Post-Install: Security
Settings post-install Proxmox
What this category covers
Post-install security is limited to host hardening that is safe to apply unattended — things that disable services almost nobody needs and that can be undone from the Uninstall menu. Active security tooling (Fail2Ban for intrusion prevention, Lynis for auditing) lives under the dedicated Security entry on ProxMenux's main menu, not here in post-install.
Disable portmapper / rpcbind
rpcbind (formerly portmap) is a service that maps RPC program numbers to network ports. It is a dependency for NFS and some legacy RPC-based tools. On a typical Proxmox host that is not acting as an NFS server, nothing uses it — and leaving it enabled keeps port 111/tcp listening on every interface.
Why it's worth disabling
- Reduces the host attack surface — one less listening service to worry about.
- Historically abused as a reflection/amplification vector in DDoS attacks. Disabling
rpcbindremoves that amplification factor for your host. - Removes the noise it generates in logs and
netstat/ssoutput, making real activity easier to spot.
Don't disable this if you use NFS
NFS server and NFS client rely on
rpcbind to negotiate the ports used by mountd, statd, lockd, etc. If your Proxmox host either exports NFS shares to other machines or mounts NFS shares from a NAS, do not apply this option. Mounts will fail with mount.nfs: rpc.statd is not running or similar.What ProxMenux runs
# Stop and disable the rpcbind service
systemctl stop rpcbind
systemctl disable rpcbindThe package stays installed (so you or another tool can re-enable it later). The service unit is disabled so the service does not come back on reboot.
Verification
After applying, confirm rpcbind is off and nothing is listening on port 111:
systemctl is-active rpcbind # should report: inactive
systemctl is-enabled rpcbind # should report: disabled
ss -tulpn | grep ':111 ' # should return nothingReversible from the Uninstall menu
This change is tracked. Open Uninstall Optimizations and pick RPC Disable to restore it. Nothing is purged from the system — just re-enable the service and it starts again.
Related
- Security menu — heavier hitters: Fail2Ban (intrusion prevention) and Lynis (audit).
- Lynis — audit the host to find more hardening opportunities.
- Useful System Commands — service status, journalctl, lynis audit reference.
- Customizable Post-Install — back to the parent menu.