Recent content by egberts

it should be possible to draft a drop-in sshd_config (into the sshd_config.d subdirectory in sshd split-config mode) just for the for this PVE cluster usage (and also for some web-based retrieved by-ssh status APIs) . this is what I am doing.

Doing a little peek at sshd by doing a show process command: /usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc...

Given that OpenSSH is dropping RSA from its default lineup of KeX algorithms, I proceeded to do the same for Proxmox here. Unfortunately, the removal of the RSA-related `ssh_host_rsa_key`/`ssh_host_rsa_key.pub` file resulted in some sporadic web-based popup "Error" message: ``` can't open...

currently my problem. especially if i pulled the Ethernet cable from my switch. but restart of Debian 11 VM init.d/networking does that also for me. im troubleshooting this. but i do do think Proxmox bridge (original post is about Ethernet link) does need to somehow keep its IP address...

Hetzner support should have sent a PCAP file of the offending packets. would go a lot quicker toward this problem resolution. My advice would be to start a ‘tcpdump -i enp5s0 -w /tmp/capture.pcap‘ and let it run until the Hetzner support complains then peruse the PCAP with Wireshark for...

Wonderful. Quick, make a Proxmox FAQ outta this, please!

I please send GPG public key for more details

that’s an interesting business model, that is until a persistent script appears that cannot be verified or removed by either Debian nor Proxmox APT protection. Thank you for the clarification.

the installer-loader crafted by Proxmox and placed in Proxmox ISO could easily be that unchecksumed/unverifiable executable and slipped into the HTTP data stream quite easily using most Man-in-the-Middle that are available in Github/Gitlab. Of course, same MitM’d ISO can also match the...

Trying to set the Debian apt sources.list using https URI instead of http in compliance with many computer security standards. Am getting following error: ``` $apt update … Err:8 https://download.proxmox.com/debian/pve buster Release Certificate verification failed: The certificate is NOT...

Don’t run the ethtool on vmbrX interfaces if the real physical (enp8s0) is the one that is breaking the link. Use `ethtool enp8s0` a couple more things to note on link breakage at Ethernet/802.11 data link: 1. Longer or bad cable (inspect entire length) 2. bad connector 3. router/switch is...

First thing first, you cannot put an IP on a network device that lays total claim on it by another network device. That said, you cannot assign an IP on a physical Ethernet device if bonding or bridging device lays claim on it. You can only place an IP address on the bridge or bonding...

I use strictly all nftables/nft settings (no pve-firewall). Custom port-scanning detector, custom portknockers, custom DDoS mitigation. No D-Bus. snort, bro, suricata on tap. However, in interest of seeing where this pve-firewall is going, my .nft firewall text configuration files also uses...

This is a POLL thread in an attempt on covering all the models of firewall and Proxmox to help us better guage the future direction which we all collectively think that Proxmox should be supporting. Assumption must be made here for brevity of your reply: you make uses of Debian 10.6 and Proxmox...