Search results for query: hardening

  1. F

    Custom CPU model with security fix

    Hello, Am I wrong to define a custom x86-64-v2-AES like that? in /etc/pve/virtual-guest/cpu-models.conf: cpu-model: my-x86-64-v2-AES flags +aes;+popcnt;+pni;+sse4.1;+sse4.2;+ssse3;+md-clear;+pcid;+spec-ctrl;+ssbd;+pdpe1gb reported-model qemu64 hidden 0 Goal is to...
  2. H

    Proxmox server hardening document for compliance

    Hi y’all, I’ve released a Proxmox hardening guide (PVE 8 / PBS 3) that extends the CIS Debian 12 benchmark with Proxmox specific tasks. Repo: https://github.com/HomeSecExplorer/Proxmox-Hardening-Guide A few controls are not yet validated and are marked accordingly. If you have a lab and can...
  3. D

    Acronis Backup-support for Proxmox is here, but...

    ...as it could expose the hypervisor to potential exploits. Is there a roadmap to address these security concerns, perhaps through enhanced hardening or isolation? Ideally, we’d love to see an appliance-based backup solution similar to what’s offered for VMware, or at least the option to...
  4. G

    Alpha Testing - GitHub repo open: Feature Proposal: Lightweight “SMB Gateway” Add‑on for Proxmox VE (GUI‑managed native/LXC/VM options)

    ...joining and authentication - **HA with CTDB**: High availability clustering - **Performance Monitoring**: Real-time metrics - **Security Hardening**: SMB protocol security ### ** Known Limitations** - VM mode requires manual template setup - AD integration needs real domain testing - HA...
  5. G

    Alpha Testing - GitHub repo open: Feature Proposal: Lightweight “SMB Gateway” Add‑on for Proxmox VE (GUI‑managed native/LXC/VM options)

    ...CTDB**: High availability clustering (needs multi-node testing) - **Performance Monitoring**: Real-time metrics collection - **Security Hardening**: SMB protocol security features ## **Key Benefits for Administrators** | **Traditional Method** | **SMB Gateway** | **Administrator Benefit** |...
  6. R

    How to "luks" without physical installation

    ...with any further configurations. I’ve read some articles recommending a single partition approach, such as this one: https://dustri.org/b/hardening-proxmox-against-physical-attacks.html. Additionally, I’ve come across many resources that suggest using full disk encryption combined with ZFS...
  7. LnxBil

    Proxmox server hardening document for compliance

    ...admin users that can use sudo? Is this all done manually? Maybe add TOTP to local admin users, too Restrict SSH even more, e.g. via this hardening guide. SSH only from management lan via SSH config or via Firewall? This is not very clear in the document. SIEM is good, but AFAIK there is no...
  8. H

    Is hardening enough?

    A real quick question guys. I have a few containers exposed and I want to be able to protect them as best as I can. At the gateway is NPM and then LXC and VMs. So is hardening the Proxmox firewall sufficient or is it recommended to have something between the NPM and the containers?
  9. D

    UEFI PXE Boot Issues After Upgrading from Proxmox VE 8.3.4 to 8.3.5

    Hello, I need boot order has working in mode EFI for a mode deployment OS with automation by WDS full. For post-installation, I was required to switch boot order Net by Disk. Required Fix please.
  10. P

    [SOLVED] Question - Update from debian, an old bug ?

    ...v4 and add repack options. * d/copyright: Convert to machine-readable format, adding missing info. Closes: #1024602. * Enable all hardening flags (Christian Göttsche). Closes: #1021082. * Fix build on musl (Helmut Grohne). Closes: #1023053. -- Matthias Klose <doko@debian.org>...
  11. H

    Upgrade from 8.3 to 8.4 server no longer boots

    ...without quiet. System hangs at loading initial ramdisk image, eventually continuing the boot process. So far three servers with the same configuration have this issue. I'm going to try a 4th DL360, but it is not in the same cluster and is configured differently with no extra hardening applied.
  12. D

    UEFI PXE Boot Issues After Upgrading from Proxmox VE 8.3.4 to 8.3.5

    I know, but even if you have an EFI disk present which doesn't have secureboot enabled, the PXE option is still gone.
  13. fabian

    UEFI PXE Boot Issues After Upgrading from Proxmox VE 8.3.4 to 8.3.5

    that will disable secureboot, which is the precondition for a lot of those hardening measures.
  14. D

    UEFI PXE Boot Issues After Upgrading from Proxmox VE 8.3.4 to 8.3.5

    I can also confirm that you'll get the PXE option back without having an RNG device if there's no EFI disk present at all. Just remove your EFI disk and the option will be back, this makes the so called "hardening" measure even more nonsense to me.
  15. B

    UEFI PXE Boot Issues After Upgrading from Proxmox VE 8.3.4 to 8.3.5

    ...and here I thought it was just me. ;) Me too! (I've been running PVE for almost two weeks, haven't a clue what VirtIO RNG even is yet.) I have no idea what that means, but thank you for the explanation!
  16. T

    UEFI PXE Boot Issues After Upgrading from Proxmox VE 8.3.4 to 8.3.5

    I've just created a new VM, and the VirtIO RNG is not automatically added. Would it be better to add it automatically when a new VM is created? I think some people will be surprised that their VMs can no longer PXE boot :(
  17. fabian

    UEFI PXE Boot Issues After Upgrading from Proxmox VE 8.3.4 to 8.3.5

    because EDKII implemented a security hardening measure that means network booting requires a source of entropy, if none is found network booting is disabled.
  18. I

    [SOLVED] Proxmox and OPNsense - Network speed issue

    I love you man !!! This solved the issue I've been fighting against for the past 2 days....
  19. LnxBil

    Working on hardening Proxmox hosts - looking for advice regarding some findings

    I would also be interested in the results of this CIS hardening. As you've already said ... why would adding another insecure ring of encryption help in this case? Having the encrypted data AND the key to decrypt it on the same machine does not make the system more secure. Can you try to...
  20. T

    Guidance on hardening/disabling SSH

    I'm currently hardening my environment, and my current task is SSH. Looking at my single VE node, I see that SSH is enabled. After a quick search, it seems SSH may be required for VE operations. I use only the web interface, I never SSH into VE. VE is not in a cluster, although that could change...