Today I received an abuse notification from Hetzner about open ports on one of my servers. The message started like this: We have received a notification from the German Federal Office for Information Security (BSI) for (the IP address of) a server you have with us. We are automatically forwarding this notification on to you, for your information.
Full message
Dear Mr PHP Developer
We have received a notification from the German Federal Office for Information Security (BSI) for (the IP address of) a server you have with us. We are automatically forwarding this notification on to you, for your information.
The original report has been included below. Additional information is provided with the how-to guides referenced in the report. Please note that we do not have any further information to share.
These notifications do not mean your server was involved in any abusive activity. They are simply alerting you to a potential issue on your server, that could be exploited, and that is usually fairly easy to secure.
You do not need to send us, or the BSI, a response.
In case of further questions, please contact certbund@bsi.bund.de and keep the ticket number of the original report [CB-Report#…] in the subject line. Do not reply to reports@reports.cert-bund.de as this is just the sender address for the reports and messages sent to this address will not be read.
Kind regards
Abuse Team
Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen / Germany
Tel: +49 9831 5050
Fax: +49 9831 5053
www.hetzner.com
Register Court: Registergericht Ansbach, HRB 6089
CEO: Martin Hetzner, Stephan Konvickova, Günther Müller
For the purposes of this communication, we may save some
of your personal data. For information on our data privacy
policy, please see: www.hetzner.com/privacy-policy-notice
You have the option to file a complaint against a decision that is unfavorable to you.
Please reply to this ticket to do so. If a final decision has been made, you may also
file a complaint via info@hetzner.com.
We are neither willing nor obligated to participate in dispute resolution proceedings
before a consumer arbitration board.
Dear Sir or Madam,
the Portmapper service (portmap, rpcbind) is required for mapping RPC
requests to a network service. The Portmapper service is needed e.g.
for mounting network shares using the Network File System (NFS).
The Portmapper service runs on port 111 tcp/udp.
In addition to being abused for DDoS reflection attacks, the
Portmapper service can be used by attackers to obtain information
on the target network like available RPC services or network shares.
Over the past months, systems responding to Portmapper requests from
anywhere on the Internet have been increasingly abused for DDoS reflection
attacks against third parties.
Please find below a list of affected systems hosted on your network.
The timestamp (timezone UTC) indicates when the openly accessible
Portmapper service was identified.
We would like to ask you to check this issue and take appropriate
steps to secure the Portmapper services on the affected systems or
notify your customers accordingly.
If you have recently solved the issue but received this notification
again, please note the timestamp included below. You should not
receive any further notifications with timestamps after the issue
has been solved.
Additional information on this notification, advice on how to fix
reported issues and answers to frequently asked questions:
https://reports.cert-bund.de/en/
This message is digitally signed using PGP.
Information on the signature key is available at:
https://reports.cert-bund.de/en/digital-signature
Please note:
This is an automatically generated message. Replies to the
sender address reports@reports.cert-bund.de will NOT be read
but silently be discarded. In case of questions, please contact
certbund@bsi.bund.de and keep the ticket number [CB-Report#…]
of this message in the subject line.
Affected systems on your network:
Format: ASN | IP | Timestamp (UTC) | RPC response
xxxxx | xxx.xxx.xxx.xxx | 2026-06-23 09:32:22 | 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100005 1 20048/udp; 100005 1 20048/udp; 100005 2 20048/udp; 100005 2 20048/udp; 100005 3 20048/udp; 100005 3 20048/udp; 100024 1 59664/udp; 100024 1 50267/udp; 100003 3 2049/udp; 100003 4 2049/udp; 100227 3 2049/udp; 100021 1 42772/udp; 100021 3 42772/udp; 100021 4 42772/udp; 100021 1 46063/udp; 100021 3 46063/udp; 100021 4 46063/udp;
Mit freundlichen Grüßen / Kind regards
Team CERT-Bund
Bundesamt für Sicherheit in der Informationstechnik
Federal Office for Information Security (BSI)
CERT-Bund
Godesberger Allee 87, 53175 Bonn, Germany
So the server I use for NFS shares had unprotected ports: anyone on the Internet could send it Portmapper requests, and because the UDP replies can be reflected towards a spoofed source, the server could end up as part of a DDoS attack.
You can check that your ports are really open from the outside with the rpcinfo utility:
$ sudo apt install rpcbind
$ rpcinfo -p 111.22.111.22
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100005 1 udp 20048 mountd
100005 1 tcp 20048 mountd
100005 2 udp 20048 mountd
100005 2 tcp 20048 mountd
100005 3 udp 20048 mountd
100005 3 tcp 20048 mountd
100024 1 udp 59664 status
100024 1 tcp 50267 status
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100227 3 tcp 2049 nfs_acl
100021 1 udp 42772 nlockmgr
100021 3 udp 42772 nlockmgr
100021 4 udp 42772 nlockmgr
100021 1 tcp 46063 nlockmgr
100021 3 tcp 46063 nlockmgr
100021 4 tcp 46063 nlockmgr
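The rpcinfo listing repeats every port once per RPC version, which makes it easy to miss a port when writing firewall rules by hand. As an added example (not part of the original post), the following shell functions collapse `rpcinfo -p HOST` output into the distinct proto/port pairs that are reachable and print a ready-to-use port list per protocol. The embedded sample is constructed to match the listing above; on a real server you would pipe the live output in instead.

```shell
#!/bin/sh
# Added example, not code from the original post: summarise `rpcinfo -p HOST`
# output into the distinct proto/port pairs an outside client can reach.
# RPCINFO_SAMPLE is constructed from the listing above (a few version
# duplicates added so the collapsing is visible).

RPCINFO_SAMPLE='program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 4 udp 111 portmapper
100005 1 udp 20048 mountd
100005 2 udp 20048 mountd
100005 1 tcp 20048 mountd
100024 1 udp 59664 status
100024 1 tcp 50267 status
100003 3 tcp 2049 nfs
100227 3 tcp 2049 nfs_acl
100021 1 udp 42772 nlockmgr
100021 1 tcp 46063 nlockmgr'

# exposed_ports: read rpcinfo -p output on stdin, print one
# "proto port service" line per distinct proto/port/service (versions dropped).
exposed_ports() {
    awk 'NR > 1 && NF >= 5 { print $3, $4, $5 }' | sort -u
}

# port_list PROTO: space-separated, numerically sorted, deduplicated list of
# ports for one protocol (tcp or udp), suitable for an iptables multiport rule.
port_list() {
    awk -v p="$1" 'NR > 1 && $3 == p { print $4 }' \
        | sort -n -u | tr '\n' ' ' | sed 's/ $//'
}

# reflection_exposed: succeed (exit 0) when the UDP portmapper, the service
# CERT-Bund reports as abused for DDoS reflection, is in the listing.
reflection_exposed() {
    awk 'NR > 1 && $3 == "udp" && $4 == 111 { found = 1 } END { exit !found }'
}

# Usage with live data:  rpcinfo -p 111.22.111.22 | exposed_ports
printf '%s\n' "$RPCINFO_SAMPLE" | exposed_ports
printf 'tcp ports: %s\n' "$(printf '%s\n' "$RPCINFO_SAMPLE" | port_list tcp)"
printf 'udp ports: %s\n' "$(printf '%s\n' "$RPCINFO_SAMPLE" | port_list udp)"
if printf '%s\n' "$RPCINFO_SAMPLE" | reflection_exposed; then
    echo "udp/111 portmapper is reachable: this host can be used as a reflector"
fi
```

Note that status and nlockmgr (100024, 100021) sit on high ports that rpcbind assigns dynamically, so the numbers change between reboots; this is why a firewall with a default deny is a better fit than allow-listing those ports one by one.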
Or with nmap (-sUT scans UDP and TCP, -p 111 limits the scan to the Portmapper port):
$ sudo apt install nmap
$ sudo nmap -sUT -p 111 111.22.111.22
Starting Nmap 7.98 ( https://nmap.org ) at 2026-06-24 12:57 +0200
Nmap scan report for 111.22.111.22
Host is up (0.026s latency).
PORT STATE SERVICE
111/tcp open rpcbind
111/udp open rpcbind
The solution here is simple – we just need to protect these ports from external access.
You can do this with iptables. Here is a basic example that allows access to certain ports (the NFS ports only from one client address) and drops everything else. Rules are evaluated in order, so the final DROP must stay last, and the SSH rule must match the port your sshd really listens on (22122 on this server), otherwise you lock yourself out.
## allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
## allow replies to connections this host opened (one conntrack rule is enough;
## "-m state" is only the legacy alias of "-m conntrack")
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
## allow HTTP/HTTPS traffic
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
## allow MySQL traffic (allowed only from 111.22.111.22)
iptables -A INPUT -p tcp -s 111.22.111.22 --dport 3306 -j ACCEPT
## NFS server access: portmapper (111), nfs (2049), mountd (20048),
## allowed only from the NFS client 111.22.111.22
iptables -A INPUT -p tcp -s 111.22.111.22 --dport 111 -j ACCEPT
iptables -A INPUT -p tcp -s 111.22.111.22 --dport 2049 -j ACCEPT
iptables -A INPUT -p tcp -s 111.22.111.22 --dport 20048 -j ACCEPT
iptables -A INPUT -p udp -s 111.22.111.22 --dport 111 -j ACCEPT
iptables -A INPUT -p udp -s 111.22.111.22 --dport 2049 -j ACCEPT
iptables -A INPUT -p udp -s 111.22.111.22 --dport 20048 -j ACCEPT
## allow SSH incoming traffic (22122 is the sshd port on this server, use yours)
iptables -A INPUT -p tcp --dport 22122 -j ACCEPT
## allow ping (ICMP echo-request)
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
## block anything else
iptables -A INPUT -j DROP
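Running a list of `iptables -A` commands twice appends every rule a second time, and a typo in the middle leaves the chain half-built. As an added example (these are not the post's own rules), the function below generates the same policy as an iptables-restore ruleset: the whole filter table is replaced atomically, and the final DROP becomes the chain's default policy. The client address 10.0.0.5, the SSH port 22122 and the NFS port list are assumptions for illustration; substitute your own.

```shell
#!/bin/sh
# Added example, not the original post's rules: emit an iptables-restore
# ruleset that exposes HTTP(S) and SSH publicly, NFS/RPC only to one client,
# and drops everything else by default policy. CLIENT and SSH_PORT are
# assumed values; NFS_PORTS are the static ports seen in rpcinfo above.

NFS_PORTS="111,2049,20048"   # portmapper, nfs, mountd

# valid_ipv4 ADDR: accept a dotted-quad address with an optional /prefix.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i > 255) exit 1
            if (NF == 5 && ($5 !~ /^[0-9][0-9]?$/ || $5 > 32)) exit 1
        }'
}

# valid_port NUM: digits only, in the range 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; else return 1; fi
}

# nfs_ruleset CLIENT SSH_PORT: print the filter table for iptables-restore.
# Fails (non-zero) on a malformed client address or SSH port so that a bad
# value can never turn into a rule that locks you out or opens too much.
nfs_ruleset() {
    client="$1"; ssh_port="$2"
    valid_ipv4 "$client" || { echo "nfs_ruleset: bad client address: $client" >&2; return 1; }
    valid_port "$ssh_port" || { echo "nfs_ruleset: bad ssh port: $ssh_port" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -s $client -m multiport --dports $NFS_PORTS -j ACCEPT
-A INPUT -p udp -s $client -m multiport --dports $NFS_PORTS -j ACCEPT
-A INPUT -p tcp --dport $ssh_port -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Usage (assumed values): review the output, syntax-check it, then load it.
#   nfs_ruleset 10.0.0.5 22122
#   nfs_ruleset 10.0.0.5 22122 | sudo iptables-restore --test
#   nfs_ruleset 10.0.0.5 22122 | sudo iptables-restore
nfs_ruleset 10.0.0.5 22122
```

Because the default policy is DROP, the dynamically assigned status and nlockmgr ports from the rpcinfo listing are closed to everyone, including the client. That is fine for NFSv4, which needs only 2049/tcp; an NFSv3 client that needs locking would require those daemons to be pinned to fixed ports and added to NFS_PORTS.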
To check the rules:
iptables -L -v
To clear all the rules (the policies are set to ACCEPT first so the flush cannot lock you out):
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
echo ""
echo "All rules deleted =========================================="
echo ""
iptables -L -v
After that you can validate that your ports are closed with the same utilities. Note that nmap reports 111/udp as open|filtered rather than closed: a UDP probe that gets no answer cannot tell a filtered port from a silent open one, so the rpcinfo timeout and the filtered state of 111/tcp are the real confirmation.
rpcinfo
$ rpcinfo -p 111.22.111.22
111.22.111.22: RPC: Remote system error - Connection timed out
nmap
$ sudo nmap -sUT -p 111 111.22.111.22
Starting Nmap 7.98 ( https://nmap.org ) at 2026-06-24 12:28 +0200
Nmap scan report for 111.22.111.22
Host is up (0.023s latency).
PORT STATE SERVICE
111/tcp filtered rpcbind
111/udp open|filtered rpcbind
If everything is OK, you probably need to save the iptables rules so the system restores them after a reboot. The command below is the one for RHEL-family systems with the iptables-services package; on Debian/Ubuntu (where apt was used above) install iptables-persistent and run netfilter-persistent save instead.
service iptables save
It also makes sense to reboot the server and make sure the system restores the rules correctly, but that depends on whether you can afford a reboot.
And that’s all. You don’t need to reply to Hetzner or BSI, just make sure that your server is protected now.