security

  1. how to secure proxmox installation

    Hi all, So I have a proxmox cluster at home and I would like to make its installation more secure. I put the proxmox cluster in a DMZ, and have the Office network behind another firewall using NAT. What would be the best way to allow the access to the proxmox cluster resources securely and only...
  2. New proxmox deploy - is this way to go with disks?

    Hey guys, I am building my first production Proxmox - not my first virt mind you, but costs are astronomical with 'other' virtualization options. Anyway. I have specific needs and specific setup - regarding the setup, lets leave that. My question is this - from your experience - is this...
  3. Hundreds of usernames, IP addresses, and ports in the Syslog

    We are currently setting up our servers. I recently checked the Syslog and see several hundred usernames, IP addresses and ports. Is this normal?
  4. Proxmox behind Virtual-FW and DMZ-Zone

    Hi all, As of today I'm running some Raspberry Pi's at home providing some services (nextcloud, mailserver etc.) for me and a few friends(we're running a "art/draw club"). Since I was able to get an old workstation from work and I didn't really cared about security back when I was setting the...
  5. Gaia

    [SOLVED] RKhunter /dev warnings

    On PVE 6, I've installed rkhunter and ran --propudp, but it sends me every day: Warning: Suspicious file types found in /dev: /dev/shm/qb-1800-10101-29-di6DkD/qb-event-pve2-data: Hitachi SH big-endian COFF object file, not stripped, 0 section...
  6. Gaia

    QEMU VM Escape (CVE-2019-14378)

    I understand the problem is deeper down the stack, but is there anything we can do mitigate this vuln? https://blog.bi0s.in/2019/08/24/Pwn/VM-Escape/2019-07-29-qemu-vm-escape-cve-2019-14378/
  7. Proxmox on remote server: security best practices?

    Hi, I'm considering switching my current 'cloud' VPS setup to a dedicated server (e.g. Hetzner) with Proxmox running 2-3 VMs. Currently I'm only running Proxmox in my homelab, which works great but obviously has other security requirements than a remote setup. Are there any pointers to best...
  8. V5.4 : does qm vncproxy not support VeNCrypt/X509Plain anymore ?

    Hi, For some reasons irrelevant to explain, I used to connect to VMs with an external VNC Viewer (TigerVNC), by setting up inetd.conf on the server. Until PVE 5.1 everything worked fine. I just set up a 5.4 server, and now vncviewer only prompts for password, not for username. It seems PVE...
  9. Logs in proxmox node

    Hi, For traceability reasons, I would like to retrieve the security events of the the creation, modification and deletion of users. The same goes for firewall rules. Do you know if it is possible to make the logs more verbose on these two points? Thanks,
  10. U2F Key Integration and Backup Codes

    Hello everyone, I have used the Microsoft Authenticator for quiet a long time. Now I've purchased a U2F-Key, because I don't want to have to go to the other side of the room to grab my phone, unlock it, open Authenticator, log in again, read the code and type it in. Also I want to be able to...
  11. magicfab

    [TUTORIAL] Setting up Proxmox VE OATH (TOTP) 2FA

    Hi, I've written a detailed How To for setting up OATH (TOTP) 2FA in Proxmox VE: https://pve.proxmox.com/wiki/OATH(TOTP)_Authentication Any feedback is welcome.
  12. [SOLVED] Proxmox secure firewall?

    Loving Proxmox at the moment. I wondered how good the Proxmox built in firewall was in a securing VMs/LXcs sense compared to virtualizing something like pfSense as either a VM or LXC. I'd appreciate users mileage on this one. I know that pfSense is a dedicated firewall application and so has...
  13. Mirroring incoming/outgoing traffic to a ntopng (security analysis) VM on same node - best practices

    Hi, I'm setting up a single Proxmox node with multiple Windows VMs. The physical server has multiple onboard NICs (i.e. on the motherboard). I'd like to use ntopng to monitor all incoming/outgoing traffic from those Windows VMs. Ideally, I'd like to run a Linux instance with ntopng on the...
  14. Wiki improvement: Web Interface via Nginx Proxy

    Hi, I propose that these lines are added to the article here in order to fix the boot order of the services. Otherwise nginx won't come up correctly after reboot because the certificate files are not available before pve-cluster service was started. sed -i...
  15. LXC: Disabled dmesg, syslog still sees kernel messages

    Hi! I put syslog errno 1 line into the /usr/share/lxc/config/common.seccomp file and it does perfect job preventing containers to see what's in dmesg: # dmesg dmesg: read kernel buffer failed: Operation not permitted but i had recently found, that the kernel messages are getting to syslog, so...
  16. hakim

    How to mitigate the impact of a compromised cluster node ?

    Hi, In a cluster, every nodes can access each other with root privileges. Therefore, if one node get compromised all other are also compromised. Is there a way to mitigate the impact of a compromised cluster node on the other nodes ? A way to maybe only give an elevation of privilege to the...
  17. onlime

    Ping with unprivileged user in LXC container / Linux capabilities

    On Proxmox VE 5.1, inside an LXC container, I cannot ping with unprivileged user. It gives me the following error: $ ping google.ch ping: socket: Operation not permitted On the hostnode itself I can ping with both unprivileged user and root, but inside an LXC container only as root. The...
  18. Frage zu Container und "Unprivileged"

    Hallo, eine Frage zu dem Thema "Unprivileged Container". Bei einem Unpriviligiertem Container werden ja die UID umgemappt, um die Sicherheit zu erhöhen. Damit ist wenn jemand aus dem Container ausbricht, er "nur" mit Nutzerrechten unterwegs. So weit so gut. Wenn ich aber nun mehrere Container...
  19. Two Factor Authentication For Proxmox

    Hi everybody, I'm trying to add two factor authentication for the proxmox login for extra security. I having hard time finding a tutorial and the documentation is not very clear. Anyone Can help me set it up ?
  20. BelCloud

    QEMU update. reboot?

    Hello I've seen some vulnerabilities in qemu-kvm, that were recently patched. For ex, CVE-2017-7980 In the redhat announcements, i saw they require a stop of all VMs for the update to take effect. Do we need to follow the same procedure when proxmox updates the qemu? Or it's patched in...

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE and Proxmox Mail Gateway. We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!