Network security issue: Portmapper servers

dfoy

I continue to get the following alert from my ISP (Vultr.com, where shared servers are called "instances")
[begin quote]
...
Recent network security audits have detected some issues on your instances. Please review the following reports and help us to ensure the security of our network:
== Portmapper servers ==
Portmapper is a service usually used with NFS. When this is not properly firewalled, it can be abused to conduct DDOS attacks. We recommend that all portmapper services be behind a firewall, and restricted to only IPs that need to contact them.
For Linux machines, please add firewall rules to block port 111 on both UDP and TCP:

iptables -I INPUT 1 -m tcp -p tcp --dport 111 -j DROP
iptables -I INPUT 1 -m udp -p udp --dport 111 -j DROP

Please see https://blog.cloudflare.com/reflections-on-reflections/ for more information on reflection attacks.

The following IPs have been detected running open portmapper servers:
[my cloudron IP was shown here]
If you believe these reports to be false positives, please let us know.

[end of quote]

How should I address this?

girish

@dfoy Cloudron does not install NFS server and there should be nothing in port 111. Even if NFS package was installed and server is running, Cloudron firewall does not open port 111.

Did you install NFS on your server by any chance ? Are you able to connect with telnet <server-ip> 111 ? Otherwise, this looks like a false positive.

dfoy

@girish Thanks. I'll take this up with Vultr.
David Foy

girish

@dfoy yes, let us know what they say. Happy to make fixes, if any needed.