[SOLVED] Do we Need these services ksmtuned rpcbind on proxmox 7.1.10 ?

Spirog

Jan 31, 2022
Hello I am wondering if these 2 services are needed.
I have Debian 11 and PVE 7.1.10 installed on 1 server and have 3 vm's only.
Code:
proxmox-ve: 7.1-1 (running kernel: 5.13.19-4-pve)
pve-manager: 7.1-10 (running version: 7.1-10/6ddebafe)
pve-kernel-helper: 7.1-12
pve-kernel-5.13: 7.1-7
pve-kernel-5.4: 6.4-11
pve-kernel-5.13.19-4-pve: 5.13.19-9
pve-kernel-5.13.19-3-pve: 5.13.19-7
pve-kernel-5.13.19-2-pve: 5.13.19-4
pve-kernel-5.4.157-1-pve: 5.4.157-1
pve-kernel-5.4.73-1-pve: 5.4.73-1
ceph-fuse: 15.2.15-pve1
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown: 0.8.36+pve1
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.22-pve2
libproxmox-acme-perl: 1.4.1
libproxmox-backup-qemu0: 1.2.0-1
libpve-access-control: 7.1-6
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.1-3
libpve-guest-common-perl: 4.1-1
libpve-http-server-perl: 4.1-1
libpve-storage-perl: 7.1-1
libqb0: 1.0.5-1
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 4.0.11-1
lxcfs: 4.0.11-pve1
novnc-pve: 1.3.0-2
proxmox-backup-client: 2.1.5-1
proxmox-backup-file-restore: 2.1.5-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.4-6
pve-cluster: 7.1-3
pve-container: 4.1-4
pve-docs: 7.1-2
pve-edk2-firmware: 3.20210831-2
pve-firewall: 4.2-5
pve-firmware: 3.3-5
pve-ha-manager: 3.3-3
pve-i18n: 2.6-2
pve-qemu-kvm: 6.1.1-2
pve-xtermjs: 4.16.0-1
qemu-server: 7.1-4
smartmontools: 7.2-pve2
spiceterm: 3.2-2
swtpm: 0.7.0~rc1+2
vncterm: 1.7-1
zfsutils-linux: 2.1.2-pve1
This is a server I rent and am able to log in to the GUI via my IP address, for example https://50.xx.143.xx:8006

I have installed a Firewall product (CSF Configserver Firewall) that gave me this message below
Just wondering if I can stop and disable them or if they are needed.

Code:
On most servers the following services are not needed and should be stopped and disabled from starting unless used:
ksmtuned,rpcbind

Each service can usually be disabled using:
/bin/systemctl stop [service]
/bin/systemctl disable [service]

Thanks in advance for anyone who can help me get the correct answer

Spiro
 
Without ksmtuned you can't use KSM so you would not get RAM deduplication which PVE uses by default. Not sure about the rpcbind.
 
rpcbind is necessary for NFS. Better to configure the PVE firewall to block everything and just enable what you need.


Did you install this on the PVE host itself? If so, why???
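A read-only check for the question in this thread, as an added example that is not from any of the posters: it looks for evidence that KSM and NFS are actually in use on the host before ksmtuned or rpcbind is stopped. The function names are made up for this example; the default paths are the standard kernel and PVE locations.

```shell
#!/bin/sh
# Added example: read-only checks, nothing is stopped or disabled.
# Function names are hypothetical; default paths are the standard kernel and PVE ones.

# Succeeds if KSM is merging pages right now. Zero only means "idle":
# ksmtuned switches KSM on under memory pressure, so re-check under load.
ksm_in_use() {
    dir="${1:-/sys/kernel/mm/ksm}"
    [ -r "$dir/pages_sharing" ] || return 1
    [ "$(cat "$dir/pages_sharing")" -gt 0 ] 2>/dev/null
}

# Prints mount points of NFSv2/v3 mounts (fstype "nfs"); NFSv4 mounts
# show up as "nfs4" and do not depend on rpcbind.
nfs_v3_mounts() {
    awk '$3 == "nfs" { print $2 }' "${1:-/proc/mounts}"
}

# Prints the names of NFS storages defined in the PVE storage configuration.
pve_nfs_storages() {
    cfg="${1:-/etc/pve/storage.cfg}"
    [ -r "$cfg" ] || return 0
    awk '$1 == "nfs:" { print $2 }' "$cfg"
}

# Usage: service_verdict [ksm_dir] [mounts_file] [storage_cfg]
service_verdict() {
    if ksm_in_use "$1"; then
        echo "ksmtuned: keep (KSM is sharing pages)"
    else
        echo "ksmtuned: idle (no shared pages at the moment)"
    fi
    if [ -n "$(nfs_v3_mounts "$2")$(pve_nfs_storages "$3")" ]; then
        echo "rpcbind: keep (NFS mount or NFS storage found)"
    else
        echo "rpcbind: no NFS use found"
    fi
}

service_verdict "$@"
```

Run it as root on the PVE host with no arguments; the optional arguments let it be pointed at saved copies of the three files.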
Hello thanks for the reply.
I was getting attacked and this is the only firewall that I use on my cPanel vms. It’s out of the box a well known firewall that was easy for me to understand. With its own UI that has a lot of features with good description of each feature.
I guess I could just pay someone to set up pve firewall to protect my pve host? Or watch a good video, if there are any.

Do you have any good video links to setup and protect pve host. I learn better from watching someone do things than reading and doing.

Kind regards
SPIRO
 
Wouldn't be a bad idea to learn how an OPNsense/pfsense works and put an OPNsense/pfsense VM between the Internet and your other VMs. They also got plugins for Intrusion Prevention Systems and so on to actively block attackers. Not that easy to create a safe configuration with all of the features it offers (and it will allow you to do very stupid/unsecure things without complaining) but everything can be done using the webUI and all is well documented.
 
*sense stuff is good but you have to pass all traffic through it which is especially for the PVE host itself a little bit of work. For everything else, it works great.

For the PVE host itself, just use PVE firewall, it's built in and does already a good job: Just block everything to your PVE host and enable what you need (SSH and 8006). Best to use a static IP from which you operate, so that you can just enable the IP. On the forums are a lot of posts about securing your environment. For me, I use VPN, fixed source IP addresses and knock for opening from other IPs. Your mileage may vary.
 
Wouldn't be a bad idea to learn how an OPNsense/pfsense works and put an OPNsense/pfsense VM between the Internet and your other VMs. They also got plugins for Intrusion Prevention Systems and so on to actively block attackers.
Will read on this and watch a few YouTube videos on how it works etc. thanks
 
*sense stuff is good but you have to pass all traffic through it which is especially for the PVE host itself a little bit of work. For everything else, it works great.

For the PVE host itself, just use PVE firewall, it's built in and does already a good job: Just block everything to your PVE host and enable what you need (SSH and 8006). Best to use a static IP from which you operate, so that you can just enable the IP. On the forums are a lot of posts about securing your environment. For me, I use VPN, fixed source IP addresses and knock for opening from other IPs. Your mileage may vary.
I will try this and disable the other csf firewall and see how it works.
Quick question just to confirm.

1. If I block everything except for 8006 and set my static ip in pve firewall, then I use the webgui for logging into the host proxmox. If I block ssh 22 totally and turn off root login to permitrootlogin to NO
Will I be able to use noVNC terminal when logged into proxmox 8006 for ssh? Or is this blocked as well when blocking port in pve firewall?

2. Will I still be able to get updates when going to webgui host >proxmox >updates from the repositories? Or is there a rule I need to make in pve firewall to allow the updates as well?
 
I will try this and disable the other csf firewall and see how it works.
Quick question just to confirm.

1. If I block everything except for 8006 and set my static ip in pve firewall, then I use the webgui for logging into the host proxmox. If I block ssh 22 totally and turn off root login to permitrootlogin to NO
Will I be able to use noVNC terminal when logged into proxmox 8006 for ssh? Or is this blocked as well when blocking port in pve firewall?
If you want to use VNC you need to open the incoming port. Ports PVE uses are described here: https://pve.proxmox.com/wiki/Firewall#_ports_used_by_proxmox_ve
Make sure you don't lock yourself out. For example if your ISP gives you a dynamic IP and you set up that only connection from your IP should be allowed.
2. Will I still be able to get updates when going to webgui host >proxmox >updates from the repositories? Or is there a rule I need to make in pve firewall to allow the updates as well?
If you don't tell the firewall to drop outgoing traffic everything is allowed to go outside so updating should be a problem.
 
If you want to use VNC you need to open the incoming port. Ports PVE uses are described here: https://pve.proxmox.com/wiki/Firewall#_ports_used_by_proxmox_ve
Make sure you don't lock yourself out. For example if your ISP gives you a dynamic IP and you set up that only connection from your IP should be allowed.

If you don't tell the firewall to drop outgoing traffic everything is allowed to go outside so updating should be a problem.
Ok. Thank you both for your help today. I totally appreciate it. That’s for sure.
Now on to more reading and trying things out. Have a wonderful weekend
Kind Regards,
SPIRO
 
Wouldn't be a bad idea to learn how an OPNsense/pfsense works and put an OPNsense/pfsense VM between the Internet and your other VMs. They also got plugins for Intrusion Prevention Systems and so on to actively block attackers. Not that easy to create a safe configuration with all of the features it offers (and it will allow you to do very stupid/unsecure things without complaining) but everything can be done using the webUI and all is well documented.
Thank you kindly for your replies and help. Have a great weekend I appreciate your help and replies.
Kind Regards
SPIRO
 
