best practice for SSH into PVE & VM
- Thread starter vesuvienne
- Start date
The "Safest" method of course would be no (outside-network) remote access.
If you had to give remote access that is not IP-restricted I would go with option 1. One entrance into the network (on an alternate port obviously), and if they gain access to your host, they can always mess with the VM's anyway (on-boot password reset, or just remove the system). Why not option 3? If you accidentally shut down that VM or a problem during a proxmox-reboot causes it to not boot, you can't get access to proxmox to start it again, if you shut down proxmox, you'll have to use a button-push or use an ILO/IPMI anyway.
That said, if you have the option for a (good/secure) user-VPN on your router, I would add that to the mix, throwing up multiple barriers, while for you it's simply turning it on and entering your VPN-password.
If this is all in-house though, or from an IP-restricted location (aka only port-forwards/-access from a specific IP), I would go with option 2 actually, If someone steals/gets access to your laptop, it doesn't matter if you have 1, 4 or 400 keys, they are on your laptop and they get access.
Note, all just my personal opinion from experience, others might disagree, and I welcome any input, but the above would be the method I would at least look at if I was in such a situation.
If you had to give remote access that is not IP-restricted I would go with option 1. One entrance into the network (on an alternate port obviously), and if they gain access to your host, they can always mess with the VM's anyway (on-boot password reset, or just remove the system). Why not option 3? If you accidentally shut down that VM or a problem during a proxmox-reboot causes it to not boot, you can't get access to proxmox to start it again, if you shut down proxmox, you'll have to use a button-push or use an ILO/IPMI anyway.
That said, if you have the option for a (good/secure) user-VPN on your router, I would add that to the mix, throwing up multiple barriers, while for you it's simply turning it on and entering your VPN-password.
If this is all in-house though, or from an IP-restricted location (aka only port-forwards/-access from a specific IP), I would go with option 2 actually, If someone steals/gets access to your laptop, it doesn't matter if you have 1, 4 or 400 keys, they are on your laptop and they get access.
Note, all just my personal opinion from experience, others might disagree, and I welcome any input, but the above would be the method I would at least look at if I was in such a situation.
I would connect to host directly :
1/ VPN (when you connect from random WAN ip)
2/ Enable and Add Firewall rules if you connect from static WAN ip.
3/ Add Firewall rule to allow SSH only on public ipv6 (greatly reduce bot access, at least, imo for the next years)
1/ VPN (when you connect from random WAN ip)
2/ Enable and Add Firewall rules if you connect from static WAN ip.
3/ Add Firewall rule to allow SSH only on public ipv6 (greatly reduce bot access, at least, imo for the next years)
Last edited: