Search results for query: hardening

Thank you for the suggestion. I did not think of it. PBS would also be a much needed solution for backing up the cluster. I could order a second public IP to assign directly to my *sense VM. Now I just need to think about hardening security for hypervisor itself.

Hello Proxmox Community & Team, I am working through making a hardened baseline for my teams Proxmox deployment, loosely following CIS Lvl1/2 and DISA STIG requirements for Linux operating systems. I have made good progress, and have built out a hardened PVE cluster successfully that has...

Sure, I am just brainstorming. The difference between a compact FAQ and a broader knowledge base with snippets about all kinds of topics may be defined hard or soft. Yes. Again and again... Huh? I really do believe staff is appreciating your - and of several others of course - contributions...

Well I don't really mean something like hardening since it's difficult to give generic advice for stuff which lies in the end in the responsibility of the administrator or software architect. To quote myself: The reason I started this thread, that today I saw two or three threads on the same...

...are absolutely right. While there is the very fine reference documentation and the official wiki we just have no user-contributable “FAQ / Hardening / Best practice” documentation. The "natural" place would be the wiki under pve|pmg|pbs.proxmox.com, but probably that should really be left for...

Hi All, I have a question about pve vm migration. As my company have to take security hardening control on the PVE host. The PermitRootLogin setting in file '/etc/ssh/sshd_config' must set to 'no'. By defafult, when pve doing vm migration, the root account will ssh to the target pve host then...

I found the solution! The issue was caused by a hardening setting I had applied, which modified the umask in /etc/bash.bashrc to 027 instead of the default 022. This stricter umask was setting more restrictive permissions during certain operations. After reverting the umask back to 022, the...

Server still runs, but we are on only one server where Hardening is done.... long term prototype....

@itNGO , i also went for hardening with CIS Benchmark Debian 11/12, also Benchmarked with Wazuh (sad that there is only the .yaml for the Family Linux). What is your experience? Did you get errors or problems ? I do have about ~75% Score (no FW Settings right now, some are also false...

...know or don't care about this and thus use still the less secure defaults. A sysadmin however can use systemd overrides, for additional hardening but he will have do do thorough testing to make sure that everything still works. Coming back to proxmox: Propably proxmox services could also be...

This is NOT off-topic in the sense that people were asked to work for free (not by you, but in this thread) and then we got into the logic of supporting something else that supposedly provides other guarantees, but enterprise not switching over because features are missing. I simply quoted...

...with the part that hardened our TFA implementation became: https://bugzilla.proxmox.com/show_bug.cgi?id=4584 which is fixed and updated. The second one is a mere enhancement with more question open and a mediocre ROI, especially after the hardening was implemented, so it was put on the back...

No: https://forum.proxmox.com/threads/should-an-official-proxmox-hardening-wiki-page-be-created.148732

Yes my understanding on security hardening is very limited, otherwise I would not be asking these questions ;). But yess you are right you need 3 nodes ideally. However, I would like a system that when the servers at my house are down for reason x (e.g fire, power outage, hardware failure)...

What kind of connection and routing will that have? But we may give a piece of advice on this forum to have the OP e.g. run this entirely within VPN only accessed segment. :) So that this is not really a problem. I am not sure what you are attempting to achieve still. Maybe after you...

True. But the general security hardening of the average Joe's home server doesn't come anywhere near to the enterprise solutions. I must be honest here, looking at the OP's post - I'm not sure how much he knows about security hardening at all. So just setup a PBS instance on both servers, & use...

Hi all, I'm experiencing this same issue. (still new at Hypervisors so sorry if I misspeak) Running on an unprivileged container, tried with both nesting on and off, opening the console is blank until you wait like a few minutes, then the login message comes up and works perfectly fine. I've...

...systemd-logind.service files between Deb12 and Ubuntu 24.4. In both ProtectControlGroup=yes is set by default - one distribution is working and the other not. So both are applying the hardening with different results. The test containers are both running as unprivileged, unnested for isolation.

What about privileged containers though?

As a hardening measure, systemd tries to setup namespaces. In the instance of the Debian LXC template, it seems that setting ProtectControlGroups= to no in /lib/systemd/system/systemd-logind.service lets the systemd-logind.service start successfully. Another way to work around this is to enable...