Search results for query: hardening

  1. LnxBil

    Proxmox server hardening document for compliance

    ...admin users that can use sudo? Is this all done manually? Maybe add TOTP to local admin users, too Restrict SSH even more, e.g. via this hardening guide. SSH only from management lan via SSH config or via Firewall? This is not very clear in the document. SIEM is good, but AFAIK there is no...
  2. H

    Is hardening enough?

    A real quick question guys. I have a few containers exposed and I want to be able to protect them as best as I can. At the gateway is NPM and then LXC and VMs. So is hardening the Proxmox firewall sufficient or is it recommended to have something between the NPM and the containers?
  3. D

    UEFI PXE Boot Issues After Upgrading from Proxmox VE 8.3.4 to 8.3.5

    Hello, I need boot order has working in mode EFI for a mode deployment OS with automation by WDS full. For post-installation, I was required to switch boot order Net by Disk. Required fix please.
  4. P

    [SOLVED] Question - Update from debian, an old bug ?

    ...v4 and add repack options. * d/copyright: Convert to machine-readable format, adding missing info. Closes: #1024602. * Enable all hardening flags (Christian Göttsche). Closes: #1021082. * Fix build on musl (Helmut Grohne). Closes: #1023053. -- Matthias Klose <doko@debian.org>...
  5. H

    Upgrade from 8.3 to 8.4 server no longer boots

    ...without quiet. System hangs at loading initial ramdisk image, eventually continuing the boot process. So far three servers with the same configuration have this issue. I'm going to try a 4th DL360, but it is not in the same cluster and is configured differently with no extra hardening applied.
  6. D

    UEFI PXE Boot Issues After Upgrading from Proxmox VE 8.3.4 to 8.3.5

    I know, but even if you have an EFI disk present which doesn't have secureboot enabled, the PXE option is still gone.
  7. fabian

    UEFI PXE Boot Issues After Upgrading from Proxmox VE 8.3.4 to 8.3.5

    that will disable secureboot, which is the precondition for a lot of those hardening measures.
  8. D

    UEFI PXE Boot Issues After Upgrading from Proxmox VE 8.3.4 to 8.3.5

    I can also confirm that you'll get the PXE option back without having an RNG device if there's no EFI disk present at all. Just remove your EFI disk and the option will be back, this makes the so-called "hardening" measure even more nonsense to me.
  9. B

    UEFI PXE Boot Issues After Upgrading from Proxmox VE 8.3.4 to 8.3.5

    ...and here I thought it was just me. ;) Me too! (I've been running PVE for almost two weeks, haven't a clue what VirtIO RNG even is yet.) I have no idea what that means, but thank you for the explanation!
  10. T

    UEFI PXE Boot Issues After Upgrading from Proxmox VE 8.3.4 to 8.3.5

    I've just created a new VM, and the VirtIO RNG is not automatically added. Would it be better to add it automatically when a new VM is created? I think some people will be surprised that their VMs can no longer PXE boot :(
  11. fabian

    UEFI PXE Boot Issues After Upgrading from Proxmox VE 8.3.4 to 8.3.5

    because EDKII implemented a security hardening measure that means network booting requires a source of entropy, if none is found network booting is disabled.
  12. I

    [SOLVED] Proxmox and OPNsense - Network speed issue

    I love you man !!! This solved the issue I've been fighting against for the past 2 days....
  13. LnxBil

    Working on hardening Proxmox hosts - looking for advice regarding some findings

    I would also be interested in the results of this CIS hardening. As you've already said ... why would adding another insecure ring of encryption help in this case? Having the encrypted data AND the key to decrypt it on the same machine does not make the system more secure. Can you try to...
  14. T

    Guidance on hardening/disabling SSH

    I'm currently hardening my environment, and my current task is SSH. Looking at my single VE node, I see that SSH is enabled. After a quick search, it seems SSH may be required for VE operations. I use only the web interface, I never SSH into VE. VE is not in a cluster, although that could change...
  15. fba

    pveproxy - is disabling tls or moving its port possible?

    ...put it in direct connection to the internet without additional protection, you will need to reconfigure it to gain a reasonable level of security. If you want some common practice ideas, look here...
  16. J

    Ideas for getting started with Proxmox

    ...by the way, you can lock down services even further, even if they don't run as containers: https://github.com/alegrey91/systemd-service-hardening https://www.linux-magazin.de/ausgaben/2021/11/systemd-analyze/ But before securing services, you should first make sure that only the stuff from...
  17. J

    Ideas for getting started with Proxmox

    ...this looks (just saw it for the first time) very detailed (exhaustive ;) ): https://trimstray.github.io/the-practical-linux-hardening-guide/ (1) AppArmor is easier to handle, SELinux is more developed on Redhat systems, you can only use one of the two, but also back and...
  18. L

    Question about LXC and security

    ...for example, that from the LXC lsblk shows me all PVE disks or that netdata shows all IO rates and much more. Is there any additional hardening steps to safeguard the PVE host? what are the risks for the host and the other VMs/LXC Is VM is the better/only way to go? Thoughts and prayers...
  19. D

    Proxmox Built in Secret Manager

    ...deploying on and then applies these steps to the VM during the build. For the most part, these configurations include basic tasks like hardening the VM and installing Docker. However, I’ve encountered scenarios where I need to include secrets in the configuration for more complex...
  20. J

    Small Cloud Cluster design and strategy

    You would still need a solution for an offsite backup in case your datacenter ends up in fire like the OVH one in Straßburg. PBS allows to sync between PBS so that would be the road I would go (e.g. via a small server in your office)