Search results for query: hardening

...to perform compliance scans. For Proxmox there is no official benchmark available. We have to basically build a benchmark ourselves, probably based on the Debian hardening guide and other online information about Proxmox specifics. This should be something we expect from the vendor, Proxmox.

...problem I helped to solve. This is also annoying for people who also stumble over this thread and might be interested whether their problem is similiar to yours. So: Which goal do you want to achieve by hardening? Ticking a box in an audit? Protection against a certain threat (if yes, which...

...to satisfy these specific benchmarks. Assuming that the Proxmox ISO is unusable in a production environment soley based on some online hardening guide you stumbled over is, in my opinion, a bit of a stretch. As Johannes already said, blindly ticking boxes whose implications you don’t fully...

It was discussed in the past, did you already search the forums for it? https://forum.proxmox.com/search/8806046/?q=hardening&o=date Following threads I would consider quite helpful: https://forum.proxmox.com/threads/security-recommendations-for-going-prod-with-pve.172987/...

Hello, I'm looking into hardening Proxmox VE. Unfortunately, there are no official baselines yet for Proxmox, so I'm using the information I can find online and in the Proxmox communities. I came across the following hardening guide...

...of the patch got applied with qemu-server = 9.1.2 which is currently available in the pve-test repository, so it would be great if you could test with that instead! While the early version of the patch should also work, the applied one is a slightly nicer approach and also adds a bit of...

...practically require a SIEM to detect malicious activity, because it’s just a user (eg apache) that runs code within its permitted bounds. SELinux and other hardening tools simply make it better defined what the boundaries for those users are, something that is likely sorely missing from Windows.

...and it should be treated as such. We harden all of our servers, and put security software on all of them, AV/EDR/XDR is not in lieu of hardening it's as well as hardening. It's seen as defence in depth, admin accounts do get compromised and perhaps an AV/EDR agent will pickup malicious...

...list but his point still stands. Beside that before one installs a security software (no matter which) it's more important to do regular hardening of the Linux hosts like reconfiguring ssh to allow only public key or certificate authentication or other best practices of running Linux servers...

I am not convinced of the supreme benefit of adding an antivirus to a hypervisor; it is really more a question of ticking a box, yes. It can be F-Secure, ClamAV, or another one. I haven't seen any official statement from Proxmox on this subject, that's why I'm asking here - and I don't have...

...you to believe you need antivirus on the host are probably the much bigger issue. If by “antivirus” you actually mean general security hardening or third-party security tools, they'd likely need to know which specific software you’re referring to. In that case, it would probably be best to...

Hi, Looks like some monitor commands are too powerful to expose via API tokens and it was intentional security hardening. But you can use supported API calls instead of qom-set, many device changes (CPU, memory, disk, network) now have official API endpoints. For example, virtio-mem resizing...

...directly (or indirectly) on Samba being present, even when CIFS/SMB storage is not configured or used. My Concern: From a security and hardening standpoint, it’s generally desirable to reduce the installed footprint and eliminate unnecessary network-exposed components. While Samba itself...

...1 node but not on the other (it does ask for OTP but is not accepted) Now with allowing password login and allowing root both examples work with no problem. Could someone shine some light on this? Maybe suggest some other hardening? (Firewall is active and only allowing a few IPs) Many...

...zu beschränken. Das ist das was ich da als absolute Baseline betrachten würde. Man kann darüber hinaus natürlich noch weiteres SSH-Hardening + Zugriffe via VPNs einrichten. (Wireguard wäre da meine persönliche Empfehlung) Falls die Workload ins Internet exposed werden soll, würde es sich...

That probably depends on your customers more than it does you. Having some exposure to the industry, I can tell you most studios will effectively give you their policies when you'll submit a vendor security questionnaire. "Proxmox" isnt really relevent in this conversation. Lynis produces a...

...also for the helpful links, we will go through each of them and check everything. Additionally I would like to add that we also found this hardening guide, which seems to be helpful (and may help other readers here later on, too). Be aware we still not verified it completely but we will work...

...way around, I prefer your approach :) I remember some earlier discussions on this e.g. https://forum.proxmox.com/threads/proxmox-server-hardening-document-for-compliance.146961 or https://forum.proxmox.com/threads/proxmox-security-hardening.136924/ The search function will also yield some...

...deployment of our Proxmox hypervisor, as we have experience with PVE, but not directly in production. We would like to know if additional hardening of the PVE hypervisor is necessary. From the outset, we opted for an immutable infrastructure and place value on quality and “doing it right and...

This worked, Thanks Man