RPC Portmapper DDoS vulnerability correction

SplitIce Member, Host Rep
edited July 2016 in General

Kind of old news, but to this date many distributions still ship without an updated configuration to address this vulnerability. What's worse is the general lack of publicly available information on correct configuration. NTP, DNS, SNMP all have information commonly available, but not RPC-based amplification (port 111).

RPC Portmapper, also referred to as rpcbind and portmap, is an Open Network Computing Remote Procedure Call (ONC RPC) service designed to map RPC service numbers to network port numbers. When RPC clients want to make a call to the Internet, Portmapper tells them which TCP or UDP port to use.

You can check if you have this service running by executing: ss -nlp | grep udp | grep rpcbind | grep ':111'

If you see a result, and it's bound to 0.0.0.0 or any public address, you may be vulnerable. Most commonly you will have this installed on any non-minimal image, and any server doing NFS roles (server or client).

To mitigate against your server being used in attacks you have two options. Firstly, you can configure the RPC portmap service to not accept incoming UDP connections externally, or, secondly, firewall the port. Personally I recommend option 1; it's permanent and doesn't risk a later mistake of forgetting to load firewall rules.

To configure your RPC portmap service to run on 127.0.0.1 on Debian create /etc/default/rpcbind containing:

OPTIONS="-h 127.0.0.1"

And then restart rpcbind with:

service rpcbind restart

You should then be able to verify your success:

# ss -nlp | grep udp | grep rpcbind | grep ':111'
udp    UNCONN     0      0              127.0.0.1:111                   *:*      users:(("rpcbind",pid=1347,fd=6))
udp    UNCONN     0      0                    ::1:111                  :::*      users:(("rpcbind",pid=1347,fd=11))

The internet thanks you for your co-operation.
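As an added example (not part of SplitIce's post), here is a small POSIX sh check that applies the same filter as the post's ss command to `ss -nlp` output on stdin and flags any rpcbind UDP :111 socket bound to something other than loopback. The two sample outputs embedded below are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: read `ss -nlp` output on stdin
# and report every rpcbind UDP :111 socket that is not bound to loopback.
# Returns 0 when the portmapper is loopback-only, 1 when it is reachable
# externally (0.0.0.0, *, :: or a specific public address). Handles both the
# older `:::111` and the newer `[::]:111` IPv6 spellings printed by ss.
check_portmap_binding() {
    bad=0
    while read -r proto state rq sq local peer rest; do
        [ "$proto" = "udp" ] || continue            # only UDP amplifies
        case "$rest" in *rpcbind*) ;; *) continue ;; esac
        case "$local" in *:111) ;; *) continue ;; esac
        addr=${local%:111}                          # strip the port suffix
        case "$addr" in
            127.*|::1|"[::1]") echo "loopback: $local" ;;
            *) echo "EXPOSED: $local"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample outputs (not captured from a real host), mirroring the
# columns of the post's ss command: an exposed host and a corrected one.
SAMPLE_EXPOSED='udp    UNCONN     0      0        0.0.0.0:111      *:*     users:(("rpcbind",pid=1347,fd=6))
udp    UNCONN     0      0            :::111     :::*     users:(("rpcbind",pid=1347,fd=11))
tcp    LISTEN     0      128      0.0.0.0:111      *:*     users:(("rpcbind",pid=1347,fd=8))'

SAMPLE_FIXED='udp    UNCONN     0      0      127.0.0.1:111      *:*     users:(("rpcbind",pid=1347,fd=6))
udp    UNCONN     0      0            ::1:111     :::*     users:(("rpcbind",pid=1347,fd=11))'

# Demonstration on the samples; on a real host pipe the live output instead:
#   ss -nlp | check_portmap_binding
printf '%s\n' "$SAMPLE_EXPOSED" | check_portmap_binding || echo "sample 1: usable as amplifier"
printf '%s\n' "$SAMPLE_FIXED"   | check_portmap_binding && echo "sample 2: loopback only"
```

The TCP listener is deliberately ignored: the amplification concern is the connectionless UDP socket, which the post's `-h 127.0.0.1` option moves to loopback.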
