• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Email from BSI about Netbios

Ankebut

Regular Pleskian
Hello,

i have today receive a email from Federal Office for Security Information Technology Germany that write me following text below, how can i do to resolve this problem?

Dear Sir or Madam,

NetBIOS defines a software interface and a naming convention.
NetBIOS over TCP/IP provides the NetBIOS programming interface
over the TCP/IP protocol.

Over the past months, systems responding to NetBIOS nameservice
requests from anywhere on the Internet have been increasingly
abused for DDoS reflection attacks against third parties.
The NetBIOS nameservice uses port 137/udp.

Please find below a list of affected systems hosted on your network.
The timestamp (timezone UTC) indicates when the openly accessible
NetBIOS nameservice was identified.

We would like to ask you to check this issue and take appropriate
steps to secure the NetBIOS nameservices services on the affected
systems or notify your customers accordingly.

If you have recently solved the issue but received this notification
again, please note the timestamp included below. You should not
receive any further notifications with timestamps after the issue
has been solved.

Additional information on this notification, advice on how to fix
reported issues and answers to frequently asked questions:
<BSI - CERT-Bund Reports>

This message is digitally signed using PGP. Information on the
signature key is available at the aforementioned URL.

Please note:
This is an automatically generated message. Replies to the
sender address <[email protected]> will NOT be read
but silently be discarded. In case of questions, please contact
<[email protected]> and keep the ticket number [CB-Report#...]
of this message in the subject line.

!! Please make sure to consult our HOWTOs and FAQ available at
!! <BSI - CERT-Bund Reports> first.
 
Hi Ankebut,

pls. contact YOUR server provider, if you have issues / problems when configuring your server. The message already contains HELP - links how you are able to solve your security issues on your server
Additional information on this notification, advice on how to fix
reported issues and answers to frequently asked questions:
<BSI - CERT-Bund Reports>
... and the german law includes the immidiate blocking of your IP(s), if you don't follow to secure your server within the given time. Your server provider received an abuse - eMail for your IP(s), so they are already informed as you are and will certainly assist you here. ;)
 
thx for fast reply...

here is whole email and there is my IP adress listed :(

Sehr geehrte(r) Frau xxx,

wir haben einen Sicherheitshinweis vom Bundesamt für Sicherheit in der Informationstechnik (BSI) erhalten.
Bitte beachten Sie die Originalmeldung ganz unten.

Die Weiterleitung dieser Beschwerde dient nur als Information für Sie.
Wir erwarten bezüglich dieser Beschwerde keine Rückmeldung Ihrerseits.
Wir bitten jedoch darum, der Meldung nachzugehen und evtl. Probleme zu beheben.

Bei weiteren Fragen bitte [email protected] kontaktieren oder falls Sie der Meinung sind, dass das Problem
bereits behoben ist oder nicht besteht (bitte nicht an [email protected] schreiben, da Emails an diese
Adresse nicht gelesen werden) und darum bitten, dass Sie aus der Mailing-Liste entfernt werden.

Mit freundlichen Grüßen

Abuse-Team

On 20 May 10:45, [email protected] wrote:
[English version below]

Sehr geehrte Damen und Herren,

NetBIOS ist eine Programmierschnittstelle zur Kommunikation zwischen
Programmen ber ein lokales Netzwerk. NetBIOS over TCP/IP ist ein
Netzwerkprotokoll, das es ermglicht, auf der Programmierschnittstelle
NetBIOS aufbauende Programme ber das Netzwerkprotokoll TCP/IP zu
verwenden.

In den letzten Monaten wurden Systeme, welche Anfragen an NetBIOS-
Namensdienste aus dem Internet beantworten, zunehmend zur Durchfhrung
von DDoS-Reflection-Angriffen gegen IT-Systeme Dritter missbraucht.
Der NetBIOS-Namensdienst verwendet Port 137/udp.

Nachfolgend senden wir Ihnen eine Liste betroffener Systeme in Ihrem
Netzbereich. Der Zeitstempel (Zeitzone UTC) gibt an, wann der offene
NetBIOS-Namensdienst identifiziert wurde.

Wir mchten Sie bitten, den Sachverhalt zu prfen und Manahmen zur
Absicherung der NetBIOS-Namensdienste auf den betroffenen Systemen
zu ergreifen bzw. Ihre Kunden entsprechend zu informieren.

Falls Sie krzlich bereits Gegenmanahmen getroffen haben und diese
Benachrichtigung erneut erhalten, beachten Sie bitten den angegebenen
Zeitstempel. Wurde die Gegenmanahme erfolgreich umgesetzt, sollten
Sie keine Benachrichtigung mit einem Zeitstempel nach der Umsetzung
mehr erhalten.

Weitere Informationen zu dieser Benachrichtigung, Hinweise zur
Behebung gemeldeter Sicherheitsprobleme sowie Antworten auf hufig
gestellte Fragen finden Sie unter:
<BSI - CERT-Bund Reports>

Diese E-Mail ist mittels PGP digital signiert. Informationen zu dem
verwendeten Schlssel finden Sie unter vorgenannter URL.

Bitte beachten Sie:
Dies ist eine automatisch generierte Nachricht. Antworten an die
Absenderadresse <[email protected]> werden NICHT gelesen
und automatisch verworfen. Bei Rckfragen wenden Sie sich bitte
unter Beibehaltung der Ticketnummer [CB-Report#...] in der
Betreffzeile an <[email protected]>.

!! Bitte lesen Sie zunchst unsere HOWTOs und FAQ, welche unter
!! <BSI - CERT-Bund Reports> verfgbar sind.

======================================================================

Dear Sir or Madam,

NetBIOS defines a software interface and a naming convention.
NetBIOS over TCP/IP provides the NetBIOS programming interface
over the TCP/IP protocol.

Over the past months, systems responding to NetBIOS nameservice
requests from anywhere on the Internet have been increasingly
abused for DDoS reflection attacks against third parties.
The NetBIOS nameservice uses port 137/udp.

Please find below a list of affected systems hosted on your network.
The timestamp (timezone UTC) indicates when the openly accessible
NetBIOS nameservice was identified.

We would like to ask you to check this issue and take appropriate
steps to secure the NetBIOS nameservices services on the affected
systems or notify your customers accordingly.

If you have recently solved the issue but received this notification
again, please note the timestamp included below. You should not
receive any further notifications with timestamps after the issue
has been solved.

Additional information on this notification, advice on how to fix
reported issues and answers to frequently asked questions:
<BSI - CERT-Bund Reports>

This message is digitally signed using PGP. Information on the
signature key is available at the aforementioned URL.

Please note:
This is an automatically generated message. Replies to the
sender address <[email protected]> will NOT be read
but silently be discarded. In case of questions, please contact
<[email protected]> and keep the ticket number [CB-Report#...]
of this message in the subject line.

!! Please make sure to consult our HOWTOs and FAQ available at
!! <BSI - CERT-Bund Reports> first.

======================================================================

Betroffene Systeme in Ihrem Netzbereich:
Affected systems on your network:

Format: ASN | IP address | Timestamp (UTC) | Workgroup name | Machine name
24940 | 148.251.246.48 | 2017-05-18 01:53:12 | WORKGROUP | SERVER

Mit freundlichen Gren / Kind regards
Team CERT-Bund

Bundesamt fr Sicherheit in der Informationstechnik (BSI)
Federal Office for Information Security
Referat CK22 - CERT-Bund
Godesberger Allee 185-189, D-53175 Bonn, Germany
 
as the email states your server has an open port at 137/udp. Install the Plesk firewall extension, activate it and make sure the rule "Samba (file sharing in Windows networks) Deny incoming from all" is active.
 
Back
Top