security

  1. magicfab

    [TUTORIAL] Setting up Proxmox VE OATH (TOTP) 2FA

    Hi, I've written a detailed How To for setting up OATH (TOTP) 2FA in Proxmox VE: https://pve.proxmox.com/wiki/OATH(TOTP)_Authentication Any feedback is welcome.
  2. K

    [SOLVED] Proxmox secure firewall?

    Loving Proxmox at the moment. I wondered how good the Proxmox built-in firewall was, in the sense of securing VMs/LXCs, compared to virtualizing something like pfSense as either a VM or LXC. I'd appreciate users' mileage on this one. I know that pfSense is a dedicated firewall application and so has...
  3. V

    Mirroring incoming/outgoing traffic to a ntopng (security analysis) VM on same node - best practices

    Hi, I'm setting up a single Proxmox node with multiple Windows VMs. The physical server has multiple onboard NICs (i.e. on the motherboard). I'd like to use ntopng to monitor all incoming/outgoing traffic from those Windows VMs. Ideally, I'd like to run a Linux instance with ntopng on the...
  4. L

    Wiki improvement: Web Interface via Nginx Proxy

    Hi, I propose that these lines are added to the article here in order to fix the boot order of the services. Otherwise nginx won't come up correctly after a reboot, because the certificate files are not available before the pve-cluster service has started. sed -i...
  5. H

    LXC: Disabled dmesg, syslog still sees kernel messages

    Hi! I put the syslog errno 1 line into the /usr/share/lxc/config/common.seccomp file and it does a perfect job preventing containers from seeing what's in dmesg: # dmesg dmesg: read kernel buffer failed: Operation not permitted but I recently found that the kernel messages are getting to syslog, so...
  6. hakim

    How to mitigate the impact of a compromised cluster node ?

    Hi, in a cluster every node can access each other with root privileges. Therefore, if one node gets compromised, all others are also compromised. Is there a way to mitigate the impact of a compromised cluster node on the other nodes? A way to maybe only give an elevation of privilege to the...
  7. onlime

    Ping with unprivileged user in LXC container / Linux capabilities

    On Proxmox VE 5.1, inside an LXC container, I cannot ping as an unprivileged user. It gives me the following error: $ ping google.ch ping: socket: Operation not permitted On the host node itself I can ping as both an unprivileged user and root, but inside an LXC container only as root. The...
  8. Y

    Question about containers and "Unprivileged"

    Hello, a question on the topic of "Unprivileged Container". With an unprivileged container the UIDs are remapped in order to increase security. That means if someone breaks out of the container, they are "only" operating with user rights. So far so good. But if I now have several containers...
  9. D

    Two Factor Authentication For Proxmox

    Hi everybody, I'm trying to add two-factor authentication for the Proxmox login for extra security. I'm having a hard time finding a tutorial and the documentation is not very clear. Can anyone help me set it up?
  10. BelCloud

    QEMU update. reboot?

    Hello, I've seen some vulnerabilities in qemu-kvm that were recently patched, for example CVE-2017-7980. In the Red Hat announcements, I saw they require a stop of all VMs for the update to take effect. Do we need to follow the same procedure when Proxmox updates QEMU? Or is it patched in...
  11. M

    Critical security bug in NoVNC console

    Today, I was editing a product in WHMCS, and by "mistake" I saved the order with the "Server:" selected as another node than it should really be. What happened after was horrible, because the user opened his console, and he was connected to another VM on another NODE, seeing the whole...
  12. M

    Suricata IDS not getting external requests

    Hello, I managed to correctly configure the firewall with Proxmox 4.4 and its integration with Suricata (using this wiki page: https://pve.proxmox.com/wiki/Firewall#_tips_and_tricks). I enabled the HTTP log in Suricata, but I only see inter-VM communications, and not the incoming requests...
  13. G

    SSH TFA blocks console

    Hello everyone, I have the following problem: I use TFA with OTPs both in the web GUI and for SSH. I then noticed that access to the VM console no longer works when it is located on a different server. That means I am logged in on server 1 and want to...
  14. A

    containers displaying all storage on host

    I've been playing with containers on my lab cluster, and I noticed that containers can see ALL storage attached to the host by simply checking lsblk, with either privileged or unprivileged containers. Is this the correct behavior? If so, how can I go about masking the host's storage from the...
  15. Y

    Suricata Testing

    Hello, I'm testing Suricata as IDS (not IPS). I have installed all the stuff and I have configured a single Debian LXC VPS with LAMP. How can I test if Suricata works? I have tested a query string on the VPS like this...
  16. M

    Ways to pass a user Authentication token??

    .no.help.here. (EDIT)
  17. onlime

    CVE-2016-5195 Dirty COW

    Can you give us a time frame for when kernel 4.4.19-1-pve (latest available AFAIK) is going to be patched for CVE-2016-5195 / Dirty COW?
  18. M

    LXC privilege level?

    I'm up and running with PVE v4.1, and I rather like it so far. However, I ran into a little security snag with LXC today, and that made me start to dig a bit more into LXC security, but first the problem that triggered it all. The problem is that you can view the complete output of the host...
  19. Y

    Security Problem server Violated

    Hello, I have several servers violated, root escalation. Some details: ---------------------------------------------------------------- root@prx:/home/enrico# lsof -p 361304 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME 503 361304 root cwd DIR 0,25 4096...
  20. JonathanB19

    Warning about public portmapper on PVE host

    Sorry if this has been mentioned before, but I can't initially find anything. Just got a warning from my ISP about this: The folks at the Shadowserver security group are reporting open portmapper hosts to us; these need to get fixed as they can be used in amplification denial-of-service attacks...