Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[nynyny2]

Hi, recently had a security scan done on a DIR 655 and the report came back saying PORT 111 (Unix RPC Service) should not be listening for external connections. I've looked through every setting but can't find where this service is enabled (or can be altered) -- can anyone offer guidance on this port/service?

[FurryNutz]

Are you using any Unix based devices?

[Hard Harry]

I think your looking in the wrong place. I think thats because UPnP Is opening it when windows boots because of RPC. I assume this scan is external?

Remote Procedure Call (RPC) Locator
Manages the RPC name service database.
Comment: There are some network programs and protocols that require this to be turned on. Chances are you could just turn it off and see if you break anything. If you are using a single PC in your home or SOHO, it's likely just a security risk. If you don't know you need it, disable

[nynyny2]

@FurryNutz: am not using an Unix devices/servers/computers

@HardHarry: I'm finding PORT 111 still 'listens' even with UPNP disabled; yes scan is external. Did I not make the correct change?

I'm also wondering why the router would even listen on the external port 111, especially with some of the RPC security issues mentioned within last 10 years...

I think your looking in the wrong place. I think thats because UPnP Is opening it when windows boots because of RPC. I assume this scan is external?

Remote Procedure Call (RPC) Locator
Manages the RPC name service database.
Comment: There are some network programs and protocols that require this to be turned on. Chances are you could just turn it off and see if you break anything. If you are using a single PC in your home or SOHO, it's likely just a security risk. If you don't know you need it, disable

[Hard Harry]

Well UPnP may be disabled on the router, but is it disabled on the computer? My suggestion is to just disable RPC on all computers on the network and see if that works. I don't think there is a way to manually adjust the firewall rules for multiple PC's on the LAN. Could to a Port forward for each PC then set a block all filter. But if your getting network scans done on your network, I am thinking this router is being used in a business? If so, I would personally not rely on this router with it's simple firewall to protect your business.

[nynyny2]

(I know this is an old thread; but I wanted to follow up with getting this resolved).

I do have an Ooma device behind the router, and a Windows 7 computer running. Could either of those be running RPC by default? If yes, is there a way I can tell which device might be running RPC services on it?

[FurryNutz]

RPC is running on my Windows 7 x64 box. I believe RPC is automatic ON by default.

[nynyny2]

Does that cause the router to then listen on PORT 111 externally? If yes, can I block at the router even though DHCP used?

[FurryNutz]

I would refer you to contact MS and ask if this is a port the RPC uses. I don't know if it is or if it even uses ports at all.

http://en.wikipedia.org/wiki/Remote_procedure_call

You can block ports under Access Control.

Is there a reason your looking to block this port?

[nynyny2]

A security scan (related to my other post) is saying RPC services is listening on the external port of the DIR 655. Why would it be listening on that port?

[Hard Harry]

The Windows 7 machine is the most likly culprit. Try

Start > Run > CMD > type "netstat -afno"
Right Click on top of window > Edit > Select All > Hit enter key
Start > Run > Notepad
CTRL+V
CTRL+F and search for "111"
This will show if if that machine is listening on, where that port is routed to, and what PID is listening.
Once you find the PID, go to your Task Manager and View > Select Columns and Select PID. Then sort Processes Tab by PID and found the one that was listening on port 111.

If its the RPC, then there you go. If its something else, like a svchost.exe, that gets more complicated, but I can give you commands to find out what .dll's are in that svchost. If you don't see it at all in the Netstat, then its probably something else in your network and I would suggest just turning devices off one by one and doing the scan. Last, if you see the port in netstat, but the PID isn't showing in Task Manager, you might be infected by some kind of trojan using RPC to communicate.

[FurryNutz]

Is port 111 really that important?

[Hard Harry]

Its not that its important, its that its a minor security risk because worms and bots will do a port scan and if they see it set to listening, might use it as a point of entry in a attack.

[FurryNutz]

Got cha. Any chance of false positive here being that there are different results with different sites?

[Hard Harry]

Yea, by the way, when I mentioned disabling RPC on all computers I meant that as only a way to isolate the issue. DO NOT keep RPC disabled unless you want to troubleshoot all the other services that use it.