How to close open port 111

wwweiss
Apr 28, 2018
I am completely new to Proxmox Mail Gateway. Installation went like a charm, everything is up and running on a virtual machine inside Hyper-V. I am just playing around, not yet really using the system.
Only two days after my installation I got some complaints from reports.cert-bund.de that this system has open port 111 (udp).
Is it necessary to have this port open? My system is not behind a firewall, so I would like to have only necessary ports open.
Can anybody help me how to close this port without losing needed functions?
 
Thanks for this info.
Just for some other newbies: I disabled rpc with
# service rpcbind stop
# systemctl disable rpcbind

I would suggest to disable this by default, when using the proxmox iso.
 
Got the same report just a few days after setting up the system. For sure, it's possible to disable services which are not required; however, maybe it's better to have a firewall on the system itself (though RPC seems to be the only service not bound to localhost which is not required but enabled/started). I used

# apt-get install ufw
# ufw enable
# ufw default deny incoming
# ufw default allow outgoing
# ufw allow ssh
# ufw allow smtp
# ufw allow 8006

Even better: I set up OpenVPN later on and also closed ports 8006 and ssh from the whole internet, limiting them to my VPN connection.
 
Can one of these two changes be included in a future PMG release?

  • Disable rpcbind by default
  • Add a configuration knob to "Administration > Services" in the GUI/API so that it can be controlled without needing to make CLI-based changes

I wanted to surface this old thread. I noticed a few things when comparing the documentation to the reality on the PMG server.

Here are the firewall settings from the documentation:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#firewall_settings

Here is the output of sudo ss -tulwn | grep LISTEN:
Code:
tcp   LISTEN 0      4096         0.0.0.0:111        0.0.0.0:*         
tcp   LISTEN 0      100          0.0.0.0:25         0.0.0.0:*         
tcp   LISTEN 0      100          0.0.0.0:26         0.0.0.0:*         
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*         
tcp   LISTEN 0      4096       127.0.0.1:10023      0.0.0.0:*         
tcp   LISTEN 0      4096       127.0.0.1:10022      0.0.0.0:*         
tcp   LISTEN 0      100        127.0.0.1:10025      0.0.0.0:*         
tcp   LISTEN 0      4096       127.0.0.1:10024      0.0.0.0:*         
tcp   LISTEN 0      244        127.0.0.1:5432       0.0.0.0:*         
tcp   LISTEN 0      4096       127.0.0.1:85         0.0.0.0:*         
tcp   LISTEN 0      4096            [::]:111           [::]:*         
tcp   LISTEN 0      100             [::]:25            [::]:*         
tcp   LISTEN 0      100             [::]:26            [::]:*         
tcp   LISTEN 0      128             [::]:22            [::]:*         
tcp   LISTEN 0      4096               *:8006             *:*

Here is the specific output of sudo lsof -i -P -n | grep LISTEN | grep :111
Code:
systemd       1     root   36u  IPv4  18453      0t0  TCP *:111 (LISTEN)
systemd       1     root   38u  IPv6    228      0t0  TCP *:111 (LISTEN)
rpcbind     509     _rpc    4u  IPv4  18453      0t0  TCP *:111 (LISTEN)
rpcbind     509     _rpc    6u  IPv6    228      0t0  TCP *:111 (LISTEN)
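An added example, not code from this thread or from Proxmox: a small POSIX shell audit that parses `ss -tulwn` output and reports every socket bound to a non-loopback address whose port is not on the list of publicly reachable ports that the listing above and the PMG firewall documentation account for (the `PMG_ALLOWED_PORTS` allowlist of 22, 25, 26 and 8006 is an assumption to adjust for your deployment). One caveat the check addresses: filtering on LISTEN, as in the commands above, drops UDP sockets entirely because ss reports them with state UNCONN, yet the cert-bund report was about udp/111, so the audit looks at both protocols. The sample input is constructed to mirror the posted output.

```shell
#!/bin/sh
# Added example, not from the thread: flag sockets reachable from the network
# that the PMG documentation does not account for (rpcbind on 111 above).

# Assumption: these are the ports PMG legitimately exposes on this host
# (ssh 22, smtp 25/26, web GUI 8006, as in the ss listing above). Adjust as needed.
PMG_ALLOWED_PORTS="22 25 26 8006"

# Constructed sample in `ss -tulwn` format. The udp line is what the
# `grep LISTEN` in the thread silently discards, since ss prints UDP
# listeners with state UNCONN.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      4096         0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      100          0.0.0.0:25         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:10023      0.0.0.0:*
tcp   LISTEN 0      4096            [::]:111           [::]:*
tcp   LISTEN 0      4096               *:8006             *:*
udp   UNCONN 0      0            0.0.0.0:111        0.0.0.0:*'

# Read ss output on stdin; print one "<proto>/<port>" line per socket that is
# bound to a non-loopback address and whose port is not in the allowlist.
unexpected_public_listeners() {
    awk -v allowed="$PMG_ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "tcp" && $1 != "udp" { next }   # header line, raw sockets, etc.
        {
            laddr = $5
            port = laddr; sub(/.*:/, "", port)       # text after the last ":"
            host = laddr; sub(/:[^:]*$/, "", host)   # text before the last ":"
            # loopback binds are not reachable from other hosts
            if (host ~ /^127\./ || host == "[::1]") next
            if (port in ok) next
            key = $1 "/" port
            if (!(key in seen)) { seen[key] = 1; print key }   # dedupe v4/v6
        }'
}

# Run the check over the constructed sample (what the thread's host would show).
audit_sample() {
    printf '%s\n' "$SAMPLE_SS" | unexpected_public_listeners
}

# Live use on a PMG host (commented out so this file can be sourced by a test):
# ss -tulwn | unexpected_public_listeners
```

On the sample the audit reports `tcp/111` and `udp/111` and nothing else; the IPv4 and IPv6 rpcbind sockets collapse into one line per protocol, and the loopback-only Postfix, PostgreSQL and port 85 listeners are ignored because nothing outside the host can reach them.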
 
I wanted to surface this old thread. I noticed a few things when comparing the documentation to the reality on the PMG server.

Here are the firewall settings from the documentation:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#firewall_settings
The settings describe which ports need to be open for PMG to work (see also the 'from' and 'to' lines).

The only thing that might warrant mentioning is explicitly stating that ssh (tcp/22) from an admin workstation might be a good idea.

Else, apart from 111, all other ports with public listeners are shown there as well.

Regarding port 111: it should work to just remove `rpcbind, nfs-common` if you don't need it.
We might consider doing so in a future version, but since it's expected to deploy PMG behind a firewall (or configure iptables/nft on it), it's not really high priority.

I hope this explains it!
 
Understood. I am using PMG in a VM on PVE, so I noticed that there is a setting in PVE at:
Datacenter > {node} > {vm} > Firewall

I think I will take a look at enabling and configuring that to match the needs for PMG in the documentation.

Is there a quickstart that I can look at for configuring that PVE feature correctly for PMG? Also, am I correct in thinking that this is an appropriate firewall to deploy PMG behind?
 
Also, am I correct in thinking that this is an appropriate firewall to deploy PMG behind?
Should work fine. You can use nmap to test that it works as expected (from an outside workstation ;) ) - https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#nmap

Is there a quickstart that I can look at for configuring that PVE feature correctly for PMG?
No - not yet - potentially a page in the wiki for this might be warranted though. If you like, please open an enhancement request (for pmg->Documentation) over at https://bugzilla.proxmox.com
 
Thanks for the help. Two more questions:

1) I was able to disable the service on port 111 using the following commands (slightly modified from an earlier post to only use the systemd commands). You mentioned "just remove `rpcbind, nfs-common` if you don't need it". You mean the packages, correct? I ran apt purge rpcbind and this zapped both packages.
Bash:
systemctl stop rpcbind
systemctl disable rpcbind

2) I'd be happy to write a tutorial for configuring PVE firewall for PMG. Should I post a draft set of changes as a tutorial thread here on the forums for editing and feedback or just put it all on Bugzilla, or something else? I may get some aspect of it incorrect on the first try.
 
By disabling rpcbind ... wasn't it required for the NFS hard drive mapping?
And if turned off, was it just for auto discovery, as in having an NFS datastore? If it's set manually, will it be ok, or will it just not be mounted when PVE boots?

/etc/pve/storage.cfg
Code:
nfs: nfs
	export /sda3/extradrive
	path /mnt/pve/nfs
	server 192.22.45.5
	options vers=4.1
	content images,dump
	nodes pve-test
 
Thanks for the write-up, I will try it out later today. Also, not sure, but for a SPICE connection that connects via a key, was it direct or does it need a firewall rule as well?
 
I have no idea about SPICE. I don't see why someone would want to use SPICE in conjunction with a Linux console without a GUI. The GUI control is through port 8006 for PMG.
 