nikone
Команда форуму
Модератор
- Реєстрація
- 25.02.2016
- Повідомлення
- 242
- Репутація
- 28
- Вік
- 39
Сегодня получил абузу от хетзнера. Следующего содержания:
Увидев заголовок письма немного поднапрягся, так как никакой спам с сервера не рассылаю. Немного углубился в тему понял, что есть такая служба Portmapper которая в большинстве случае не нужна обычным вебмастерам, но она по умолчанию включена в современные дистрибутивы Linux и которая висит на порте 111, который часто доступен из вне. Вот это могут использовать злоумышленники для ддос атак, что скорее всего произошло и в моем случае.
Здесь есть 3 решения этого вопроса:
Для начала нужно определить, открыт ли 111 порт:
Если в выводе, как в примере выше есть несколько строк с LISTEN, и к 111 порту может подключиться любой желающий, следует заблаговременно предпринять меры по защите от атаки.
Отключение и удаление rpcbind или portmap
Ниже - примеры команд для отключения сервиса rpcbind (может называться portmap в некоторых системах) в различных дистрибутивах Linux: Debian 8, CentOS 7, Debian 7, CentOS 6, Debian 5 и Ubuntu.
Отключение rpcbind в Debian 8 и Centos 7
Отключение rpcbind в Debian 7 и Ubuntu
Отключение portmap в Debian 6
Для всех операционных систем производится одно и то же действие: отключение сервиса и запрет его автозапуска. После ввода команд по отключению службы RPC portmapper следует проверить 111 порт.
Теперь, при желании сэкономить немного места на диске, можно удалить сервис:
Debian 8, Debian 7 и Ubuntu
Centоs 7 и Centоs 6
Debian 6
Dear Mr Ivan Fedoriv
We have received a security alert from the German Federal Office for Information Security (BSI).
Please see the original report included below for details.
We are automatically forwarding this alert on to you, for your information.
You do not need to send us, or the BSI, a response.
However, we do ask that you check the alert and to resolve any potential issues.
Additional information is provided with the HOWTOs referenced in the report.
In case of further questions, please contact certbund@bsi.bund.de and keep the ticket number of the original report [CB-Report#...] in the subject line. Do not reply to <reports@reports.cert-bund.de> as this is just the sender address for the reports and messages sent to this address will not be read.
Kind regards
Abuse Team
Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen / Germany
Tel: +49 9831 5050
Fax: +49 9831 5053
Register Court: Registergericht Ansbach, HRB 6089
CEO: Martin Hetzner, Stephan Konvickova, Günther Müller
For the purposes of this communication, we may save some
of your personal data. For information on our data privacy
policy, please see: hetzner.com/datenschutzhinweis
On 31 Jul 08:56, reports@reports.cert-bund.de wrote:
> Dear Sir or Madam,
> the Portmapper service (portmap, rpcbind) is required for mapping RPC
> requests to a network service. The Portmapper service is needed e.g.
> for mounting network shares using the Network File System (NFS).
> The Portmapper service runs on port 111 tcp/udp.
> In addition to being abused for DDoS reflection attacks, the
> Portmapper service can be used by attackers to obtain information
> on the target network like available RPC services or network shares.
> Over the past months, systems responding to Portmapper requests from
> anywhere on the Internet have been increasingly abused DDoS reflection
> attacks against third parties.
> Affected systems on your network:
> Format: ASN | IP | Timestamp (UTC) | RPC response
> 24940 | 116.567.787.546 | 2020-07-30 06:55:45 | 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;
> 24940 | 159.46.577.976 | 2020-07-30 07:07:53 | 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;
> We would like to ask you to check this issue and take appropriate
> steps to secure the Portmapper services on the affected systems or
> notify your customers accordingly.
> If you have recently solved the issue but received this notification
> again, please note the timestamp included below. You should not
> receive any further notifications with timestamps after the issue
> has been solved.
> Additional information on this notification, advice on how to fix
> reported issues and answers to frequently asked questions:
> <reports.cert-bund.de/en/>
> This message is digitally signed using PGP.
> Information on the signature key is available at:
> <reports.cert-bund.de/en/digital-signature>
> Please note:
> This is an automatically generated message. Replies to the
> sender address <reports@reports.cert-bund.de> will NOT be read
> but silently be discarded. In case of questions, please contact
> <certbund@bsi.bund.de> and keep the ticket number [CB-Report#...]
> of this message in the subject line.
> !! Please make sure to consult our HOWTOs and FAQ available at
> !! <reports.cert-bund.de/en/> first.
> Mit freundlichen Gren / Kind regards
> Team CERT-Bund
> Bundesamt fr Sicherheit in der Informationstechnik
> Federal Office for Information Security (BSI)
> Referat OC23 - CERT-Bund
> Godesberger Allee 185-189, 53175 Bonn, Germany
We have received a security alert from the German Federal Office for Information Security (BSI).
Please see the original report included below for details.
We are automatically forwarding this alert on to you, for your information.
You do not need to send us, or the BSI, a response.
However, we do ask that you check the alert and to resolve any potential issues.
Additional information is provided with the HOWTOs referenced in the report.
In case of further questions, please contact certbund@bsi.bund.de and keep the ticket number of the original report [CB-Report#...] in the subject line. Do not reply to <reports@reports.cert-bund.de> as this is just the sender address for the reports and messages sent to this address will not be read.
Kind regards
Abuse Team
Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen / Germany
Tel: +49 9831 5050
Fax: +49 9831 5053
Register Court: Registergericht Ansbach, HRB 6089
CEO: Martin Hetzner, Stephan Konvickova, Günther Müller
For the purposes of this communication, we may save some
of your personal data. For information on our data privacy
policy, please see: hetzner.com/datenschutzhinweis
On 31 Jul 08:56, reports@reports.cert-bund.de wrote:
> Dear Sir or Madam,
> the Portmapper service (portmap, rpcbind) is required for mapping RPC
> requests to a network service. The Portmapper service is needed e.g.
> for mounting network shares using the Network File System (NFS).
> The Portmapper service runs on port 111 tcp/udp.
> In addition to being abused for DDoS reflection attacks, the
> Portmapper service can be used by attackers to obtain information
> on the target network like available RPC services or network shares.
> Over the past months, systems responding to Portmapper requests from
> anywhere on the Internet have been increasingly abused DDoS reflection
> attacks against third parties.
> Affected systems on your network:
> Format: ASN | IP | Timestamp (UTC) | RPC response
> 24940 | 116.567.787.546 | 2020-07-30 06:55:45 | 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;
> 24940 | 159.46.577.976 | 2020-07-30 07:07:53 | 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;
> We would like to ask you to check this issue and take appropriate
> steps to secure the Portmapper services on the affected systems or
> notify your customers accordingly.
> If you have recently solved the issue but received this notification
> again, please note the timestamp included below. You should not
> receive any further notifications with timestamps after the issue
> has been solved.
> Additional information on this notification, advice on how to fix
> reported issues and answers to frequently asked questions:
> <reports.cert-bund.de/en/>
> This message is digitally signed using PGP.
> Information on the signature key is available at:
> <reports.cert-bund.de/en/digital-signature>
> Please note:
> This is an automatically generated message. Replies to the
> sender address <reports@reports.cert-bund.de> will NOT be read
> but silently be discarded. In case of questions, please contact
> <certbund@bsi.bund.de> and keep the ticket number [CB-Report#...]
> of this message in the subject line.
> !! Please make sure to consult our HOWTOs and FAQ available at
> !! <reports.cert-bund.de/en/> first.
> Mit freundlichen Gren / Kind regards
> Team CERT-Bund
> Bundesamt fr Sicherheit in der Informationstechnik
> Federal Office for Information Security (BSI)
> Referat OC23 - CERT-Bund
> Godesberger Allee 185-189, 53175 Bonn, Germany
Здесь есть 3 решения этого вопроса:
- Закрыть доступ к порту 111 из вне с помощью файэрвола.
- Отключить эту службу.
- Если данную службу вы не используете, то целесообразно её отключить и удалить (что я успешно и сделал).
Для начала нужно определить, открыт ли 111 порт:
Код:
# lsof -i:111
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 38u IPv6 525138 0t0 TCP *:sunrpc (LISTEN)
systemd 1 root 46u IPv4 525139 0t0 TCP *:sunrpc (LISTEN)
rpcbind 15801 rpc 4u IPv6 525138 0t0 TCP *:sunrpc (LISTEN)
rpcbind 15801 rpc 5u IPv4 525139 0t0 TCP *:sunrpc (LISTEN)
rpcbind 15801 rpc 8u IPv4 1026896 0t0 UDP *:sunrpc
rpcbind 15801 rpc 10u IPv6 1021461 0t0 UDP *:sunrpc
Отключение и удаление rpcbind или portmap
Ниже - примеры команд для отключения сервиса rpcbind (может называться portmap в некоторых системах) в различных дистрибутивах Linux: Debian 8, CentOS 7, Debian 7, CentOS 6, Debian 5 и Ubuntu.
Отключение rpcbind в Debian 8 и Centos 7
Код:
# systemctl stop rpcbind
# systemctl disable rpcbind
Код:
# /etc/init.d/rpcbind stop
# update-rc.d -f rpcbind remov
Код:
# /etc/init.d/portmap stop
# update-rc.d -f portmap remove
Теперь, при желании сэкономить немного места на диске, можно удалить сервис:
Debian 8, Debian 7 и Ubuntu
Код:
# apt-get remove rpcbind
Код:
# yum remove rpcbind
Код:
# apt-get remove portmap