security

A friend starting into using Proxmox asked me a question today which I didn't offhand know the answer to and couldn't find a definitive answer on here. How do you know the LXC templates are trustworthy? LXC containers (as in the templates pulled down from pveam), I'm guessing they're pulled...

Building proxmox box which will host 20+ VMs. Need to ensure that: 1. VMs cannot talk to hypervisor, but VMs can all reach the internet 2. VMs cannot talk to other VMs 3. VMs cannot read or write to other VMs 4. Need to ensure that VMs cannot read or write to hypervisor Purpose is to avoid...

Has anyone experimented with Falco driver in Proxmox / Linux kernel and using it to secure containers? Use Case: Running Falco on a Linux host or running Falco userspace program in a container, with a driver installed on the underlying host. https://falco.org/docs/getting-started/

Hi, After checking quite a few articles found here and on some other websites, it's still not clear for me how one can add custom IPTables rules for each VM. Checking the current host with just one VM at the moment I can see: -A tap100i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT -A...

I'm migrating from VMWare-ESX to Proxmox. Previously I managed to used Private vlan on vmware and enhanced security for my customers and also used /32 IP address per customer. now I am not able to find a solution for this case in Proxmox. cloud anyone guide, what they have done to increase L2...

Abend zusammen, Wie „sicher“ ist eigentlich PCI-Passthrough? Ich bin aktuell am überlegen folgende Konstellation zu bauen: 1 Host mit einer zusätzlichen Netzwerkkarte. Die Karte hat 2x 10G. Die beiden Ports sollen per PCI-Passthrough an eine Virtuelle OPNsense weiter gereicht werden. Hinter...

Hi, i got 2 questions to properly secure my data. The setup is one server running PVE an another server running PBS. All on premise. The VMs are stored on thin-provisioned LVMs that are encrypted using LUKS. The key is stored on a hardware token. I am really happy with that. Works great and...

Apr 03 10:19:59 pve sshd[12301]: Unable to negotiate with 61.**.1*2.174 port 60790: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1 [preauth] Apr 03 09:56:19 pve sshd[9035]: Unable to negotiate with...

Hi, seems like Dirty Pipe wasn't the only vulnerability keeping us busy this week. I got notified about these new Security Advisories from Debian: https://www.debian.org/security/2022/dsa-5095 https://www.debian.org/security/2022/dsa-5096 I know Proxmox uses a modified Ubuntu Kernel but I was...

Dear Proxmox Team as of today a new security issue was published which also affects the kernels available for proxmox 7. it is dubbed dirtypipe and seems to allow privilege escalations on affected systems. all details can be found here: https://dirtypipe.cm4all.com/ i checked on my proxmox...

i've just found this: https://pwning.systems/posts/escaping-containers-for-fun/ They simply set /proc/sys/kernel/core_pattern to execute user provided binary in host context by triggering coredump inside of privileged docker container. Can this be done with privileged CTs on proxmox? Or is...

Guten Abend zusammen, ich bin aktuell dabei mein neuen Proxmox Host einzurichten. Der Host steht bei einem Anbieter im Rechenzentrum. Ich habe leider aktuell keine Möglichkeit den Host hinter eine Firewall etc. zu hängen, und versuche den Zugriff auf den Host so gut wie möglich abzusichern...

This may end up being quite a loaded question but… What would be the best/easiest way to setup SSL/secure communication for the WHOLE server including all VMs and Containers? Is it possible to have local/LAN access ONLY, with remote access only available via a VPN/tunnel? Would it be possible...

Hi, I have a question regarding required mitigation measures against spectre / meltdown / ... on different levels, i.e. what is needed where. As I understand it, already the host OS - Debian contains mitigations according to lscpu output: Vulnerability Itlb multihit: Not affected...

Hallo zusammen, nach der Meldung einer Sicherheitslücke im Linux-Kernel haben wir bei uns alle Server gepatcht, jetzt ist allerdings unklar ab welcher Version der PVE Kernel nicht mehr verwundbar ist. Habt ihr dazu die Infos? Über Google konnte ich leider nichts finden... Unsere PMGs stehen...

Hallo zusammen, ich bin neu in der Welt Proxmox und somit auch neu hier im Forum. Ich bin zurzeit im 3 Lehrjahr in meiner Ausbildung zum Systemintegrator, und habe mir seit gut einem halben Jahr ein Server bei einem Hoster gemietet. Auf dem Server experimentiere ich einfach ein wenig rum...

Hi everyone. Can someone point me in the direction of a log that records logins to the PMG interface (Failed and successful). Hoping it also records the IP address of the login attempts. Thanks!!

Hello, is it possible to mirror the network traffic of 1 virtual port in proxmox without tc? vmbr0 --> 6 virtual ports (important ens33, ens18) i want to mirror ens33 to ens18 that the Security Onion can only see her traffic is that possible without tc because tc not working for me Greets

Hi, I just checked an external backup and found these weird file names on it. Some 'Chinese' relation? I'm not able to change them. I'm backing up the same files on two other different devices. They don't have the same issues. So is it a security issue or is it a device issue?

Hello all, I want deploy snort in my VE, but i wounder what is the beast approach to do that. First idea is deploy vm with snort or something similar like suricata, but the real problem is ... how to redirect all traffic from NIC, VE from/to snort. I imagine it like this: vmbrX <-->...