security

  1. M

    How are you handling secure access to internal applications across sites?

    We're reviewing our Proxmox setup and trying to improve how a few internal applications are accessed from different office locations. One of them is Vertex-HCM, an attendance management system our HR team uses daily, and we're currently deciding whether everything should stay behind a VPN or if...
  2. L

    Ransomware protection best practices

    I am reviewing ransomware protection best practices for a Proxmox VE environment. This may come across as a very broad question, but I would appreciate some pointers on what is considered common practice in this area. Specifically, I would be grateful if you could share any references to...
  3. L

    Use of AIDE, Tripwire on Proxmox VE nodes

    Hello everyone, I am reviewing log and file integrity monitoring options for Proxmox VE hosts, especially for detecting possible tampering with system logs or important configuration files. We are considering standard file integrity monitoring tools such as AIDE or Tripwire. We understand that...
  4. L

    Clarification on Web UI session timeout / idle timeout behavior

    Hello everyone, We are currently reviewing Proxmox VE from an operational/security perspective, and would like to confirm the current behavior of Web UI sessions. Specifically, does Proxmox VE provide any built-in functionality to automatically terminate or log out a Web UI session after a...
  5. X

    Dirty Frag: Universal Linux LPE - proxmox vulnerable (in the wild already)

    See: https://github.com/V4bel/dirtyfrag/tree/master (patch is included) Proof: https://github.com/V4bel/dirtyfrag/issues/11#issue-4402742566 TLDR: Anyone with ssh access to your proxmox servers can become root. I have reported this to security@proxmox.com but since this is in the wild now...
  6. F

    Proxmox + Tailscale: convenient remote access, but what about blast radius?

    Proxmox + Tailscale: convenient remote access, but what about blast radius? Tailscale is a very convenient way to reach a Proxmox host or VM from outside without opening inbound ports. That part is great. But I think there is an easy design mistake here: making remote access easy does not...
  7. H

    Geo IP block help

    Hi all, Currently running a 3 node cluster with version 8.2.4; from what I can see it's running iptables and not nftables. We wish to lock down our individual nodes or a cluster as a whole using GeoIP rule IPsets, and using the GUI for this is not an option (We are using the cluster/Node/VM built...
  8. Z

    I want nothing more than encrypted push sync

    I currently run a Proxmox PVE and PBS in my home environment, both on their own physical machines. While this is great for the mandatory on-site backup, it doesn't help with natural disasters and such, so I really want to add an off-site solution. Luckily, my parents just got really fast fiber...
  9. P

    [SOLVED] How to "isolate" PBS from PVE - security best practices ...

    Hi, I have a question: How to best secure PBS backup? I can do a lot of things, separated VLANs for storage, firewall rules, but if someone hacks the root of the PVE, which has a PBS mounted, then we have a problem. An attacker can read storage.cfg and storage.pw and use them for the connection to PBS...
  10. J

    Small web UI to start/stop VMs/LXCs via Proxmox API

    Hello everyone, I wanted a lightweight UI accessible from anywhere to start/stop resources from my phone without exposing the Proxmox UI on the internet. I couldn’t find anything that already existed for this use case, so I built my own. In my setup, access security is handled with Cloudflare...
  11. M

    Need (desperately) support for access control groups when using OpenID auth

    With Proxmox VE, logins using OpenID include a group claim, the values of which can be added to permissions so that anyone authenticating with that same group claim will get the permissions indicated. With Proxmox Backup Server, any user logging in using OpenID will have their username created...
  12. G

    Why does proxmox-ve have a dependency on samba-common?

    During a package audit, I noticed that several Samba-related packages — including samba-common, samba-common-bin, smbclient, and supporting libraries — are installed by default. When I ran a dry-run purge to see what would happen, APT reported that removing `samba-common` would also remove...
  13. B

    Proxmox repo download.proxmox.com

    Can I ask why the No-Subscription and Test repo is only http? The site (download.proxmox.com) responds to https traffic already. Ok, the certificate is not valid (altname missing) and the content differs from the http endpoint, but would it not be safer to host it with https, and seems easy to...
  14. P

    How to create different security mappings for different containers on the host?

    TL;DR How can I map the first user of each container to a different user in the host? My understanding is that the first user of each container is 1000 and it maps to a user 101000 in the host but, if I grant permissions to user 101000 on a host resource, both users on the two containers would...
  15. F

    Login via WebAuthn no longer works with Firefox with a "self-signed" certificate

    Hello everyone, I am a Firefox Beta user and have found an interesting problem. My server uses WebAuthn as a second factor and worked flawlessly until recently. Recently, however, I have been unable to log in with the browser, without my having made any changes to the...
  16. V

    HTTPS not available for non-sub package repo

    Hi I have noticed that the package repo for non-subscription use does not offer HTTPS. At least not with a valid certificate. The documentation says to use deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription which works fine, but does not offer HTTPS. Are there any plans to...
  17. R

    Will updating Python on Proxmox compromise the system? [CVE-2025-4517]

    Hello everyone, https://cti.wazuh.com/vulnerabilities/cves/CVE-2025-4517 I'm following the CVE-2025-4517 vulnerability that affects the Python tarfile module (especially since Python 3.12) and I have an important question: The vulnerability has been fixed in the most recent versions of...
  18. P

    Paranoid security configuration

    I have high security applications, which I want to run on Proxmox. There was a security incident before, when an attacker could gain root access on the host OS. I have no information about how it was done, but I want to minimize the chances. I want to keep the host disconnected from the internet and connect...
  19. C

    Disabling root GUI access

    How to disable root GUI access for Proxmox? I know we can disable the whole of root, but if I am not wrong, nodes use root to communicate with each other.
  20. L

    Is it possible to block live snapshot rollback?

    Hello, I've been using Proxmox for several years and always made it a rule to never roll back to a snapshot on a container that is running because it caused me and some colleagues big issues in the past. Now I was wondering, as it is an issue that can often appear, is there a way to block the...