User Tools

Site Tools


Incident/abuse reports

When IP addresses from our network are the source of spam or are attacking other systems, we often receive abuse notices. We're forwarding these notices to individual members who should then secure their VPS. The notices may also be precautionary when services which are known to be exploitable are available from the public Internet.


Portmapper, or rpcbind, is a part of NFSv3. You have it running most likely because you're using NAS. Portmapper is used by the NFS client to discover which ports on the NFS server should it connect to. rpcbind shouldn't be available from the public Internet, as it is often used in amplification attacks. rpcbind's response is much larger than the initial request, which the attacker uses to overwhelm the victim.

Portmapper listens on port 111. We can block it, but we must allow existing connections:

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp --dport 111 -j DROP
iptables -A INPUT -p udp --dport 111 -j DROP

ip6tables -A INPUT -p tcp --dport 111 -j DROP
ip6tables -A INPUT -p udp --dport 111 -j DROP

Note that iptables rules configured like this will be lost when the VPS is restarted. For these rules to be persistent, consult your distribution's documentation.


memcached is often used for amplification attacks. The attacker uses your memcached server to send responses to victims, as the response is much larger than the attacker's request. If you're using memcached only locally, it is best to have it listen only on localhost. In case you're using memcached from multiple VPS, secure it using the firewall to not be available from the public Internet.

manuals/vps/incidents.txt · Last modified: 2023/08/14 21:13 by Aither