security

Hi, I've written a detailed How To for setting up OATH (TOTP) 2FA in Proxmox VE: https://pve.proxmox.com/wiki/OATH(TOTP)_Authentication Any feedback is welcome.

Loving Proxmox at the moment. I wondered how good the Proxmox built in firewall was in a securing VMs/LXcs sense compared to virtualizing something like pfSense as either a VM or LXC. I'd appreciate users mileage on this one. I know that pfSense is a dedicated firewall application and so has...

Hi, I'm setting up a single Proxmox node with multiple Windows VMs. The physical server has multiple onboard NICs (i.e. on the motherboard). I'd like to use ntopng to monitor all incoming/outgoing traffic from those Windows VMs. Ideally, I'd like to run a Linux instance with ntopng on the...

Hi, I propose that these lines are added to the article here in order to fix the boot order of the services. Otherwise nginx won't come up correctly after reboot because the certificate files are not available before pve-cluster service was started. sed -i...

Hi! I put syslog errno 1 line into the /usr/share/lxc/config/common.seccomp file and it does perfect job preventing containers to see what's in dmesg: # dmesg dmesg: read kernel buffer failed: Operation not permitted but i had recently found, that the kernel messages are getting to syslog, so...

Hi, In a cluster, every nodes can access each other with root privileges. Therefore, if one node get compromised all other are also compromised. Is there a way to mitigate the impact of a compromised cluster node on the other nodes ? A way to maybe only give an elevation of privilege to the...

On Proxmox VE 5.1, inside an LXC container, I cannot ping with unprivileged user. It gives me the following error: $ ping google.ch ping: socket: Operation not permitted On the hostnode itself I can ping with both unprivileged user and root, but inside an LXC container only as root. The...

Hallo, eine Frage zu dem Thema "Unprivileged Container". Bei einem Unpriviligiertem Container werden ja die UID umgemappt, um die Sicherheit zu erhöhen. Damit ist wenn jemand aus dem Container ausbricht, er "nur" mit Nutzerrechten unterwegs. So weit so gut. Wenn ich aber nun mehrere Container...

Hi everybody, I'm trying to add two factor authentication for the proxmox login for extra security. I having hard time finding a tutorial and the documentation is not very clear. Anyone Can help me set it up ?

Hello I've seen some vulnerabilities in qemu-kvm, that were recently patched. For ex, CVE-2017-7980 In the redhat announcements, i saw they require a stop of all VMs for the update to take effect. Do we need to follow the same procedure when proxmox updates the qemu? Or it's patched in...

Today, I was editing a product in WHMCS, and by "mistake" I saved the order with the "Server:" selected as another node, that it should really be. What happened after was horrible, because the user opened his console, and the was connected to another VM on another NODE, seeing the whole...

Hello, I managed to correctly configure the firewall with Proxmox 4.4 and its integration with Suricata (using this wiki page : https://pve.proxmox.com/wiki/Firewall#_tips_and_tricks). I enabled the HTTP log in Suricata, but I only see inter-vm communications, and not the incoming requests...

Hallo zusammen, ich habe folgendes Problem: Ich nutze eine TFA mit OTPs sowohl in der Webgui als auch für SSH. Mir ist dann aufgefallen, dass der Zugriff auf die VM Console nicht mehr funktioniert, wenn diese auf einem anderen Server liegt. Heißt ich bin auf Server 1 angemeldet und möchte auf...

I've been playing with containers on my lab cluster, and I noticed that containers can see ALL storage attached to the host by simply checking lsblk, either with priviledged or unpriviledged containers. Is this the correct behavior? if so, how can I go about masking the host's storage from the...

Hello, i'm testing Suricata as IDS (not IPS).... i have installed all the stuff and i have configured a single VPS debian LXC with LAMP. How can i test if suricata works ? I have tested a query string on the VPS like this...

.no.help.here. (EDIT)

Can you give us a time frame when kernel 4.4.19-1-pve (latest available AFAIK) is going to be patched for CVE-2016-5195 / Dirty COW ?

I'm up and running with PVE v4.1, and I rather like it so far. However, I ran into a little security snag with LXC today, and that made med start to dig a bit more into LXC security, but first the problem that triggered it all. The problem is that you can view the complete output of the host...

Hello, i have several server violated, root escaletion. Some details: ---------------------------------------------------------------- root@prx:/home/enrico# lsof -p 361304 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME 503 361304 root cwd DIR 0,25 4096...

Sorry if this has been mentioned before but I can't initially find anything. Just got a warning from my ISP about this: The folks at shadowserver security group are reporting open portmapper hosts to us, these need to get fixed as they can be used in amplification denial of service attacks...