AbuseBSI e-mails from Germany

NethServer Version: 7.8.2003

I host on Hetzner and I received these e-mails from them, which are supposedly from certbund@bsi.bund.de

Are these e-mails legitimate? If so, I haven’t done anything special with these services or ports, so is this something that could be improved for the standard Neth install?

Dear Sir or Madam,

open DNS resolvers are abused for conducting DDoS reflection/
amplification attacks against third parties on a daily basis.

Affected systems on your network:

Format: ASN | IP | Timestamp (UTC)
12345 | | 2020-07-30 02:32:57

We would like to ask you to check if the open resolvers identified
on your network are intentionally configured as such and appropriate
countermeasures preventing their abuse for DDoS attacks have been

Dear Sir or Madam,

the Portmapper service (portmap, rpcbind) is required for mapping RPC
requests to a network service. The Portmapper service is needed e.g.
for mounting network shares using the Network File System (NFS).
The Portmapper service runs on port 111 tcp/udp.

In addition to being abused for DDoS reflection attacks, the
Portmapper service can be used by attackers to obtain information
on the target network like available RPC services or network shares.

Over the past months, systems responding to Portmapper requests from
anywhere on the Internet have been increasingly abused DDoS reflection
attacks against third parties.

Affected systems on your network:
Format: ASN | IP | Timestamp (UTC) | RPC response

12345 | | 2020-07-30 08:34:08 | 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;

We would like to ask you to check this issue and take appropriate
steps to secure the Portmapper services on the affected systems or
notify your customers accordingly.

Yes, see here.
But I think it’s about plain centos because Neth uses shorewall firewall by default and portmapper port should be closed.

I see. I think this may be related to my other Shorewall issues then. There have been times that the only way I could get access to my server was to disable Shorewall. So I guess my server may have been (ab)used to bounce some attacks in that window.

I don’t think that’s what the messages are telling you–rather, they’re telling you that you have services exposed to the Internet that can be abused in the ways they describe, and asking you to make sure you intend to have them, and if so that they’re properly secured.


That’s reassuring. And knowing that the default Shorewall config does block this, I should be OK once I get it working seamlessly. :slight_smile: