Server Security - please help :(


#1

Hello!

Since switching to Hetzner I haven’t been using ufw - I figured that any open services would be ones I wanted to use. I was wrong…

I received this email today:

Dear Sir or Madam,

the Simple Service Discovery Protocol (SSDP) is a network protocol
for advertisement and discovery of network services and presence
information. SSDP is the basis of the discovery protocol of
Universal Plug and Play (UPnP). SSDP uses port 1900/udp.

Over the past months, systems responding to SSDP requests from
anywhere on the Internet have been increasingly abused for DDoS
reflection attacks against third parties.

Please find below a list of affected systems hosted on your network.
The timestamp (timezone UTC) indicates when the openly accessible
SSDP server was identified.

We would like to ask you to check this issue and take appropriate
steps to secure the SSDP services on the affected systems or
notify your customers accordingly.

If you have recently solved the issue but received this notification
again, please note the timestamp included below. You should not
receive any further notifications with timestamps after the issue
has been solved.

Additional information on this notification, advice on how to fix
reported issues and answers to frequently asked questions:
https://reports.cert-bund.de/en/

This message is digitally signed using PGP. Information on the
signature key is available at the aforementioned URL.

Please note:
This is an automatically generated message.
Replying to the sender address is not possible.
In case of questions, please contact [email protected]
keeping the ticket number of this message in the subject line.

!! Please make sure to consult our HOWTOs and FAQ available at
!! https://reports.cert-bund.de/en/ first.

Yikes!

So… does anybody know:
a) how to check if the port was actually used for DDOS
b) what is the port open for in the first place?
c) if there’s a way to monitor / keep an eye on this stuff for the future?

As always, thanks for sharing your experience :slight_smile:


Hetzner Abuse Message
#2

Reddit user got one too for a diff port.

sudo netstat -pln|grep 1900
or
sudo netstat -pln

will show you the listening ports and what app is using it.

Edit again: It’s probably plex…
Check that DLNA and GDM are disabled in plex.


#3

Bingo!


#4

Yea this is common.


#5

got 100s of those mails from Hetzner so just ignore them!