Harden PMG server

workpush

Feb 6, 2023
Hello!

I have a PMG-Cluster on 2 publicly available VPS servers and want to increase the security.
I found this:
https://github.com/killmasta93/tutorials/wiki/PMG-Harden
Most of it makes the filter rules more advanced, but I am interested in the server itself. So one thing mentioned there would be fail2ban.

One thing I found in the `syslog` is that many, many requests are coming in on the ssh service.
So I tried to modify the "/etc/ssh/sshd_config"
Code:
Port 222
PasswordAuthentication no
UsePAM no
PermitRootLogin prohibit-password
but this broke the cluster sync, because it uses rsync.

I also just ran an nmap scan:
Code:
> $ nmap -p 1-35000 pmg-03.XXX.de                            
Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-08 01:08 CET
Nmap scan report for pmg-03.XXX.de (45.132.XXX.XXX)
Host is up (0.038s latency).
Not shown: 34993 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
25/tcp   open     smtp
26/tcp   open     rsftp
111/tcp  open     rpcbind
517/tcp  filtered talk
518/tcp  filtered ntalk
8006/tcp open     wpl-analytics
In the firewall settings I just could find a few of them: https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#firewall_settings
Which ports are you closing? What are port 111, 517 and 518 used for?

I actually don't need the API access - is it needed for a cluster? Can you disable that?

What do you do to harden your PMG server? Or would you say it is "secure" by default?
Hello.
Why don't you simply close all ports except 25/smtp in the firewall for everyone, and then open only the needed ports (22/ssh etc.) between cluster members?
One thing I found in the `syslog` is that many, many requests are coming in on the ssh service.
So I tried to modify the "/etc/ssh/sshd_config"
a) consider setting up fail2ban if you really want to have PMG's ssh-port available to the general internet
b) you can try to also configure /etc/ssh/ssh_config on your cluster nodes to use port 222 for all your PMG hosts... - haven't tried that one explicitly but it probably would work

Which ports are you closing? What are port 111, 517 and 518 used for?
port 111 is rpcbind - if you don't use NFS you can probably simply uninstall it
517 and 518 are in state filtered - thus I assume some kind of firewall/ACL on a router is preventing access to those - either configured on your premises or by your ISP...

I actually don't need the API access - is it needed for a cluster? Can you disable that?
The API also provides access to the GUI - how do you want to administer your PMG?
And yes, the API is needed for a cluster (so at least keep it accessible from the cluster nodes).

I hope this helps!
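Putting the two replies together (drop everything by default, expose only smtp, allow ssh and the 8006 API/GUI port only from the other cluster node, optionally on a moved ssh port), here is an added example that is not from the thread or from Proxmox: a small POSIX sh generator for an nftables ruleset, plus a check that runs over a constructed copy of the nmap output above and lists the ports that are still publicly open but should not be. The peer addresses, the `PMG_SSH_PORT` variable and the table name `pmg_harden` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or from Proxmox): generate an nftables
# ruleset implementing the reply's advice: 25/tcp open to everyone, ssh and
# the PMG API/GUI (8006/tcp, needed for cluster sync) reachable only from the
# other cluster node(s), everything else dropped.
# Assumptions: peers are IPv4 (IPv6 peers would need a second set), the ssh
# port comes from PMG_SSH_PORT (22 by default, 222 if you moved it), and the
# ruleset is only printed here; review it and load it yourself with `nft -f`.

gen_pmg_ruleset() {
    ssh_port="${PMG_SSH_PORT:-22}"
    peers=""
    for p in "$@"; do                       # build "a, b, c" for the nft set
        peers="${peers:+$peers, }$p"
    done
    printf 'table inet pmg_harden {\n'
    printf '  set cluster_peers {\n    type ipv4_addr\n    elements = { %s }\n  }\n' "$peers"
    printf '  chain input {\n'
    printf '    type filter hook input priority 0; policy drop;\n'
    printf '    iif lo accept\n'
    printf '    ct state established,related accept\n'
    printf '    ct state invalid drop\n'
    printf '    tcp dport 25 accept\n'                 # mail from anyone
    printf '    ip saddr @cluster_peers tcp dport { %s, 8006 } accept\n' "$ssh_port"
    printf '  }\n}\n'
}

# Given nmap's normal output on stdin and a comma-separated list of ports that
# may be publicly open, print the open TCP ports that are not on that list
# (filtered ports are ignored: something upstream already blocks them).
unexpected_public_ports() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $2 == "open" && $1 ~ /^[0-9]+\/tcp$/ {
            split($1, p, "/")
            if (!(p[1] in ok)) printf "%s%s", (c++ ? " " : ""), p[1]
        }
        END { print "" }'
}

# Constructed sample, modelled on the scan in the question (no real hosts).
SAMPLE_NMAP='PORT     STATE    SERVICE
22/tcp   open     ssh
25/tcp   open     smtp
26/tcp   open     rsftp
111/tcp  open     rpcbind
517/tcp  filtered talk
8006/tcp open     wpl-analytics'
printf '%s\n' "$SAMPLE_NMAP" | unexpected_public_ports 25   # → 22 26 111 8006
```

Run the check against a fresh scan from outside the cluster after loading the ruleset: with only smtp allowed publicly it should print nothing.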