remediated to clear the finding from your next scan report.

    If the vulnerability continues to be detected after this point and/or if you have already performed this then please feel free to re-dispute this vulnerability and explain what was performed to address the finding.

    *Additionally, manual investigation is as follows:

    $ nmap -P0 -sU XX.XX.17.221 -p 109-114 (I redacted the IP address)

    Starting Nmap 5.51 ( http://nmap.org ) at 2012-03-29 15:38 ric

    Nmap scan report for c-xx-xx-17-221.hsd1.ga.comcast.net (xx.xx.17.221) (I redacted the IP address)
    Host is up (0.039s latency).
    PORT STATE SERVICE
    109/udp open|filtered pop2
    110/udp open|filtered pop3
    111/udp open rpcbind
    112/udp open|filtered mcidas
    113/udp open|filtered auth
    114/udp open|filtered audionews

    Nmap done: 1 IP address (1 host up) scanned in 8.22 seconds

  11. #10
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    They have used a freeware tool (Network Mapper, or nmap) to probe your system. The nmap result is difficult to argue with, but there are a few things to look at.

    • Confirm the IP they probed is actually yours, and was the same at the time of the test. If it's not a static IP, they may have probed somebody else.
    • Check with Comcast in case their network reports something on port 111.
    • Run the IP scanner tools, but this time locate one specifically testing UDP ports.
    • Investigate the router config, see if there is anything that would suggest the port being accessible: UPnP enabled, spi firewall, port forwarding.
    • Consider swapping the router with an alternative model, or placing a second router between the cable modem and your system.
    • Turn off UPnP services on the PC: using services.msc, look for UPnP Host and disable it. Do the same on any other network resources.
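The two checks the thread relies on are the contractor's nmap UDP report (post #9) and the local netstat -an listing (post #4), and the reasoning in the list above is about reconciling them. The following is an added example, not code from anyone in the thread: it parses constructed samples of both outputs (placeholder addresses, not the poster's), keeps only UDP ports nmap marked plain "open" (a real reply was received, here from rpcbind), and reports whether a confirmed external finding matches a listener on the PC or must have been answered upstream.

```python
import re

# Constructed sample in the format of the nmap -sU report quoted in the
# thread; the host and address are placeholders.
NMAP_REPORT = """\
Nmap scan report for host.example.invalid (192.0.2.10)
Host is up (0.039s latency).
PORT     STATE         SERVICE
109/udp  open|filtered pop2
110/udp  open|filtered pop3
111/udp  open          rpcbind
112/udp  open|filtered mcidas
"""

# Constructed sample of Windows 'netstat -an' output with no listener on 111.
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:3702           *:*
  UDP    192.0.2.10:137         *:*
"""

NMAP_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)

def confirmed_open_udp(report):
    """Return {port: service} for UDP ports nmap marked plain 'open'.

    For UDP, 'open' means a reply actually came back (an RPC response from a
    portmapper in this case), while 'open|filtered' only means nothing
    answered; only the former is evidence of an exposed service."""
    return {int(p): svc for p, proto, state, svc in NMAP_LINE.findall(report)
            if proto == "udp" and state == "open"}

NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s", re.M)

def local_udp_listeners(netstat):
    """Return the set of UDP ports the PC itself has bound."""
    return {int(port) for proto, addr, port in NETSTAT_LINE.findall(netstat)
            if proto == "UDP"}

def locate_exposure(report, netstat, port=111):
    """Reconcile the auditor's external result with the local netstat view."""
    if port not in confirmed_open_udp(report):
        return "not confirmed open externally"
    if port in local_udp_listeners(netstat):
        return "listener on this PC: stop the service or block it at the router"
    return "answered upstream (router/modem) or scanned address not yours"
```

With the samples above the verdict is the upstream one, which is exactly the case the list is trying to narrow down: the router, the modem, or a wrong address.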

  12. #11
    Star Lounger
    Join Date
    Apr 2010
    Location
    Bath, UK
    Posts
    55
    Thanks
    8
    Thanked 3 Times in 3 Posts
    Can you specifically block port 111 in your Router?

  13. #12
    New Lounger
    Join Date
    Dec 2009
    Location
    Atlanta
    Posts
    13
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Not ignoring you guys, just got a lot of work right now. Back in 1-2-3 days.

  14. #13
    Star Lounger
    Join Date
    Dec 2009
    Location
    Southern CA, USA
    Posts
    52
    Thanks
    5
    Thanked 0 Times in 0 Posts
    Quote, originally posted by Tinto Tech:
    So it seems Trustwave ran a port scan and found a response on port 111 from your router or firewall.

    The results, if they are correct, are worrying: they suggest that port 111 is available to the outside world. That is a very unusual situation and would normally require specific action to implement. From your comments, I think it safe to assume that you haven't forwarded port 111 in your router.

    So what is left is either a badly configured router, a system that has no router firewall (old usb attached adsl modems fall into this category), or an erroneous result. If you have no router firewall, then it is possible port 111 may be exposed to the internet - which is what Trustwave apparently have found. Replacing an old usb attached modem with a modern router would resolve that.

    You can check for open ports on your router yourself using ShieldsUp.

    You can check for open ports on the PC using the command netstat -an in a command prompt window.
    I used the ShieldsUp tests, several of them, and passed them all fortunately. It's a fascinating tool, thanks.

  15. #14
    New Lounger
    Join Date
    Dec 2009
    Location
    Dryden, Ontario, Canada
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    WaterBoyz,

    there's another line of investigation you could pursue, if you wish. Trustwave was hired to do a PCI-DSS audit on your systems, on behalf of your credit card processor. That means they cannot directly help you solve your problem, as that would put them in a conflict of interest (they cannot then audit their own work).

    However, nothing stops *you* from hiring another firm to help you with this problem directly. I did a quick Google search for PCI-DSS consultants (or alternatively, "CISA", or "IS-Audit" might work too) in the Atlanta area and several names came up. You could ask them for specific help to solve this problem (show them Trustwave's findings). Probably only cost you a few hundred $$$. If this issue is holding you up from getting a clean audit opinion (and thus being able to process credit cards), the cost might be worth it. I'm all for free advice but it sounds like your situation is a tad more complicated, especially if Gibson's ShieldsUp says that all is fine. And it's hard for us to do more without witnessing the equipment, situation, direct port testing, etc.

    Just a thought.
