Search results for query: hardening

  1. spirit

    live migration: ram_save_setup failed: Input/output error

    for hardening, you can do something like

        DisableForwarding yes
        Match User root Address <<10.0.10.0/24,10.0.20.0/24>>
            DisableForwarding no
            AllowTcpForwarding yes
            X11Forwarding no
            AllowAgentForwarding no
            PermitTunnel no

    (replace network address by your proxmox management subnet)
  2. I

    live migration: ram_save_setup failed: Input/output error

    Same here :) EDIT: Also, when you are using Veeam, backup fails with the general error "Failed to connect the NBD server to the hypervisor host". So let's write it here so others can find it, since I did not find it on Google anywhere; this can be the root cause.
  3. O

    Establishing Proxmox VE as a Cross-Platform Hypervisor with Full RHEL/EL9 Ecosystem Support

    ...sectors, RHEL is the baseline. These organizations rely on SELinux mandatory access controls, FIPS 140-3 certification, and kernel-level hardening that is natively integrated into the EL (Enterprise Linux) ecosystem. Proxmox’s current Debian-only stance creates a "silo" that prevents seamless...
  4. J

    [TUTORIAL] Unofficial Kernel 7.0.0 RC3 Proxmox test.

    ...Performance Extensions (32 GPRs instead of 16). Future Nova Lake / Diamond Rapids VMs will run significantly faster. Phoronix IBPB-On-Entry Hardening for AMD SEV-SNP Automatic indirect branch prediction barrier on every VM entry for confidential guests. Stronger protection on Zen 5 EPYC...
  5. J

    Issues implementing pam_faillock and pam_pwquality on Proxmox VE

    Hi everyone, I’m currently hardening a Proxmox VE environment for enterprise use, but I’m running into significant issues when enabling pam_faillock and pam_pwquality. The Issues: Authentication Bypass: After configuring faillock, the Proxmox Web GUI login behavior becomes erratic, sometimes...
  6. C

    live migration: ram_save_setup failed: Input/output error

    Thx for the hint. AllowTcpForwarding was set to no by a hardening script.
  7. M

    PDM install notes slightly askew

    ...on top of Debian that yields secure boot issues. Pretty much, if you perform a Debian install with custom partitioning with a nod to hardening compliance on partitions then install PBS, it breaks unless you revert to the Debian shim/grub. PBS doesn't (didn't?) force a custom kernel install but...
  8. W

    [ANN] bzfs 1.18.0 near real-time ZFS replication tool is out

    ...of snapshots, especially the timely pruning of snapshots (not just the timely creation and replication of the latest snapshots). Also added security hardening and running without ssh configuration files. Details are in the changelog: https://github.com/whoschek/bzfs/blob/main/CHANGELOG.md
  9. M

    Proxmox over WIFI (WLAN)

    ...ExecStart=/usr/local/bin/network-failover.sh
    StandardOutput=journal
    StandardError=journal
    SyslogIdentifier=network-failover
    # Security hardening
    PrivateTmp=yes
    NoNewPrivileges=false
    ProtectSystem=full
    ProtectHome=yes

    [Install]
    WantedBy=multi-user.target...
  10. P

    Windows Server 2025 → considering a migration to Proxmox VE

    ...Directory stack again. With Proxmox, I’m mainly looking for: - a minimal and stable hypervisor layer, independent from Windows patching, hardening and role changes - simple snapshot / rollback and bare-metal recovery workflows - a clearer separation between infrastructure services (AD / DNS /...
  11. P

    Windows Server 2025 → considering a migration to Proxmox VE

    ...services not starting after reboot (e.g. Defender) - Malfunctions in services relying on COM / DCOM (e.g. Active Image Protector) - Security hardening automatically applied by AD DS affecting applications not designed to run on a DC - System restore difficulties (drivers / storage) despite valid...
  12. P

    Proxmox VE 9.1.1 with only a single ipv4, trying to make a NAT v4 for my VM/LXC containers

    ...= 1
    net.ipv4.conf.all.log_martians = 1
    net.ipv4.conf.default.log_martians = 1
    net.ipv4.tcp_rfc1337 = 1
    # Kernel hardening
    kernel.randomize_va_space = 2
    kernel.kptr_restrict = 1
    fs.suid_dumpable = 0
    kernel.core_uses_pid = 1
    # Disable IPv6
    net.ipv6.conf.all.disable_ipv6 = 1...
  13. R

    CIS - Ensure SUID and SGID files are reviewed

    Hello, As part of Proxmox Hardening I need to review the below binaries and make sure that SUID or SGID permissions are required. These were listed by some Debian 13 hardening audit script (https://github.com/ovh/debian-cis/tree/master | 6.1.13_find_suid_files.sh & 6.1.14_find_sgid_files.sh)...
  14. H

    Security: recommendations for going prod with pve

    @doitright Hey! Just checking in. You mentioned you found my Proxmox hardening guide and planned to work through it. Also, thanks for sharing it in the thread. Did you end up implementing it (fully or partially)? If you did, I’d love to hear: - what worked well / what didn’t - anything that...
  15. H

    Proxmox server hardening document for compliance

    Hi y’all, I’ve updated my Proxmox hardening guide, it now includes PVE 9 and PBS 4, in addition to PVE 8 and PBS 3. It continues to extend the CIS Debian benchmark with Proxmox specific hardening tasks. Repo: https://github.com/HomeSecExplorer/Proxmox-Hardening-Guide A few controls are not...
  16. H

    Proxmox hardening - Proxmox iso vs Debian iso?

    Hi all, author of the hardening guide here. Thanks for bringing this up and sorry for seeing this post so late. Quick clarification, my guide is not saying you cannot or should not use the Proxmox ISO. Maybe I have to adjust the wording there more clearly? For most setups, the Proxmox ISO is...
  17. B

    Proxmox server hardening document for compliance

    Hello, We recently documented and automated a basic Proxmox VE 9.1 hardening baseline to support audit and compliance discussions. The repository focuses on: - Proxmox VE host-level hardening (management plane) - Minimal and graduated controls influenced by CIS Debian guidance and official...
  18. T

    Cyber Monitoring tools on ProxMox host?

    ...-> r:^640 root shadow$" compliance: - cis: "6.1.5" # ------------------------------------------------------------ # SSH HARDENING (PROXMOX-SAFE) # ------------------------------------------------------------ - id: 91020 title: Ensure SSH root login is disabled...
  19. P

    How to get multiply VLAN to work with Proxmox?

    ...easy access to other systems. It’s the same principle as using AppArmor, which confines applications to a defined set of resources via policy profiles to limit what files, capabilities, and system functions they can access. Overall, it’s about hardening both the network and application access.
  20. P

    Proxmox hardening - Proxmox iso vs Debian iso?

    This is most likely because, as far as I know, Proxmox is not designed for multi-tenancy, and it’s also not really supported in that sense, at least not multi-tenancy as VPS providers like Hetzner, DigitalOcean, or Linode implement it with full self-service portals, strict tenant isolation, etc...