Hardening Proxmox security best practices.

N3ST

New Member
Aug 26, 2014
Hello everyone,

I started to use Proxmox a few months ago.

I wanted to know if it was a good idea to harden the security in Proxmox.

I have used lynis -c to audit the security on the server and made the changes accordingly.

I have also hardened the kernel by modifying sysctl.conf using this article: http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/

I also installed clamav and created a cron job for a scheduled scan once per week, and also rkhunter.

Is it a good idea to modify the hypervisor like that?

I also wanted to use either apparmor or grsecurity to further enhance the security.

Thank you in advance.

Best regards,

N3ST
 
Hi,

Security is a tricky thing. You will never achieve 100%. So just do reasonable and adequate measures.

At the moment it's better to hide hypervisor nodes behind the firewall. Use long passwords etc. I don't think installing extra packages helps that much but might frustrate the hypervisor OS.

There will be significant security enhancements in the new 3.3: Firewall with cluster wide configuration and GUI, two factor authentication, and more. (see http://forum.proxmox.com/threads/19...ewall-Html5-Console-Two-factor-authentication)
 
What I think is important is to install fail2ban and add the Proxmox VE web interface to be monitored by fail2ban to stop brute-force password attacks.

Install fail2ban and add the following to the config:
/etc/fail2ban/jail.local:
Code:
##### PROXMOX2: START######
[proxmox2]
enabled = true
port    = https,http,8006
filter  = proxmox2
logpath  = /var/log/daemon.log
maxretry = 7
# 12 hours; kept on its own line so the value parses as a plain integer
bantime  = 43200
##### PROXMOX2: END######

And create a new config file in /etc/fail2ban/filter.d/proxmox2.conf with the following content:
Code:
# Fail2Ban configuration file
#
# Author: eXtremeSHOK.com
#
# $Revision: 201 $
#
[Definition]
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.*msg=.*
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =


You might also want to harden the SSL cipher suites that the web interface provides; you can tweak them to your needs in the /etc/default/pveproxy file.
I (as an example! Please consider testing and reading up about OpenSSL cipher suites!) am using this:
Code:
CIPHERS='ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:!aNULL:!MD5:!DSS'


Then it can be good practice to hide the process list from other unprivileged users, isolating them to only their own process list, by adding the "hidepid=2" option to the /etc/fstab file, so the /proc line of fstab looks like this:
Code:
proc /proc proc defaults,hidepid=2 0 0


And as you most probably don't need rpc.statd to listen on your public network interface add the following to /etc/default/nfs-common file:
Code:
STATDOPTS="--name 127.0.0.1"
so it only listens locally.

Of course you could do much more, but that's just some very basic stuff I do on my Proxmox hosts.
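As an added example (not part of the post above), this Python script applies the proxmox2 failregex to constructed daemon.log lines and reports which rhost values have reached the jail's maxretry. It assumes the pvedaemon line format is what the regex matches, expands <HOST> the way the filter's comment describes, and ignores fail2ban's findtime window, so it only illustrates what the filter will and will not catch.

```python
import re
from collections import Counter

# failregex from the proxmox2 filter; <HOST> is expanded exactly as the
# filter comment states: (?:::f{4,6}:)?(?P<host>\S+)
FAILREGEX = r"pvedaemon\[.*authentication failure; rhost=<HOST> user=.*msg=.*"
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_TAG))

MAXRETRY = 7      # from the jail.local snippet
BANTIME = 43200   # seconds (12 hours), from the jail.local snippet


def fake_line(rhost, user="root@pam"):
    # Constructed line in the shape the failregex expects (assumed format).
    return (f"Aug 26 10:00:01 pve pvedaemon[1234]: authentication failure; "
            f"rhost={rhost} user={user} msg=Authentication failure")


# Constructed sample log: one host hammering root@pam, one host with a
# couple of failures over IPv4-mapped IPv6, and one unrelated success line.
SAMPLE_LOG = "\n".join(
    [fake_line("203.0.113.5")] * 8
    + [fake_line("::ffff:198.51.100.7", "admin@pve")] * 2
    + ["Aug 26 10:00:09 pve pvedaemon[1234]: <root@pam> successful auth "
       "for user 'root@pam'"]
)


def failed_hosts(log_text):
    """Map each matched host to its number of failregex hits."""
    hits = Counter()
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(log_text, maxretry=MAXRETRY):
    """Hosts whose failure count reached maxretry (fail2ban would ban them)."""
    return sorted(h for h, n in failed_hosts(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    for host, n in failed_hosts(SAMPLE_LOG).items():
        print(f"{host}: {n} failures")
    for host in hosts_to_ban(SAMPLE_LOG):
        print(f"would ban {host} for {BANTIME} seconds")
```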
 
Hello, thank you for all your advice.

I will install fail2ban and follow your recommendations.

Do you know when Proxmox 3.3 will be available, do you have an ETA?

Thank you in advance.

Best regards,

Vincent
 
