security

  1. Presale network question (advanced)

    Dear colleagues, We have been using different virtualization solutions for over a decade. We have used XEN (the open-source project) on Debian since 2018. It is time to move to KVM, and we are considering switching to PVE, too. We have built much automation over the years, especially with...
  2. Ceph Restful permissions and security concerns

    Hello, I recently configured Ceph supervision with Zabbix. To make the supervision work, I applied the following permissions on each mgr: ceph auth caps $mgr mds 'allow *' mon 'allow *' osd 'allow *' However, I'm concerned about the excessive permissions. Should I be worried about the...
  3. [TUTORIAL] What is the best way to encrypt the disks

    Hi, I've googled around a bit on how to get a fully encrypted system with 4 disks but haven't come up with anything. What would you have done? I want it so that the system decrypts itself every time the server boots using a file on a USB stick; it would be great if you only need to have the stick...
  4. Setting HTTPS headers

    Hi all, Proxmox has been pulled up on our internal pen test for not having security headers set on the web interface, making the application vulnerable to clickjacking. As such, what file needs adjusting to add and set X-Frame-Options and Content-Security-Policy response headers?
  5. Question about LXC and security

    Hi, I plan to install some internet-facing services on LXC, and I'm reviewing the security. The scenario is the worst case: the attacker has RCE with root privileges on the LXC. Will he be contained there? The LXC is of course unprivileged. I'm not considering any 0-days of the kernel/OS...
  6. debsecan support for Proxmox packages?

    Hello, not really a Proxmox issue and maybe v7 only. I have a Debian/Proxmox setup on which I have debsecan making daily reports of packages that are vulnerable/fixed/can be patched. Example partial output, but those are patched; it's just that the patchset ended with proxmox (+pmx) and not debian...
  7. Insecure LXC templates download

    Currently, the LXC templates are downloaded from http://download.proxmox.com, which is also used as the domain for the Proxmox Debian repository. It was already reported that the domain has an invalid SSL certificate, which the Proxmox staff said was not a big concern as the Debian packages...
  8. Restricting group access to specific resources on specific VM in cluster

    I am trying to restrict a group of users to specific resources on a specific host in our cluster. I have used a resource pool to limit VM and storage access and other permissions to restrict network access. This seems to work well except that they can create VMs on other hosts in the cluster...
  9. SSL Dheat attack vulnerability CVE-2002-20001

    In our security scan of Backup Server 3.2-3 we got back that there is an issue on port 8007. It detects CVE-2002-20001. The vulnerability is based on the following retrieved information from 8007/TCP: Vulnerable cipher suites with DhKeyExchange algorithms supported by the server...
  10. Need guidelines for securing Proxmox

    Installed Proxmox 8.x on a mini PC with 8 physical NICs for home use. Created a VM and installed OPNsense. Configured vmbrs so LAN, WiFi, streaming devices and IoT devices are on a separate network. Created a rule in the Proxmox firewall for 8006, 22 so only a specific PC can connect to the...
  11. Unrecognized traffic 169.254.169.254:80 TCP:S

    Hello, I have been using Proxmox for about a year now and I am trying to improve the security of my cluster, treating all traffic as a problem until proven otherwise. The Block IPv4 link-local (1000000102) rule on my pfSense firewall keeps blocking traffic from my Proxmox VMs coming out of the cluster...
  12. How secure are Proxmox network bridge interfaces

    Hello everyone, I am currently planning to build a malware analysis platform. It is to run in a total of 2 VMs on my production Proxmox hypervisor. (Yes, I know this is not ideal, but in a small home environment there is unfortunately no other way.) The 2 machines are supposed to, among themselves, ...
  13. Should an official Proxmox "Hardening" wiki page be created?

    As a general thought, I'm wondering if an official Proxmox Hardening wiki page would be useful? Maybe placed here or similar: https://pve.proxmox.com/wiki/Hardening Asking because hardening a server (or cluster thereof) isn't rocket science, but it seems to be under-documented apart from various...
  14. A small script for connecting to SPICE client via ssh tunnel

    I'm currently working out the process of hardening a two-node Proxmox cluster for internet-facing deployment. As part of that I'm moving all ports (other than ssh) to internal network interfaces that aren't publicly accessible. ssh will have its own security configuration, not covered here...
  15. authorized_keys file has unknown keys

    Hi, today I looked through /root/.ssh/authorized_keys and there were 3 keys: 1) ssh-rsa from root@pve 2) ssh-rsa from my desktop (from where I usually manage Proxmox) 3) ssh-ed25519 from u0_a129@localhost Now, I recognize the 2nd key, but what about the 1st and 3rd keys? I read somewhere that...
  16. Security Updates

    Hello everyone, I'm trying to learn about proper security procedure with Proxmox. On my current server: root@server:~# hostnamectl Operating System: Debian GNU/Linux 12 (bookworm) Kernel: Linux 6.2.16-8-pve Architecture: x86-64 It seems 6.2.16 had gone EOL one year...
  17. Proxmox + PBS security issues

    Scenario: - One machine with Proxmox - Second machine with PBS. VMs on the Proxmox machine are DELETED, all the VM data is wiped. After that, the Proxmox machine is physically compromised. What to expect: no data leak. What actually happens: - PBS encryption key is available in /etc/pve on the...
  18. rpcbind

    In one of our (lazy, infrequent) security scans we stumbled upon a running rpcbind. It seems that it was installed around 8.0.4. Trying to remove it tells us that pve depends on it: The following packages will be REMOVED: libpve-guest-common-perl* libpve-storage-perl* nfs-common* proxmox-ve*...
  19. Why is QDevice setup by PVE backwards?

    The pvecm qdevice setup requires an ssh connection to the QD, which is not there for "casting votes". As QDs are meant to be run externally, why is this not the other (natural) way around, i.e. generating a script for one to execute on the QD, possibly providing the feature (as a perk) by calling...
  20. Optimal home network topology with Proxmox

    Dear all, I am trying to build a home server where I want to run a few services, such as Nextcloud, as LXC containers. I am relatively new to networking and before posting here I have read several pieces of documentation. Nevertheless, I still have doubts regarding the best setup for my use case...