Possible to change Proxmox default port now?

[kotakomputer]

5 years ago, users asked how to change Proxmox port 8006. Is it possible now?

 

[tom]

See https://pve.proxmox.com/wiki/Web_Interface_Via_Nginx_Proxy

 

[LnxBil]

You can also change it via iptables, e.g. add this to your network device in /etc/network/interfaces:

post-up iptables -t nat -A PREROUTING -d <your-ip> -p tcp --dport 443 -j REDIRECT --to-port 8006 || true

 

[kotakomputer]

You can also change it via iptables, e.g. add this to your network device in /etc/network/interfaces:

post-up iptables -t nat -A PREROUTING -d <your-ip> -p tcp --dport 443 -j REDIRECT --to-port 8006 || true

Does this will change port so hacker can not access 8006 anymore?

 

[kotakomputer]

See https://pve.proxmox.com/wiki/Web_Interface_Via_Nginx_Proxy

This guide is useless, because I still can access 8006, so do the Hacker sir and put nginx mean give more oppurtunity for hacker, also make additional server load

 

[LnxBil]

Does this will change port so hacker can not access 8006 anymore?

Then you need another iptables rule.

 

[LnxBil]

This guide is useless, because I still can access 8006, so do the Hacker sir and put nginx mean give more oppurtunity for hacker, also make additional server load

You should not expose the port to the world, so as long as it faces to the public, it can be attacked independend of the used port. There are only 65536 ports that are blazingly fast scanned for a running HTTP(s) server.

 

[guletz]

You should not expose the port to the world, so as long as it faces to the public, it can be attacked independend of the used port

Corect!

What you can do:


1. Use any decent VPN:
- on PMX node(not so good), and expose 8006 only for VPN and for your LAN
- or, better is to setup a VPN on your border router

2. Port Knocking
- on PMX node
- better, on your border router

3. More secure then 1. and 2(IMHO)
- Mikrotik as border router
- access on border router only for a few DDNS clients(admin PC) who will be able to connect with a VPN to any PMX host

In the last case I have not see any "stranger" connections during several years.


Good luck / Bafta !

 

[LnxBil]

Good points @guletz, but you forgot

0. Use a static IP as a client and allow only that IP through your PVE firewall.

 

[guletz]

Good points @guletz, but you forgot

0. Use a static IP as a client and allow only that IP through your PVE firewall.

Ideed.

 

[renne]

Why does Proxmox use port 8006 instead of the standard port 443?
It makes things complicated in VPNs if users have to remind the additional port.

 

[panchuz]

3. More secure then 1. and 2(IMHO)
- Mikrotik as border router
- access on border router only for a few DDNS clients(admin PC) who will be able to connect with a VPN to any PMX host

Great idea!!! Thanks
Any guide and/or tip on implementing this access restriction on software for not-Mikrotik users?

My router won´t allow anything but a static ip for connection source whitelisting.

 

[guletz]

Great idea!!! Thanks
Any guide and/or tip on implementing this access restriction on software for not-Mikrotik users?

Hi,

You can install zerotier on your PMX node, it is also a Tutorial about this subject on this Forum, if I remember!

Good luck / Bafta !

 

[reukiodo]

After a lot of digging, found out that I can reset the webui to run on port 443 like it used to in Proxmox 2 and earlier. As this is weirdly a hard-coded value, it takes a lot more editing than a simple config change.

# Change Proxmox default port
sed -i 's|8006|443|g' /usr/share/perl5/PVE/Firewall.pm
sed -i 's|8006|443|g' /usr/share/perl5/PVE/Cluster/Setup.pm
sed -i 's|8006|443|g' /usr/share/perl5/PVE/APIServer/AnyEvent.pm
sed -i 's|8006|443|g' /usr/share/perl5/PVE/API2/LXC.pm
sed -i 's|8006|443|g' /usr/share/perl5/PVE/API2/Qemu.pm
sed -i 's|8006|443|g' /usr/share/perl5/PVE/APIClient/LWP.pm
sed -i 's|8006|443|g' /usr/share/perl5/PVE/CLI/pct.pm
sed -i 's|8006|443|g' /usr/share/perl5/PVE/CLI/qm.pm
sed -i 's|8006|443|g' /usr/share/perl5/PVE/Service/pveproxy.pm
echo 'net.ipv4.ip_unprivileged_port_start=0' > /etc/sysctl.d/50-unprivileged-ports.conf
reboot

 

[Dunuin]

Why does Proxmox use port 8006 instead of the standard port 443?

There is no "Proxmox". Proxmox VE uses 8006 and Proxmox Backup Server 8007. And you can run both in parallel bare metal on the same host. Wouldn't work if both webUIs would use the default port 443.

# Change Proxmox default port
sed -i 's|8006|443|g' /usr/share/perl5/PVE/Firewall.pm
sed -i 's|8006|443|g' /usr/share/perl5/PVE/Cluster/Setup.pm
sed -i 's|8006|443|g' /usr/share/perl5/PVE/APIServer/AnyEvent.pm
sed -i 's|8006|443|g' /usr/share/perl5/PVE/API2/LXC.pm
sed -i 's|8006|443|g' /usr/share/perl5/PVE/API2/Qemu.pm
sed -i 's|8006|443|g' /usr/share/perl5/PVE/APIClient/LWP.pm
sed -i 's|8006|443|g' /usr/share/perl5/PVE/CLI/pct.pm
sed -i 's|8006|443|g' /usr/share/perl5/PVE/CLI/qm.pm
sed -i 's|8006|443|g' /usr/share/perl5/PVE/Service/pveproxy.pm
echo 'net.ipv4.ip_unprivileged_port_start=0' > /etc/sysctl.d/50-unprivileged-ports.conf
reboot

That doesn't look like a reliable solution. I would guess a upgrade could revert your changes and might even lock you out from the webUI.

 

[guletz]

Hi,

echo 'net.ipv4.ip_unprivileged_port_start=0' > /etc/sysctl.d/50-unprivileged-ports.conf

This is not a safe setting ....

Good luck / Bafta !

 

[LnxBil]

After a lot of digging, found out that I can reset the webui to run on port 443 like it used to in Proxmox 2 and earlier. As this is weirdly a hard-coded value, it takes a lot more editing than a simple config change.

# Change Proxmox default port
sed -i 's|8006|443|g' /usr/share/perl5/PVE/Firewall.pm
sed -i 's|8006|443|g' /usr/share/perl5/PVE/Cluster/Setup.pm
sed -i 's|8006|443|g' /usr/share/perl5/PVE/APIServer/AnyEvent.pm
sed -i 's|8006|443|g' /usr/share/perl5/PVE/API2/LXC.pm
sed -i 's|8006|443|g' /usr/share/perl5/PVE/API2/Qemu.pm
sed -i 's|8006|443|g' /usr/share/perl5/PVE/APIClient/LWP.pm
sed -i 's|8006|443|g' /usr/share/perl5/PVE/CLI/pct.pm
sed -i 's|8006|443|g' /usr/share/perl5/PVE/CLI/qm.pm
sed -i 's|8006|443|g' /usr/share/perl5/PVE/Service/pveproxy.pm
echo 'net.ipv4.ip_unprivileged_port_start=0' > /etc/sysctl.d/50-unprivileged-ports.conf
reboot

Looks much easier and better maintainable than just using one iptables from above.

 

[reukiodo]

Hi,

echo 'net.ipv4.ip_unprivileged_port_start=0' > /etc/sysctl.d/50-unprivileged-ports.conf

This is not a safe setting ....

Good luck / Bafta !

It is actually safer to have these processes which listen to these ports NOT run as root than limit this ports only to applications run as root!

 

[reukiodo]

That doesn't look like a reliable solution. I would guess a upgrade could revert your changes and might even lock you out from the webUI.

Which is why I've put it into a script to run after any upgrades, so any upgrade that reverts the hard-coded port will be corrected after it is overwritten.
I am offering my solution to this 'problem' that others also see in changing the default port, for whatever their reasons are. It would be much better (reliable) solution to just make the port configurable so users can set it to the port they choose, and I respect that the developers would have their own ideas on why it is hardcoded.

 

[AllanM]

I would suggest leaving the proxmox configuration alone, and rather than trying to "fix" something that isn't a problem, simply create a proxy that does what you want it to do.

I use haproxy (on pfsense) to direct incoming host.domain requests to their appropriate servers and ports.

Don't try to reinvent the wheel.