Harden PMG server

W

workpush

New Member
Feb 6, 2023
14
1
3
Hello!

I have a PMG-Cluster on 2 public available VPS servers and want to increase the security.
I found this:
https://github.com/killmasta93/tutorials/wiki/PMG-Harden
Most of it makes the filter rules more advanced, but I am interested in the server itself. So one thing mentioned there, would be fail2ban.

One thing I found in the `syslog`, is that many many incoming requests on the ssh service are incoming.
So I tried to modify the "/etc/ssh/sshd_config"
Code: 
Port 222
PasswordAuthentication no
UsePAM no
PermitRootLogin prohibit-password
but this broke the cluster sync, because it uses rsync.

I also just had a nmap scan:
Code: 
> $ nmap -p 1-35000 pmg-03.XXX.de                            
Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-08 01:08 CET
Nmap scan report for pmg-03.XXX.de (45.132.XXX.XXX)
Host is up (0.038s latency).
Not shown: 34993 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
25/tcp   open     smtp
26/tcp   open     rsftp
111/tcp  open     rpcbind
517/tcp  filtered talk
518/tcp  filtered ntalk
8006/tcp open     wpl-analytics
In the firewall settings I just could find a few of them: https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#firewall_settings
Which ports are you closing? What are port 111, 517 and 518 used for?

I actually don't need the API access - is it needed for a cluster? Can you disable that?

What do you do to harden your PMG server? Or would you say it is "secure" by default?
 
Last edited:
Hello.
Why do you simple don't close all ports, except 25/smtp by firewall from all, and then open only needed ports (22/ssh etc) between cluster members?
 
workpush said:
One thing I found in the `syslog`, is that many many incoming requests on the ssh service are incoming.
So I tried to modify the "/etc/ssh/sshd_config"
Click to expand...
a) consider setting up fail2ban if you really want to have PMG's ssh-port available to the general internet
b) you can try to also configure /etc/ssh/ssh_config on your clusternodes to use port 222 for all your PMG hosts... - haven't tried that one explicitly but it probably would work

workpush said:
Which ports are you closing? What are port 111, 517 and 518 used for?
Click to expand...
port 111 is rpcbind - if you don't use NFS you can probably simply uninstall it
517 and 518 are in state filtered - thus I assume some kind of firewall/acl on a router is preventing access to those - either configured on your premises or by your ISP...

workpush said:
I actually don't need the API access - is it needed for a cluster? Can you disable that?
Click to expand...
The API also provides access to the GUI - how do you want to administrate your PMG?
and yes the API is needed for a cluster (so at least keep it accessible from the clusternodes )

I hope this helps!
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back