Securing proxmox cluster on public ip addresses

jinjer

Oct 4, 2010
I would like to secure a Proxmox cluster where the nodes have public IP addresses and there is no separate firewall in front. What would be the best way to proceed?

jinjer

Hi,
I would say strong passwords - like described here: http://xkcd.com/936/

SSH perhaps via key only, and fail2ban to avoid brute force.

And of course apply all security fixes promptly...


Udo

BTW, a firewall doesn't protect against a weak password - the question is, what does a firewall protect on a halfway secure system, where ports must be open to the outside?! I would say - not much (or less).
 
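The key-only SSH and fail2ban advice above, as an added example (not part of the thread and not Proxmox's own tooling): a script that writes the sshd directives, a fail2ban jail for sshd plus one for failed Proxmox GUI/API logins, and a small check that the jail's regex really matches a pvedaemon failure line. Assumptions: a Debian-based PVE host with fail2ban installed, pvedaemon writing authentication failures to /var/log/daemon.log (newer releases log to the journal, where backend = systemd is needed in the jail), and a constructed sample log; the file names and addresses are placeholders.

```shell
#!/bin/sh
# Added example: SSH key-only login, fail2ban jails for sshd and the Proxmox
# login, and a check of the filter regex against constructed log lines.
# Assumptions (not from the thread): Debian-based PVE host, fail2ban installed,
# pvedaemon failures in /var/log/daemon.log. Addresses below are placeholders.

# Directives to append to /etc/ssh/sshd_config. Root stays reachable with a
# key only, because cluster nodes need root SSH between each other.
sshd_hardening() {
    cat <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
MaxAuthTries 3
EOF
}

# /etc/fail2ban/jail.local: sshd jail plus a jail for failed GUI/API logins.
fail2ban_jail() {
    cat <<'EOF'
[sshd]
enabled  = true
maxretry = 3
bantime  = 3600

[proxmox]
enabled  = true
port     = https,http,8006
filter   = proxmox
logpath  = /var/log/daemon.log
maxretry = 3
bantime  = 3600
EOF
}

# /etc/fail2ban/filter.d/proxmox.conf: pvedaemon logs one line per failed login.
fail2ban_filter() {
    cat <<'EOF'
[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =
EOF
}

# Write all three files under $1 (use / on the real host, a scratch dir to test),
# then run `sshd -t` and `fail2ban-client reload` yourself.
install_configs() {
    dir="$1"
    mkdir -p "$dir/etc/ssh" "$dir/etc/fail2ban/filter.d"
    sshd_hardening  >> "$dir/etc/ssh/sshd_config"
    fail2ban_jail   >  "$dir/etc/fail2ban/jail.local"
    fail2ban_filter >  "$dir/etc/fail2ban/filter.d/proxmox.conf"
}

# The filter's failregex as a POSIX ERE: prints the rhost of a matching line,
# nothing for a line that does not match (e.g. a successful login).
pve_failure_host() {
    printf '%s\n' "$1" |
      sed -nE 's/.*pvedaemon\[[0-9]+\]: authentication failure; rhost=([0-9a-fA-F.:]+) user=.* msg=.*/\1/p'
}

# Mimic the jail's decision: hosts with at least $1 failures in the log on stdin.
hosts_to_ban() {
    max="$1"
    while IFS= read -r line; do
        pve_failure_host "$line"
    done | sort | uniq -c | awk -v max="$max" '$1 >= max { print $2 }'
}

# Constructed sample log (not a real capture): three failures from one host,
# one from another, and one successful login that must not count.
SAMPLE_LOG=$(cat <<'EOF'
Mar  1 10:00:01 pve1 pvedaemon[1234]: authentication failure; rhost=203.0.113.7 user=root@pam msg=Authentication failure
Mar  1 10:00:02 pve1 pvedaemon[1234]: authentication failure; rhost=203.0.113.7 user=root@pam msg=Authentication failure
Mar  1 10:00:03 pve1 pvedaemon[1234]: authentication failure; rhost=203.0.113.7 user=admin@pve msg=Authentication failure
Mar  1 10:00:04 pve1 pvedaemon[1234]: authentication failure; rhost=198.51.100.9 user=root@pam msg=Authentication failure
Mar  1 10:00:05 pve1 pvedaemon[1234]: <root@pam> successful auth for user 'root@pam'
EOF
)

# Demo against the sample: with maxretry = 3 only 203.0.113.7 would be banned.
printf '%s\n' "$SAMPLE_LOG" | hosts_to_ban 3
```

The regex check matters because pvedaemon's log format has changed between releases; if `pve_failure_host` prints nothing for a line taken from your own daemon.log, the jail will never ban anyone and `fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf` is the next thing to run.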
There are a lot of ports open on Proxmox by default:

- The cman
- ntpd
- gluster (in my case, and that cannot be protected easily)
- the proxy on port 8006

I mean... there is a handful for any hacker to play with.

On my current installation, I keep the cluster nodes on a private network behind a firewall. However, that is not optimal for customers, who need to log in to a VPN before being allowed access.

Also, all VMs and CTs are on their own private network. They're behind a firewall too, but as you can guess this model is quickly getting expensive and difficult to manage.

I would like to secure the Proxmox nodes properly on a public network and perhaps run the cluster on a dedicated VLAN on private addresses.
Then I'd keep the VMs and CTs with public addresses directly connected to the internet.

What I'm looking for in reality seems to be a separation between the nodes and their management and the CT/VM network (like openstack and similar projects).

Is this possible ?
 
You need a private network just for cluster communication, or else you are more than likely going to have an unstable cluster. Unicast/multicast is very sensitive and really needs dedicated NICs. You can of course have other interfaces public, but none of the actual clustering communication should be happening over public-facing networks.
 
I would like to secure a Proxmox cluster where the nodes have public IP addresses and there is no separate firewall in front. What would be the best way to proceed?

jinjer

Simply configure iptables on the cluster nodes. Allow only the IP addresses and ports that you need for your customers and drop everything else. Of course, you will allow full communication between cluster nodes. The outside world will see only the allowed services.

I've had a Proxmox box on a public IP for years and the only thing reachable from outside is SSH on a non-standard port, allowed only from a specific IP. Everything else, like mail services, is redirected inside the virtuals.
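The setup described in the post above (default drop, full traffic between nodes, SSH on a non-standard port from one address only, GUI only for the ranges that need it), as an added example that is not from the thread and not Proxmox's own firewall: a script that generates an iptables-restore ruleset for one node. The node, admin and customer addresses and the SSH port are placeholders; the rule set is IPv4 only, and the listening ports on your own host should be confirmed with `ss -lntup` before applying it.

```shell
#!/bin/sh
# Added example: default-drop iptables ruleset for a Proxmox node on a public
# address, in iptables-restore format, generated per node so the node's own
# address is not whitelisted against itself.
# Assumptions (not from the thread): IPv4 only, placeholder addresses below,
# conntrack match available. Bridged guest traffic is not filtered by INPUT
# at all, so the VMs/CTs on the public bridge are unaffected by these rules.

NODES="203.0.113.11 203.0.113.12 203.0.113.13"   # all cluster members (placeholders)
ADMIN="198.51.100.9"                              # the only address allowed to SSH
SSH_PORT="2222"                                   # non-standard SSH port
CUSTOMERS="198.51.100.0/24"                       # ranges allowed to reach the GUI on 8006

# Print the ruleset for the node whose address is $1.
build_ruleset() {
    me="$1"
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    # Full communication between cluster members (cman/corosync, gluster,
    # migration). With the cluster on a private VLAN, list those addresses.
    for n in $NODES; do
        [ "$n" = "$me" ] && continue
        printf '%s\n' "-A INPUT -s $n -j ACCEPT"
    done
    # Management: SSH from the admin address only, GUI from customer ranges only.
    printf '%s\n' "-A INPUT -p tcp --dport $SSH_PORT -s $ADMIN -m conntrack --ctstate NEW -j ACCEPT"
    for c in $CUSTOMERS; do
        printf '%s\n' "-A INPUT -p tcp --dport 8006 -s $c -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else (port 22, ntpd, gluster from outside) hits the DROP policy.
    printf '%s\n' 'COMMIT'
}

# Number of INPUT rules generated, for sanity checks.
count_rules() {
    build_ruleset "$1" | grep -c '^-A INPUT'
}

# Validate, then load atomically. Keep a console session open in case the
# admin address or SSH port is wrong, since the DROP policy locks you out.
apply_ruleset() {
    build_ruleset "$1" > /tmp/pve-rules.v4 \
      && iptables-restore --test /tmp/pve-rules.v4 \
      && iptables-restore /tmp/pve-rules.v4
}

# Usage: sh pve-fw.sh 203.0.113.11 | less   (review), then apply_ruleset on the node.
[ -n "${1:-}" ] && build_ruleset "$1"
```

Two things to check before trusting this on a live host: the ESTABLISHED,RELATED rule is what keeps the node's own outbound connections (apt, NTP) working despite the DROP policy, and if the cluster ring runs over a private VLAN the NODES list must contain those private addresses, not the public ones, or corosync/cman traffic will be dropped and the cluster will fence itself.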
 
This is a very good setup. On top of it, the hosting provider must have good DDoS protection, otherwise, despite the firewall mitigation rules, a flood could block the public network, the cluster nodes fail to communicate and trigger false-positive reboots.
 
