Warning about public portmapper on PVE host

JonathanB19

JonathanB19

Member
Proxmox Subscriber
Dec 15, 2015
34
3
8
50
London, England
Sorry if this has been mentioned before but I can't initially find anything. Just got a warning from my ISP about this:

The folks at shadowserver security group are reporting open portmapper hosts to
us, these need to get fixed as they can be used in amplification denial of
service attacks.

There's an open portmapper service exposed to the internet on:
185.xx.xx.xx

That's our PVE 3.4 host - what's the recommended course of action? I've used TCP wrappers to only allow localhost for now.
 
That is probably the RPC portmapper which runs on port 111, which is used for NFS, you could add a Firewall rule which blocks all access from the outside on port 111.

Ideally everything gets blocked by default and only those services/ports you need are enabled (when setting up such rules please be careful that you do not block ssh/yourself out).
 
I block all ports from the Internet to my Proxmox servers IP, with the exception rules for the workstations I do administration from. I only remove the block for software updates, then put it back immediately after. ntp is done to an internal server.
 
Yes, AFAIK you could do that but it's not really recommended, the clean way would be adding a firewall rule in PVE on the Datacenter level.

The procedure would be:
goto Datacenter -> Firewall, here in the Option tab at the bottom enable the firewall and change the input policy to accept (makes it easier at first if you only want to block 111 but nothing else).
Then goto the Rules Tab and add a new Rule with:
Direction: in, Action: drop, protocol: tcp and dest port 111 and enable it.

After that you should be good.

You may do a portscan at your IP to see if it worked:
Code: 
nmap <ip>

In general Erk is right, input policy should be Drop and only rules should be added for those ports or services you need.
Note that on newer PVE versions we enable 22 and 8006 always if not explicit disabled so user do not easy lock them self out.
 
  • Like
Reactions: rcd
You must log in or register to reply here.
Top Bottom