A German government agency is port-scanning servers in Germany
I bought a Hetzner AX41-NVME a few days ago with the single purpose of playing with IPv6 and testing how many things I can run on IPv6-only VPSs.
I have only had time to install Proxmox VE and do some initial configuration and testing. And since it is just a test server, I left it with the firewall disabled.
This morning Hetzner's abuse department forwarded the following email from the German Federal Office for Information Security (BSI) to me.
Dear Sir or Madam,

the Portmapper service (portmap, rpcbind) is required for mapping RPC requests to a network service. The Portmapper service is needed e.g. for mounting network shares using the Network File System (NFS). The Portmapper service runs on port 111 tcp/udp.

In addition to being abused for DDoS reflection attacks, the Portmapper service can be used by attackers to obtain information on the target network like available RPC services or network shares.

Over the past months, systems responding to Portmapper requests from anywhere on the Internet have been increasingly abused for DDoS reflection attacks against third parties.

Please find below a list of affected systems hosted on your network. The timestamp (timezone UTC) indicates when the openly accessible Portmapper service was identified.

We would like to ask you to check this issue and take appropriate steps to secure the Portmapper services on the affected systems or notify your customers accordingly.

If you have recently solved the issue but received this notification again, please note the timestamp included below. You should not receive any further notifications with timestamps after the issue has been solved.

Additional information on this notification, advice on how to fix reported issues and answers to frequently asked questions:
https://reports.cert-bund.de/en/

This message is digitally signed using PGP. Information on the signature key is available at:
https://reports.cert-bund.de/en/digital-signature

Please note:
This is an automatically generated message. Replies to the sender address reports@reports.cert-bund.de will NOT be read but silently be discarded. In case of questions, please contact certbund@bsi.bund.de and keep the ticket number [CB-Report#...] of this message in the subject line.

Affected systems on your network:
Format: ASN | IP | Timestamp (UTC) | RPC response
24940 | XXX.XXX.XXX.XXX | 2023-04-18 06:21:04 | 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;

Mit freundlichen Grüßen / Kind regards
Team CERT-Bund

Bundesamt für Sicherheit in der Informationstechnik
Federal Office for Information Security (BSI)
Referat OC22 - CERT-Bund
Godesberger Allee 185-189, 53175 Bonn, Germany
It is kind of them to remind me to secure my server, but is this normal? Are government agencies in other countries doing the same to prevent DDoS attacks and other crimes?
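To make the report concrete: the "RPC response" column is the output of the same unauthenticated portmapper DUMP call that scanners (and reflection attackers) send to port 111, and each entry is "program version port/protocol", with program 100000 being the portmapper itself. The following is an added example written for this thread, not code from the post or from CERT-Bund. It builds the DUMP request, decodes a reply, renders it in the report's format and computes the amplification a spoofed request would yield. The wire layout follows RFC 5531 (ONC RPC v2) and RFC 1833 (portmapper v2); the sample mapping list is constructed to match the shape of the report line, with the second triple made TCP so both protocol numbers are exercised.

```python
"""Encode and decode ONC RPC portmapper DUMP traffic (the probe behind the report).

Added example for this thread; not code from the post or from CERT-Bund.
Wire format follows RFC 5531 (RPC v2 message) and RFC 1833 (portmapper v2,
procedure PMAPPROC_DUMP = 4). SAMPLE_MAPPINGS is a constructed sample.
"""
import random
import socket
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4
MSG_CALL, MSG_REPLY = 0, 1
AUTH_NONE = 0
PROTO_NAMES = {6: "tcp", 17: "udp"}  # IPPROTO_TCP / IPPROTO_UDP as carried in the reply

# Constructed sample: the portmapper registering itself for v2-v4 on 111/udp and
# 111/tcp, i.e. the smallest listing an otherwise idle rpcbind hands out.
SAMPLE_MAPPINGS = [
    (100000, 4, 17, 111), (100000, 3, 17, 111), (100000, 2, 17, 111),
    (100000, 4, 6, 111), (100000, 3, 6, 111), (100000, 2, 6, 111),
]


def build_dump_request(xid: int) -> bytes:
    """The 40-byte unauthenticated DUMP call: xid, CALL, rpcvers 2, prog, vers, proc,
    followed by an empty AUTH_NONE credential and verifier (flavor 0, length 0)."""
    header = struct.pack(">IIIIII", xid, MSG_CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP)
    return header + struct.pack(">IIII", AUTH_NONE, 0, AUTH_NONE, 0)


def build_dump_reply(xid: int, mappings) -> bytes:
    """A successful (MSG_ACCEPTED / SUCCESS) DUMP reply, used to build a sample
    response offline; this is what a reflecting host sends to the spoofed source."""
    header = struct.pack(">IIIIII", xid, MSG_REPLY, 0, AUTH_NONE, 0, 0)  # verf then accept_stat
    body = b"".join(struct.pack(">IIIII", 1, *m) for m in mappings)  # 1 = another entry follows
    return header + body + struct.pack(">I", 0)  # 0 = end of list


def parse_dump_reply(data: bytes, expected_xid=None):
    """Decode a DUMP reply into [(prog, vers, proto, port), ...].
    Rejects a foreign xid, a denied or failed call, and a truncated packet."""
    if len(data) < 24:
        raise ValueError("truncated RPC reply header")
    xid, mtype, rstat, _vflavor, vlen = struct.unpack(">IIIII", data[:20])
    if expected_xid is not None and xid != expected_xid:
        raise ValueError("xid mismatch: reply does not belong to our request")
    if mtype != MSG_REPLY or rstat != 0:
        raise ValueError(f"call not accepted: msg_type={mtype} reply_stat={rstat}")
    off = 20 + ((vlen + 3) & ~3)  # skip verifier body; XDR pads opaque data to 4 bytes
    if off + 4 > len(data):
        raise ValueError("truncated RPC reply header")
    (astat,) = struct.unpack(">I", data[off:off + 4])
    off += 4
    if astat != 0:
        raise ValueError(f"procedure failed: accept_stat={astat}")
    mappings = []
    while True:
        if off + 4 > len(data):
            raise ValueError("truncated mapping list")
        (more,) = struct.unpack(">I", data[off:off + 4])
        off += 4
        if more == 0:
            return mappings
        if off + 16 > len(data):
            raise ValueError("truncated mapping entry")
        mappings.append(struct.unpack(">IIII", data[off:off + 16]))
        off += 16


def format_report(mappings) -> str:
    """Render mappings as 'prog vers port/proto;' entries, the report's RPC response column."""
    return " ".join(f"{p} {v} {port}/{PROTO_NAMES.get(proto, proto)};" for p, v, proto, port in mappings)


def amplification_factor(request: bytes, reply: bytes) -> float:
    """Bytes returned per byte sent. UDP lets the 40-byte request carry a spoofed source,
    so the whole reply lands on the victim; more registered RPC services mean a bigger reply."""
    return round(len(reply) / len(request), 2)


def probe(host: str, timeout: float = 2.0):
    """Live check of one host over UDP (not exercised offline), in the spirit of
    `rpcinfo -p HOST`; run it only against systems you are responsible for."""
    xid = random.getrandbits(32)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_dump_request(xid), (host, 111))
        data, _ = s.recvfrom(65535)
    return parse_dump_reply(data, xid)


if __name__ == "__main__":
    req = build_dump_request(0x1234)
    rep = build_dump_reply(0x1234, SAMPLE_MAPPINGS)
    print(format_report(parse_dump_reply(rep, 0x1234)))
    print(f"{len(req)} bytes out, {len(rep)} bytes back, x{amplification_factor(req, rep)}")
```

Even this minimal six-entry listing answers 40 bytes with 148, and a host that also registers NFS, mountd and the lock manager returns several times more, which is why an Internet-facing rpcbind is listed as a reflector. Running `probe("127.0.0.1")` on the box tells you whether rpcbind is answering at all; if NFS is not in use, stopping and disabling rpcbind (on Debian-based systems such as Proxmox, both the service and its socket unit) removes the exposure, and otherwise port 111 belongs behind the firewall.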
Comments
That has not happened in Romania.
I received such an email from the Finnish Transport and Communications org. They send alerts if your Finnish IP connects to a malware honeypot.
Yes, I’ve seen abuse reports from State of Missouri government department, university laboratories, etc.
The Dutch "Digital Trust Centre" started doing this too - sadly, another mail address to block in our mailservers, next to the commonly known CERT-BUND spam.
We get these emails every day too. It seems they're scanning our customers' servers because our IPs are associated with our German company.
Sure, in Poland our CERT department is also scanning for this type of service and for outdated IPMI, services which should be on a private network.
Yeah, that's pretty much normal. The German BSI does this for at least servers in DACH; I remember receiving those for like 5 years now, usually if one of my clients "forgets" to patch his Exchange or exposes unpatched RDP servers.
Don't blame them, blame yourself/your customers for lack of competence.
And we receive those emails daily on the OVH server, but it's even more fascinating to see how many scans you have on the network from other entities, less governmental and more malicious:)
They are most likely acting on the results of Shadowserver scans for select open ports or services identified as potentially problematic (e.g., RPC, TELNET) in their country. You may see similar things from other country-wide incident response teams like those in Spain and Canada, for example. It is not just governments; many ISPs around the globe subscribe to network-based scan results and alert customers. It is not uncommon.
But we have it in Romania too. We receive almost identical emails from DNSC/CERT. They even notify us of servers that have browseable/open web directories.
The NCSC has done this in the past in the UK too, as far as I know they still do it
That's not an excuse.
If you want to test something without bothering anyone else, you should do it in a test environment and not unprotected and accessible for everyone on the public internet.
The UK does this, too:
https://lowendbox.com/blog/getting-scans-from-18-171-7-246-and-35-177-10-231-its-the-uk-government/
All normal countries do this.
And many abnormal ones.
They've been doing this for years, I probably have hundreds or thousands of those emails from when we used to use Hetzner IP ranges for our customers (or even now for our private clients)
More governments like UK (as pointed out before) are starting to do this. You can follow their advice and secure your ports or whatnot, but it is also fine to ignore.