How to limitate 8006 port on the web

sebastiano

Active Member
Jan 10, 2017
14
0
41
39
Hi, for reasons of need, I need to remotely access some proxmox installations via web interface, I would like to limit access to my public IP, or find a solution that limits the exposure of this port on the web, could anyone help me give some tips or tell me if there are any guides on this?
I looked for something online but nothing. I'll start by saying that unfortunately not all hosts have proxmox 8.x, I have one with version 6.x.
Thanks to anyone who can direct me
 
Access via public IP? That means you want your hosts to have open internet access?

That is a bad idea for many reasons.

I would suggest a private VPN to each site so you can securely access the hosts.
 
Hi, for reasons of need, I need to remotely access some proxmox installations via web interface, I would like to limit access to my public IP, or find a solution that limits the exposure of this port on the web

You should never expose your management to the world wide web, Proxmox VE is basically insecure install, it should have separate VLAN even on LAN. You need a VPN or at the least reverse proxy. If it's a one off, I would even SSH tunnel into the LAN (onto some other host than PVE) and take it from there.
 
If you have to put Proxmox onto the internet, I'd suggest using something like Cloudflare and their ZeroTrust solution. This means you can only access private resources over the public internet after having authenticated with Cloudflare -- or more specifically, with your OpenID provider of choice. If you or your users already have Google, Facebook, Amazon, GitHub ... accounts, you can use those accounts for your SSO solution.
 
Last edited by a moderator:
  • Like
Reactions: esi_y
Can I find some tutorials to test yours ideas?
That is a whole side adventure on its own. To be honest I would tread lightly if you are not use to working in and around routers and associated infrastructure.

That being said, I would start with a small lab environment that is NOT your production equipment. Figure out what VPN your router supports and start there.

I personally use Wireguard hosted on a Mikrotik router at most of my remote sites. Once the tunnel is active, you can easily access anything on the network.

Good luck!
 
Can I find some tutorials to test yours ideas?

I don't want to make this forum into networking (or some other product) tutorials, I have no idea what is your use case, but you sound like the sites over have proper infrastructure in place.

I will just drop ONE (actually two, but you get the idea) example (of many) reference to here:
https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-s2s.html
https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-s2ms.html

This to get the concept, I know many homelabbers like pfSense/OPNSense, but anyhow I would typically have this set on some appliance (they are meant for exactly that) at each site. It does not have to be wireguard, but it's probably simpler to setup from scratch. Same concept to applies to IPsec, it is bit neater when you can have all IPv6, but anyhow, you want to be transparently able to access each of your sites like it was local.

I am aware you can do other setups, you can even just wireguard expose one particular host, but this is not what I would pick for professional setup. So at least you have a concept to start with. For tutorials, you will need to take it based on your hardware.

But again, there are many other options, the Cloudflare approach is what is probably good enough for a home user unless you expect Cloudflare to be compromised or a threat to you:
https://developers.cloudflare.com/l...s/connect-private-applications/create-tunnel/

Most importantly: If set up well, any of these are MUCH better than trying to have firewall restricted access to PVE sitting on the internet.
 
Last edited:
  • Like
Reactions: sierra_mike
Most importantly: If set up well, any of these are MUCH better than trying to have firewall restricted access to PVE sitting on the internet.
off topic, but where vpn is better than iptables rules (used by PVE Firewall) ? imo, mostly use iptables rules...

edit: Actually I've more PVE with vpn access than iptables rules, but now since I've few statics ip, I deploy iptables rules, faster, cleaner, and why not : more secure)
 
Last edited:
off topic, but where vpn is better than iptables rules (used by PVE Firewall) ? imo, mostly use iptables rules...

It's not off-topic, it's actually a good point to emphasise. You are correct, i.e. VPNs have not much to do do with netfilter (i.e. iptables).

First of all, a firewall (as in, some appliance) is not just a packet filter, it can include ALG, IDS/IPS but also tunneling (VPNs inclusive). My point was not comparing tunneling with packet filtering. My point is that you want to be tunneling through a dedicated firewall rather than packet filtering on host with open ports. You would even cascade this, on purpose, i.e. 2 different firewall solutions (unlikely to have same vulnerability at once). It's only once you are past these, you can access anything on any hosts. And that's when you want to tunnel it (for convenience). You can absolutely have additional firewalls on your hypervisor, but you may as well forgo it and have everything segmented into VLANs where your appliances take care of the network. In a more complex setup you have even some SDN, but when it's about to leave and traverse the Internet, you want to have it encapsulated.

A tunnel solves several issues transparently: you have one separate stack to worry about security, one that has that as its primary purpose (you definitely want to keep that one professionally maintained), once in a tunnel, whatever traffic is safe from eavesdropping and will reach the other end integrity guaranteed. Whatever vulnerabilities there are in the holes you will need to keep open (i.e. PVE proxy, SSH), they are as safe as on your private network. You are also not touching such network setup all that often, i.e. less likely to get misconfigured. And if you do misconfigure it, you can get a notification from your vulnerability scanner that does check periodically.

So if you set your netfilter on Debian well, I am sure it's fine, except you have to keep ports open, which I do not want, not even SSH (there was a zero day, first in 20 years, not that long ago [1][2]). I would definitely not want to keep PVE proxy open to the world, not even behind reverse proxy.

Or put another way, have you ever heard of a rolling release security gateway solution?

EDIT:

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-6409
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-6387
 
Last edited:
since I've few statics ip, I deploy iptables rules, faster, cleaner, and why not : more secure)

You assume limiting access to statically defined IPs from the other end is more secure? You do not control what IPs will show up in the headers from the wild wide Internet. Or is everything all in your own ASN?
 
Last edited:
I can only strongly re-iterate the recommendation for Cloudflare.

Zero Trust is super convenient for end-users, as you don't need any client software. It's IMHO easier to get right than installing a VPN and making sure that you didn't accidentally make a mistake. It protects against a whole slew of additional types of attacks. And unless you are worried to be the victim of a targeted attack by Cloudflare itself (unlikely unless you are a high-profile international politician, and some shady organization can subvert Cloudflare), it gets you a lot more security professionals actively working on your behalf than pretty much any other solution out there.

Also, if you like WireGuard as a security protocol, you should be aware that Cloudflare traditionally used WireGuard between your systems and their data centers. But I think they might be in the process of upgrading some of these protocols.

It of course is conceivable for Cloudflare to get compromised. That's an impossible promise to make. Every product has flaws, and every organization makes mistakes or is subject to corruption by well-healed government entities. But realistically, if Cloudflare had a viable weakness, every single pager of every single person working an IT job for a Fortune 500 would go off simultaneously. It is that much of a big deal. Whatever you do at home, you are small fry by comparison and holes will be patched long before you are even on the radar of any attacker.

If your system gets compromised, it'll be by something other than a weakness in their public reverse proxy.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!