Hi!
I recently setup a Proxmox host on Hetzner and I’m pretty happy with how its going. The security basics like disabling root ssh, only public key login over ssh, fail2ban, etc seem to be working nicely so far (more hardening suggestions always welcome).
Today Hetzner forwarded me an email by the “German Federal Office for Information Security” informing me about an open port 111 on my server, which could potentially be used for reflection DDoS attacks.
First of all, I’m pretty impressed, that there’s a German ministry checking for things like this. Pretty cool.
Second, how do I remedy this?
From what I can tell, NFS is the only thing that really needs it (am I missing something?). currently i am not using NFS, but I’ll probably need it at some point to permanently mount a storage box.
For now tho I’ve tried stopping & disabling portmap.service with systemctl, but it seems to start right back up for some reason…
Any advice on this would be greatly appreciated! I don’ really need another scary looking email from a German ministry hitting my inbox 
Here's the full email for anyone interested
Dear Sir or Madam,
the Portmapper service (portmap, rpcbind) is required for mapping RPC
requests to a network service. The Portmapper service is needed e.g.
for mounting network shares using the Network File System (NFS).
The Portmapper service runs on port 111 tcp/udp.In addition to being abused for DDoS reflection attacks, the
Portmapper service can be used by attackers to obtain information
on the target network like available RPC services or network shares.Over the past months, systems responding to Portmapper requests from
anywhere on the Internet have been increasingly abused DDoS reflection
attacks against third parties.Please find below a list of affected systems hosted on your network.
The timestamp (timezone UTC) indicates when the openly accessible
Portmapper service was identified.We would like to ask you to check this issue and take appropriate
steps to secure the Portmapper services on the affected systems or
notify your customers accordingly.If you have recently solved the issue but received this notification
again, please note the timestamp included below. You should not
receive any further notifications with timestamps after the issue
has been solved.Additional information on this notification, advice on how to fix
reported issues and answers to frequently asked questions:
https://reports.cert-bund.de/en/This message is digitally signed using PGP.
Information on the signature key is available at:
https://reports.cert-bund.de/en/digital-signaturePlease note:
This is an automatically generated message. Replies to the
sender address <[email protected]> will NOT be read
but silently be discarded. In case of questions, please contact
<[email protected]> and keep the ticket number [CB-Report#…]
of this message in the subject line.Affected systems on your network:
Format: ASN | IP | Timestamp (UTC) | RPC response
24940 | | 2024-10-29 06:07:36 | 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;Mit freundlichen Grüßen / Kind regards
Team CERT-BundBundesamt für Sicherheit in der Informationstechnik
Federal Office for Information Security (BSI)
CERT-Bund
Godesberger Allee 87, 53175 Bonn, Germany
Cheers,
K1ngjulien