In an absolute buying frenzy I rented a new server for my web services, gaming servers and so on. It was immediately clear that I again throw a proxmox hypervisor on it and since the new server is so potent, I combine all services on it later. :-) Since the server is hosted by a big german provider this time, the scanner of the BSI of course runs over this IP address range and reminded me directly that I should do some server hardening.
RPC, RPCBIND (port 111)
rpc is (rightly) considered an insecure protocol and of course should not be available to the whole world. But in the default installation of proxmox the service is active and running by default. Now you have a few options
- disable the service completely (because it is more or less only necessary for NFS connections)
- prevent access via proxmox firewall
- prevent access via the network firewall, behind which the proxmox server hangs.
In my setup the complete disabling is the best choice, so:
1
systemctl disable --now rpcbind.service rpcbind.socket