Systems Vulnerable to Participating in UDP Amplification Attacks
...
1) Uninstall NFS server, NFS client, and Portmapper (RPCbind)
Open a command-line terminal and then type the following command:
$ sudo apt-get --purge remove nfs-kernel-server nfs-common rpcbind
2) Portmap Lockdown via TCP Wrapper
**Note**
Solaris system TCP Wrappers not are enabled by default. Open a command-line terminal and enter the following commands to enable rpcbind TCP Wrappers:
# svccfg -s rpc/bind setprop config/enable_tcpwrappers=true
# svcadm refresh rpc/bind
(Continue following the instructions below)
For all other Linux systems:
Open a command-line terminal and then type the following command:
$ sudo nano /etc/hosts.allow
Add the following lines:
rpcbind: 146.6.101.0/255.255.255.0
rpcbind: 128.83.190.0/255.255.255.0
rpcbind: 129.116.100.192/255.255.255.192
rpcbind: 129.116.238.128/255.255.255.192
rpcbind: 146.6.28.64/255.255.255.192
rpcbind: 146.6.53.0/255.255.255.0
rpcbind: 146.6.177.0/255.255.255.192
rpcbind: 129.116.140.0/255.255.255.0
rpcbind: 129.116.234.0/255.255.255.0
rpcbind: 172.25.1.0/255.255.255.224
rpcbind: 206.76.64.0/255.255.192.0
rpcbind: 198.213.192.0/255.255.192.0
rpcbind: 172.29.0.0/255.255.0.0
rpcbind: 10.0.0.0/255.0.0.0
Save the changes made to the file.
Type the following command:
$ sudo nano /etc/hosts.deny
Add the following lines:
rpcbind: ALL
...
"Consider placing sensitive MFDs on their own VLAN, which may make them easier to identify and secure. It is also strongly advised to give MFDs campus-routed RFC 1918 addresses
so that they are not accessible from the Internet. It is rare that an MFD needs to be accessed from off-campus, and a VPN can be used in those instances.”