are there security best practices?

lralvarez

New Member
Apr 8, 2021
1
0
1
41
Hi, everyone

Im from mexico, im searching for best practices for hardening my proxmox installation.

Can you help me?
 

Dunuin

Famous Member
Jun 30, 2020
6,761
1,571
149
Germany
Fail2ban, RSA keys for SSH, 2FA or VPN would be a good start for securing your SSH/webUI. Enabling unattended security updates also might be useful. For your guests it might be good idea to put them behind a OPNsense/pfsense with IDS/IPS in one or multiple DMZs. In addition to that you should enable the firewall for each guest/node using the PVE webUI and set it up as strict as possible. Then you might want to upgrade your BIOS for the microcode updates and set the CPU flags for your VMs for the spectre/meltdown fixes.
Make sure your BMS isn't accessible.
Use a Proxmox Backup Server and snapshots against ransomware. Dont use privileged LXCs and prefer VMs over unprivileged LXC for better isolation. Use monitoring/logging tools like zabbix/graylog/aida to scan your metrics/logs for suspicius activities.
Get a subscription for the access to the enterprise repo.
...and hundreds of other things
 
Last edited:
  • Like
Reactions: lralvarez
Jan 4, 2022
16
2
3
20
Some Ideas of Security measurements (mostly going further than what you asked for)

The whole Infrastructure is behind OPNSense HA gateways, they run VPN and guest proxy/ reverse proxy. Servers use apt proxy, maybe your own mirror but this is mostly overkill for security reasons.
DNSSEC is also a great but IMO optional thing to do for most infrastructures.

The PVE servers are in a separate VLAN which cant be accessed by guests.

The guests run their network interfaces on bridges attached to e.g. eno1.66 and are not allowed to do tagging by themselves.
It is a good idea to also integrate some kind of centralized auth realm into your PVE. It comes with the risks and benefits but breaks it a bit more up than root@..

As mentioned above: RSA Keys + Passphrase, 2FA for every server + VPN.

you could run OpenVAS for a constant vulnerability scan for guests, internal and external applications.

Don't forget about physical security as well, motion detectors with intrusion alerts. Both silent and non-silent alarms. Disabling USB access, or better lock down the whole server/ rack/ row/ room/ building ;-)

Monitor wireless-lan network environment for fake access points, deauth attacks,...
 
  • Like
Reactions: lralvarez

LnxBil

Famous Member
Feb 21, 2015
6,323
783
163
Saarland, Germany
All good and valid points from @Dunuin and @sundxplosion. One additional thing: If you use ZFS, maybe disk encryption for guests is also a good idea, especially if you house your server elsewhere or in a not so secure location and want to be sure that your data is save in cold state.
 
  • Like
Reactions: lralvarez

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!