Search results for query: hardening

  1. justinclift

    Should an official Proxmox "Hardening" wiki page be created?

    As a general thought, I'm wondering if an official Proxmox Hardening wiki page would be useful? Maybe placed here or similar? https://pve.proxmox.com/wiki/Hardening Asking because hardening a server (or cluster thereof) isn't rocket science, but seems to be under documented apart from various...
  2. Dunuin

    Storage (how would you?)

    ...you customize PVE a lot because you want stuff like UPS client, monitoring agent, encryption, SMTP relay server, log collector, security hardening, ... If it is easy to reinstall PVE, you either spend a lot of time initially creating scripts or ansible playbooks to automate all set up. Or you...
  3. T

    rpcbind

hi justinclift. we basically restricted rpc to localhost. we did this via adding /etc/systemd/system/rpcbind.socket.d/override.conf: [Socket] ListenStream= ListenDatagram= ListenStream=127.0.0.1:111 ListenDatagram=127.0.0.1:111 ListenStream=[::1]:111 ListenDatagram=[::1]:111 I can't remember...
  4. justinclift

    rpcbind

    @Thomas Jagoditsch How did things go with this? Asking because I'm working out the process for hardening an internet facing 2 node cluster, and rpcbind looks to be bound by default to udp:111 on both of our nodes as well. We've stopped and disabled the service for now (ie: "systemctl disable...
  5. justinclift

    A small script for connecting to SPICE client via ssh tunnel

I'm currently working out the process of hardening a two node Proxmox cluster for internet facing deployment. As part of that I'm moving all ports (other than ssh) to internal network interfaces that aren't publicly accessible. ssh will have its own security configuration, not covered here...
  6. Dunuin

    Tool/scripts to assist with node rebuild

    ...They won't backup anything you changed via CLI, like limiting ZFS ARC, setting up Postfix/NUT/monitoring agents/log collectors/security hardening/... . Only official you will find is this for backing up/restoring the database that contains the configs of /etc/pve...
  7. M

    Understand and prevent (single drive) ZFS data loss

    ...? I'm not here to rant about ZFS, I rather want to understand why it failed so badly, I want to discuss hardening approaches, possible flaws in the ecosystem (better recovery tools?), and collect information about recovery (which is all over the place). So far, I found that * ZFS is very...
  8. S

    Network trouble with Hetzner subnet

...idea to include these recommendations in a Wiki Page or Community Tutorial or something, like "we take no responsibility, but here is a good hardening baseline config for your servers, use at your own risk or something like that". Would avoid lots of Frustration with people getting MAC Abuse...
  9. S

    Network trouble with Hetzner subnet

    ...seemed to help. I also added this in order to Harden the System against Attacks (not really Network related though) in /etc/sysctl.d/99-hardening.conf: # eBPF exposes quite large attack surface and must therefore be restricted # These sysctls restrict eBPF to the CAP_BPF capability...
  10. itNGO

    Proxmox server hardening document for compliance

    We are currently testing hardening-script from ovh-cloud. https://github.com/ovh/debian-cis Using Level 3 on a PVE-Server and for now it looks like it is still running normal but far more "secured". Would be really nice to have some more guides or a "more" secured default Proxmox-Install...
  11. weehooey-bh

    Proxmox server hardening document for compliance

    A big part of hardening on any platform is to change default configurations to something more secure. You are right, they both start fairly secure. Install sudo Create and user non-root users Enforce TOTP (TFA) in the GUI on all accounts Ensure TLS certificates for the GUI Harden ssh (guides...
  12. B

    Proxmox server hardening document for compliance

    ...couple of VMs in production server on a 3-node cluster using Proxmox and ceph. Now few auditors are requesting for a guideline for hardening the proxmox installations, since we are running the vms in production. We used the iso files of the Proxmox ve and Proxmox backup server to install...
  13. V

    [TUTORIAL] Cross-Cluster / Remote-Migration: Example with Explanations

    ...the installed debian distribution linux_packages: - '{{ os_architecture }}' - '{{ linux_version }}' # list of file paths to remove path_to_files: - '/etc/hostname' - '/etc/hosts' # security software for hardening purposes security_packages: - 'ufw' -...
  14. R

    VMs with no Internet in bare metal remote server & hardening questions

    ...in almost 3 years now), but I wanted to be covered in case it does change so I don't lose access to it. What are some best practices for hardening this if I'm exposing some VMs to the Internet? I was planning on using an Alpine Linux VM with Nginx Proxy Manager on it and expose only that to...
  15. A

    PVE Cluster Hardening

    The Proxmox VE Cluster uses port 22 (SSH) for data synchronization. In principle, every PVE host in the cluster has equal rights and can connect to every other PVE host in the cluster using SSH. As a result, an attacker who manages to break out of an LXC container or a KVM guest on any PVE host...
  16. A

    cannot get WSL2 to work in Windows 11, that is virtualized inside of proxmox 8

    Microsoft is using Hyper-V technology for an ever increasing number features in Windows, including security hardening I/O. So you can quickly run with an extra nesting layer without knowing. And naturally it doesn't care about compatibility with other hypervisors than its own: why have anyone...
  17. S

    How to configure Fail2Ban for PBS

    Hello, I want to configure fail2ban also for the web-gui of PBS. I followed the wiki and it worked well for PVE. I used the systemd-variant. My PBS is installed directly on the PVE hypervisor and whatever I configure, fail2ban is not detecting failed login attempts. Maybe someone else already...
  18. T

    pveupload temp file at /var/tmp is causing the OS disk to become full and system crash

    ...decision is not to change the solution behavior, most probably, I will end up doing that. But that doesn’t look clean to me; it is a hardening that could be avoided. And will require preparing documentation and procedures to mitigate that one. I want to open a respectful discussion on...
  19. K

    Hardening/fine tuning/start from scratch (not preferred) for a small use case for a startup

There is a certain amount of irony here as that I am an IT guy not knowing which way I need to go, as I had other jobs in life and mostly in the stupid windows world, the current result of my proxmox setup is definitely too overwhelming and thus issues WILL come, and with far not hassle free and...
  20. L

    microk8s connect-external-ceph error

    ...# (core) Distributed Ceph storage using Rook disabled: cert-manager # (core) Cloud native certificate management cis-hardening # (core) Apply CIS K8s hardening community # (core) The community addons repository dashboard # (core) The...