Portmapper servers

Received a strange e-mail from my cloud hosting provider (Vultr) today:

Dear Customer,

Recent network security audits have detected some issues on your instances. Please review the following reports and help us to ensure the security of our network:

== Portmapper servers ==
Portmapper is a service usually used with NFS. When this is not properly firewalled, it can be abused to conduct DDOS attacks. We recommend that all portmapper services be behind a firewall, and restricted to only IPs that need to contact them.

For Linux machines, please add firewall rules to block port 111 on both UDP and TCP:

iptables -I INPUT 1 -m tcp -p tcp --dport 111 -j DROP
iptables -I INPUT 1 -m udp -p udp --dport 111 -j DROP

Please see https://blog.cloudflare.com/reflections-on-reflections/ for more information on reflection attacks.

The following IPs have been detected running open portmapper servers:
XXXX - at 2018-04-03 10:23:03

Is this something used by FreePBX? What are your recommendations to correct the issue without breaking anything?

I put in the suggested iptables updates and had no issues.

If you are using the Integrated Firewall in FreePBX, you shouldn’t have a problem either way. They have access to your address since they are probably in the “local” or “trusted” network, so they could access any port on the machine with their scanner. If you want to make sure these rules are permanent, you can add them either through the normal “services” tab or you can add them in the “custom rules” section.

If you are not using the Integrated Firewall, be sure to add these in a way that makes them permanent.
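Added example, not part of the thread: a small audit script that reports whether rpcbind/portmapper is listening on a non-loopback address and whether DROP rules like the ones in the provider's e-mail are loaded. The function names and sample data are constructed for illustration; the `--live` mode assumes `ss` and `iptables` are installed and that it is run as root.

```shell
#!/bin/sh
# Added example: check a host for the exposure the provider's e-mail describes.
# Both functions read command output on stdin, so saved output can be audited too.

# From `ss -lntu` output, print listeners on port 111 not bound to loopback.
exposed_111_listeners() {
    awk '{
        laddr = $5                      # "Local Address:Port" column
        n = split(laddr, parts, ":")
        port = parts[n]
        if (port != "111") next         # also skips the header line
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        if (addr ~ /^127\./ || addr == "[::1]") next
        print $1, laddr
    }'
}

# From `iptables -S INPUT` output, succeed if an unconditional DROP/REJECT
# for destination port 111 exists for protocol $1 (tcp or udp).
# Source-restricted rules (-s) are ignored because they block only some hosts.
has_drop_111() {
    awk -v proto="$1" '
        $1 == "-A" && index($0, " -p " proto " ") && / --dport 111 / &&
        / -j (DROP|REJECT)/ && !/ -s / { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample data (not taken from a real host).
SAMPLE_SS='udp UNCONN 0 0 0.0.0.0:111 0.0.0.0:*
tcp LISTEN 0 128 [::]:111 [::]:*
tcp LISTEN 0 128 127.0.0.1:111 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -p udp -m udp --dport 111 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

if [ "${1:-}" = "--live" ]; then
    ss -lntu | exposed_111_listeners
    for p in tcp udp; do
        iptables -S INPUT | has_drop_111 "$p" || echo "no $p DROP rule for port 111"
    done
else
    printf '%s\n' "$SAMPLE_SS" | exposed_111_listeners
    for p in tcp udp; do
        printf '%s\n' "$SAMPLE_RULES" | has_drop_111 "$p" || echo "sample: no $p DROP rule for port 111"
    done
fi
```

A listener reported on `[::]:111` is reachable over IPv6, which `iptables` rules do not filter; that traffic is handled by `ip6tables`.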
