Port reference
Port 111 (TCP/UDP) – RPCbind / Portmapper
ONC RPC portmapper — tells clients which ports dynamic RPC services (NFS, NIS, mountd) listen on.
Default state
Open on Linux/Unix and Solaris hosts running RPC-based services such as NFS or NIS, often left exposed by default with the rpcbind package.
Common attacks
- RPC service enumeration to discover NFS, mountd, NIS and statd
- UDP amplification / reflection DDoS
- Pivot to NFS export access and NIS data exposure
- Exploitation of vulnerable RPC services advertised by the mapper
Hardening
- Do not expose 111 to the internet — block at the perimeter firewall
- Bind rpcbind to internal interfaces and restrict with tcp_wrappers / firewall rules
- Disable rpcbind entirely if no RPC services (NFS/NIS) are in use
- Use NFSv4 which does not require the portmapper
- Filter UDP/111 to prevent amplification and reflection
nmap snippet
nmap -p111 -sU -sT --script rpcinfo <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 111?
Port 111 is the home of RPCbind, historically called the portmapper, the
directory service for ONC RPC (Sun RPC). RPC programs register with rpcbind
and are assigned dynamic ports; a client first asks rpcbind on 111 "which port is
NFS / mountd / NIS on?" and is then directed to the right place. It listens on
both TCP and UDP and underpins NFSv2/v3, NIS, and rpc.statd.
Why it matters for security
Because rpcbind enumerates every RPC service on a host, an open 111 hands an attacker a map of what to attack next — most importantly NFS exports and NIS data. Worse, the UDP side is a classic amplification vector: a small spoofed query returns a much larger response, letting attackers reflect traffic at a victim. Many of the services it advertises (statd, mountd) have their own history of remote vulnerabilities.
How it's attacked
Attackers run rpcinfo or the nmap rpcinfo script against 111 to list
registered programs and their ports, then pivot to nfs-showmount to read
NFS exports or target NIS. Spoofed-source UDP queries are used to launch
reflection/amplification DDoS. Any vulnerable RPC daemon discovered through the
mapper becomes a direct exploitation target.
Hardening checklist
Never expose 111 to the internet — drop TCP and UDP/111 at the perimeter. Bind rpcbind to internal interfaces and restrict callers with host-based firewall rules or tcp_wrappers. If you do not run NFSv2/v3 or NIS, disable rpcbind entirely. Prefer NFSv4, which uses a single well-known port and needs no portmapper. Use the nmap snippet above to inventory advertised RPC services on hosts you are authorized to test.
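To support the "disable rpcbind if unused" decision above, here is an added example (not part of the original page): a Python script that parses `rpcinfo -p` output from a host you administer and reports which registered programs still depend on the mapper. The sample output is constructed, and the function names `parse_rpcinfo` and `audit` are hypothetical.

```python
from collections import defaultdict

# Constructed sample of `rpcinfo -p` output (not captured from a real host).
SAMPLE = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  45678  status
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    3   udp  20048  mountd
"""

PORTMAPPER, NFS = 100000, 100003
# Well-known ONC RPC program numbers for the services the page names.
LEGACY = {100003: "nfs", 100005: "mountd", 100024: "statd",
          100004: "ypserv (NIS)", 100007: "ypbind (NIS)"}

def parse_rpcinfo(text):
    """Return {program: {"name": str, "regs": {(vers, proto, port), ...}}}."""
    progs = defaultdict(lambda: {"name": "?", "regs": set()})
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or not all(x.isdigit() for x in (f[0], f[1], f[3])):
            continue  # header, blank or malformed line
        prog, vers, proto, port = int(f[0]), int(f[1]), f[2], int(f[3])
        progs[prog]["regs"].add((vers, proto, port))
        if len(f) > 4:
            progs[prog]["name"] = f[4]
    return dict(progs)

def audit(text):
    """Summarise which registrations keep rpcbind needed on this host."""
    progs = parse_rpcinfo(text)
    needs = []
    for prog, info in sorted(progs.items()):
        if prog == PORTMAPPER:
            continue  # the mapper registering itself is not a dependency
        vers = {v for v, _, _ in info["regs"]}
        if prog == NFS and vers == {4}:
            continue  # assumption from the page: NFSv4 needs no portmapper
        needs.append(LEGACY.get(prog, info["name"]))
    udp = any(p == "udp" for _, p, _ in progs.get(PORTMAPPER, {"regs": ()})["regs"])
    return {"rpcbind_needed_by": needs, "udp_111_registered": udp,
            "can_disable_rpcbind": not needs}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Feed it the text of `rpcinfo -p` run locally on each host; an empty `rpcbind_needed_by` list marks a candidate for disabling rpcbind, and `udp_111_registered` marks hosts where the UDP/111 filter matters.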
Frequently asked questions
- What is port 111 used for?
- Port 111 runs RPCbind (the portmapper), which tells clients which dynamic ports RPC services like NFS, mountd and NIS are listening on. It is required by NFSv2/v3 but not NFSv4.
- Is port 111 a security risk?
- Yes, when exposed. It leaks the full list of RPC services running on a host and can be abused for UDP amplification DDoS. It should never be reachable from the internet.