Malware Protection on Proxmox Host reasonable?

Discussion in 'Proxmox VE: Networking and Firewall' started by BEHIND-IT, Jan 9, 2019.

  1. BEHIND-IT

    BEHIND-IT New Member

    Joined:
    Nov 4, 2017
    Messages:
    2
    Likes Received:
    0
    Happy new year everyone!

    I'm thinking about installing some sort of advanced malware protection software on the Proxmox host, because in my opinion a system shouldn't go without it, regarding attacks out of VMs / containers on Intel / AMD or KVM / LXC. But I'm aware it may break wanted calls / functions of Proxmox, like clustering, KVM, Ceph, or LXC, because of the "intelligent" / AI and so-called algorithms which intercept data streams as false positives.

    Maybe I'm too security focused / fearful / paranoid. ;)
    What's your opinion or experience about this?

    Should reducing the attack surface, cleanly separated networks for VMs and management, an activated restrictive FW ruleset within the Proxmox cluster and strong passwords / passphrase-protected keys be sufficient?

    Many thanks in advance!

    Best regards
    O.

    ---
    Edit: Typo.
     
  2. spirit

    spirit Well-Known Member

    Joined:
    Apr 2, 2010
    Messages:
    3,220
    Likes Received:
    119
    Not really an antimalware (local scanning), but I'm running the Suricata IDS on the host to monitor network traffic, without any problem.
  3. guletz

    guletz Active Member

    Joined:
    Apr 19, 2017
    Messages:
    705
    Likes Received:
    100
    These are only the minimum to do. Sufficient? It is hard to say! Other tasks that you could do:

    - proactive firewall (if someone tries to connect to some well-known ports like ssh, mysql, telnet, etc. -> block this IP for X hours)
    - firewall DNS (see https://abuse.ch/ )
    - HIDS, central syslog, monitoring (bandwidth, traffic volume/time for up/down)
     
    #3 guletz, Jan 9, 2019
    Last edited: Jan 9, 2019
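    As an added example (not code from this thread or from Proxmox), here is the kind of "proactive firewall" logic described above in its simplest form: it scans constructed netfilter-style log lines for connection attempts to well-known ports, and once a source IP hits them a threshold number of times inside a sliding window, it is scheduled for a block of X hours. The log prefix `PVE-IN:`, the ipset name `honeyport_block` and all addresses are assumptions; commands are only rendered as strings, so nothing is applied.

    ```python
    import re
    from collections import defaultdict
    from datetime import datetime, timedelta

    WATCHED_PORTS = {22, 23, 3306}   # ssh, telnet, mysql (from the post's list)
    THRESHOLD = 3                    # attempts before a block is scheduled
    WINDOW = timedelta(minutes=10)   # sliding window per source IP
    BLOCK_HOURS = 6                  # the "X hours" from the post

    # Constructed sample lines shaped like a netfilter LOG rule with prefix "PVE-IN:" (assumption).
    SAMPLE_LOG = """\
    2019-01-09T10:00:01 pve kernel: PVE-IN: IN=vmbr0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22 SYN
    2019-01-09T10:00:04 pve kernel: PVE-IN: IN=vmbr0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23 SYN
    2019-01-09T10:00:09 pve kernel: PVE-IN: IN=vmbr0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3306 SYN
    2019-01-09T10:00:12 pve kernel: PVE-IN: IN=vmbr0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=22 SYN
    2019-01-09T10:30:00 pve kernel: PVE-IN: IN=vmbr0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=22 SYN
    2019-01-09T10:45:00 pve kernel: PVE-IN: IN=vmbr0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=22 SYN
    """

    LINE_RE = re.compile(r"^(\S+) \S+ kernel: PVE-IN: .*SRC=(\S+) .*DPT=(\d+)")

    def find_offenders(log_text):
        """Return {ip: block_until} for sources that hit THRESHOLD watched ports
        within WINDOW. Hits older than WINDOW are dropped, so slow scanners
        (like 198.51.100.5 above, one attempt every 15-30 min) are not blocked."""
        hits = defaultdict(list)
        blocked = {}
        for line in log_text.splitlines():
            m = LINE_RE.match(line)
            if not m:
                continue
            ts = datetime.fromisoformat(m.group(1))
            src, dport = m.group(2), int(m.group(3))
            if dport not in WATCHED_PORTS or src in blocked:
                continue
            hits[src] = [t for t in hits[src] if ts - t <= WINDOW] + [ts]
            if len(hits[src]) >= THRESHOLD:
                blocked[src] = ts + timedelta(hours=BLOCK_HOURS)
        return blocked

    def block_commands(blocked):
        """Render ipset entries with a timeout so each block expires on its own
        (the set name 'honeyport_block' is an assumption, not Proxmox's own)."""
        return [f"ipset add honeyport_block {ip} timeout {BLOCK_HOURS * 3600}"
                for ip in sorted(blocked)]

    print("\n".join(block_commands(find_offenders(SAMPLE_LOG))))
    ```

    On a real host the set would be referenced by a single DROP rule in front of the Proxmox firewall chains, and the timeout handles the "for X hours" part without a cron job.
    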
  4. spirit

    spirit Well-Known Member

    Joined:
    Apr 2, 2010
    Messages:
    3,220
    Likes Received:
    119
    >>- proactive firewall (if someone tries to connect to some well-known ports like ssh, mysql, telnet, etc. -> block this IP for X hours)
    I'm using www.bitninja.io, botnet IP reputation + honeyport, but in my VMs (never tested with the Proxmox host, as it's mainly iptables+ipset based).

    >>- firewall DNS (see https://abuse.ch/ )
    I'm using 9.9.9.9 (Quad9).

    >>- HIDS
    I'm using Wazuh, works fine with Debian (OSSEC based + Kibana).

    >> central syslog
    Central rsyslogd + forwarding to Elastic/Kibana.

    >> monitoring (bandwidth, traffic volume/time for up/down)
    telegraf + InfluxDB
  5. guletz

    guletz Active Member

    Joined:
    Apr 19, 2017
    Messages:
    705
    Likes Received:
    100
    Hi @spirit ,

    Thx. Good points. I also use OSSEC, but not Kibana, as I do not want/like to use any Java-based application.
     