Proxmox Datacenter Manager 1.0 (stable)

Sorry, I am a total noob when it comes to REST API. Does that mean that:
A: Is the connection always and mandatorily secured with HTTPS, just like with PBS?
B: Do you recommend a VPN instead of exposing the host, since that is best practice?
C: Does the REST API have a "brute force protection" by using a SHA256 key, instead of username + password?

Because then I found that the easiest way for me is to (just like with PBS) simply create a firewall rule that looks like this, instead of using a VPN:
Allow all incoming TCP on all ports, from STATIC_IPV6_REMOTE to STATIC_IPV6_LOCAL.
A: Is the connection always and mandatorily secured with HTTPS, just like with PBS?
Yes, all remotes are only connected to via HTTPS.

B: Do you recommend a VPN instead of exposing the host, since that is best practice?
This depends on your setup. If everything is local in your network, a VPN may not be necessary. If you split your infrastructure across several networks, and it is not possible for PDM to connect to all remotes, then yes, using a VPN or similar to allow direct connections from PDM to its remotes is recommended.

C: Does the REST API have a "brute force protection" by using a SHA256 key, instead of username + password?
There are numerous protections in place. However, you should not rely on any single measure, but rather try to pursue a "defense in depth" approach. I am not sure what exactly SHA256 is supposed to protect in this scenario. However, in terms of brute force protection when it comes to authentication, I am aware of the following measures:

- When authentication fails, the API adds an intentional 3s delay to all requests. This should prohibit fast retries.
- Passwords are stored and verified with yescrypt. Yescrypt uses a work and space factor as well as salts. This should limit various attacks on passwords, such as rainbow tables. It is also hard for an attacker to get access to the actual password from the generated hash. The work and space factors also make it harder to compute hashes fast, preventing brute force attacks to some degree.
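The two measures listed in the reply above (a fixed delay after a failed login, and salted password hashing with a tunable work and space factor) as an added worked example. This is not Proxmox code and does not reflect how PDM stores credentials; it is a minimal stand-alone password store written for illustration. Python's standard library has no yescrypt binding, so hashlib.scrypt (also salted and memory-hard, with a CPU/memory cost parameter N) stands in for yescrypt; the parameter values, the `$`-separated hash format, and the user name `root@pam` are assumptions made for the example.

```python
# Added example, not Proxmox/PDM code. scrypt stands in for yescrypt
# (assumption: same salted, memory-hard design; parameters chosen here).
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional

SCRYPT_N = 2 ** 14   # CPU/memory cost; memory is about 128 * N * r bytes (16 MiB here)
SCRYPT_R = 8         # block size
SCRYPT_P = 1         # parallelism
FAIL_DELAY_S = 3.0   # the delay the reply above says the API adds on a failed login


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: algorithm, parameters, salt and digest.

    A fresh random salt per user means two users with the same password get
    different hashes, so a precomputed (rainbow) table is useless and an
    attacker has to pay the full hashing cost for every guess, per user.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and salt, compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    # hmac.compare_digest does not short-circuit on the first differing byte
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Hash used for unknown users so that a bad username costs the same as a bad
# password and cannot be told apart by response time.
DUMMY_HASH = hash_password("not-a-real-password")


def authenticate(store: Dict[str, str], user: str, password: str,
                 sleep: Callable[[float], None] = time.sleep) -> bool:
    """Check credentials; on any failure, delay before returning.

    `sleep` is injectable so callers (and tests) can observe the delay
    without actually waiting.
    """
    stored = store.get(user, DUMMY_HASH)
    ok = verify_password(password, stored) and user in store
    if not ok:
        sleep(FAIL_DELAY_S)   # slows online guessing to one try per 3 s per connection
    return ok


def hash_cost_seconds() -> float:
    """Measure how long one hash takes; this is what an offline attacker pays per guess."""
    start = time.perf_counter()
    hash_password("timing-probe")
    return time.perf_counter() - start


if __name__ == "__main__":
    users = {"root@pam": hash_password("correct horse battery staple")}  # constructed sample
    print("correct password:", authenticate(users, "root@pam", "correct horse battery staple"))
    print("wrong password (after 3 s):", authenticate(users, "root@pam", "hunter2"))
    print("seconds per hash on this machine: %.4f" % hash_cost_seconds())
```

The combination is what matters: the delay caps online guessing through the API, and the salted, memory-hard hash keeps offline guessing expensive if the hash store ever leaks. Raising SCRYPT_N doubles both memory and time per hash; pick it so a login costs tens of milliseconds on the server, which is still orders of magnitude worse for an attacker than a plain SHA-256 of the password.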