I am using a server with centos 7 running kvm/virtualization, I access using VNC server.
Today I received an warning about my server being used to attack other server using port 111, I am completely lost. My password for the server is very very hard, I doubt someone could force it in years… the problem is, I need to protect, Is it possible to disable this port ? Do I need it ? I used
netstat -l
while on the machine and didn't see any 111 occurrence, so if I block, Can I still log into the machine and keep working ? If yes, how can I do this ? I tried this
iptables -A INPUT -p tcp -s! 192.168.0.0/24 --dport 111 -j DROP iptables -A INPUT -p tcp -s 127.0.0.1 --dport 111 -j ACCEPT
but didn't work, output:
Bad argument `192.168.0.0/24'
Is there a way to block it, or make it only usable to my local network/localhost (if block will block the server access)?
The warning I received:
A public-facing device on your network, running on IP address (IP ADDRESS), operates a RPC port mapping service responding on UDP port 111 and participated in a large-scale attack against a customer of ours, generating responses to spoofed requests that claimed to be from the attack target.
Please consider reconfiguring this server in one or more of these ways:
- Adding a firewall rule to block all access to this host's UDP port 111 at your network edge (it would continue to be available on TCP port 111 in this case).
- Adding firewall rules to allow connections to this service (on UDP port 111) from authorized endpoints but block connections from all other hosts.
- Disabling the port mapping service entirely (if it is not needed).
I am not using any firewall.
Best Answer
You are a little wrong with iptables command. Try this:
This will allow connections to port 111 from localhost (127.0.0.1) and from network 192.168.0.0. All other connections will be dropped.
Note, your warning recommends to block UDP, not TCP. I replaced protocol in example.