rpcbind in default proxmox installation can be abused for DDoS-Reflection-attacks

RMM

Renowned Member
Oct 25, 2013
Hi

I've just made a new Proxmox installation a few days ago on a server on the internet.
Today I've got a message from the server provider that the BSI (German Federal Office for Information Security) contacted them because the server can be abused for DDoS reflection attacks.
I've just deactivated the service (since unfortunately it's impossible to uninstall it).

systemctl disable rpcbind

So I guess the problem should be solved for me.

But I think it's pretty unfortunate that the default installation of Proxmox exposes that service to the internet.
 
Hi,

yes, every rpcbind can be abused.
This is why, if the host is public, you have to use a firewall and configure it correctly.
Proxmox has a built-in firewall which will do this.
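A quick way for a host owner to check whether rpcbind is still reachable beyond loopback (and so needs the firewall rule discussed above) is to look at the listening sockets. This is an added example and not code from the thread or from Proxmox; the `ss` output embedded below is constructed, and the function names are my own.

```shell
#!/bin/sh
# Audit rpcbind exposure from `ss -H -lntup` output (one socket per line,
# columns: Netid State Recv-Q Send-Q Local:Port Peer:Port Process).

# Print every rpcbind socket whose local address is not loopback.
exposed_rpc_sockets() {
    awk '
        /"rpcbind"/ {
            addr = $5                      # e.g. 0.0.0.0:111 or [::]:111
            sub(/:[0-9]+$/, "", addr)      # strip the port number
            if (addr != "127.0.0.1" && addr != "[::1]")
                print $1, $5               # protocol and local address
        }'
}

# Number of rpcbind sockets reachable from outside; 0 is the desired state.
count_exposed_rpc_sockets() {
    exposed_rpc_sockets | wc -l | tr -d ' '
}

# Constructed sample in `ss -H -lntup` format (not a real capture):
# rpcbind bound to all addresses on TCP and UDP 111, pvedaemon on
# loopback only, pveproxy on 8006.
SAMPLE_SS='udp UNCONN 0 0 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=512,fd=5))
udp UNCONN 0 0 [::]:111 [::]:* users:(("rpcbind",pid=512,fd=7))
tcp LISTEN 0 4096 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=512,fd=4))
tcp LISTEN 0 4096 127.0.0.1:85 0.0.0.0:* users:(("pvedaemon",pid=800,fd=6))
tcp LISTEN 0 4096 *:8006 *:* users:(("pveproxy",pid=900,fd=6))'

# Audit the live host when ss is available, otherwise use the sample.
audit_rpcbind() {
    if command -v ss >/dev/null 2>&1; then
        ss -H -lntup
    else
        printf '%s\n' "$SAMPLE_SS"
    fi | count_exposed_rpc_sockets
}

# Run stand-alone: print the count so it can be wired into monitoring.
printf 'exposed rpcbind sockets: %s\n' "$(printf '%s\n' "$SAMPLE_SS" | count_exposed_rpc_sockets)"
```

A non-zero count after `systemctl disable rpcbind` means the socket is still alive (for example via socket activation) and port 111 should be dropped at the firewall.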
 
Personally, I just think it's bad practice to activate vulnerable services in a default installation. There has been enough news in the last few years about services which are unsecured in their default configuration and were actively abused.
This one doesn't even really affect the functionality of the server, so I guess there are enough people around who never notice it, and therefore "provide" services for DDoS attacks.
If you think it's really necessary to activate rpcbind in the default installation, at least make it listen only on localhost, or provide a default firewall rule, or or or...

edit:
I myself finished the installation in the late evening, and really didn't expect rpcbind or any other services being activated besides pveproxy, and looked at the installation again only 2 days later...