proxmox hacked

[Maher Khalil]

I have proxmox with several of VM machines based on KVM sold to customers
i noticed that tcp connection using my proxmox server is trying to connect to one of my other servers and off course it is getting blocked by fail2ban
my question:
how clients of VM can access the proxmox host
is that means proxmox is not safe?

 

[ness1602]

That usually means your proxmox is not safe.

 

[Maher Khalil]

It is normal installation. I think proxmox should isolate cm from server, right?
Should I do something else?

 

[ness1602]

Proxmox has a great firewall,limit access to web-gui to only known IPs

 

[Maher Khalil]

It is normal installation. I think proxmox should isolate cm from server, right?
Should I do something else

 

[Maher Khalil]

What I want to understand how user of kvm machine access server? Proxmox should ensure that it couldn't happen, right?

 

[leesteken]

Are your VMs/containers on a separate bridge or does your Proxmox host also have an IP address on the same bridge? Are those bridges on separate network controllers or VLANs?
Once in a while there are reports about VMs that can compromise the host by using security bugs in QEMU or the KVM drivers.

 

[Maher Khalil]

I already stopped and remove containers since long time to avoid security issues,
Proxmox host dies not have IP in bridges, I have 2 subsets each one in separate bridge.
If vm can access host, that means it is not for production?

 

[Maher Khalil]

If someone can access the host means he can play with firewall

 

[leesteken]

I already stopped and remove containers since long time to avoid security issues,
Proxmox host dies not have IP in bridges, I have 2 subsets each one in separate bridge.
If vm can access host, that means it is not for production?

Please explain what you mean with subsets. Unless the networks a physically separated (or VLANs) connected only via a properly configured firewall, the VMs can (try to) connect to Proxmox host(s) via the network.

 

[Maher Khalil]

Subnets of IPS on bridge for vm

 

[leesteken]

Subjects of IPS on bridge for vm

How is the host isolared from the bridge for the VMs?

 

[Maher Khalil]

How to achieve that

 

[Maher Khalil]

While creating vm, I select the bridge and add network card and expect proxmox to do the isolation

 

[leesteken]

While creating vm, I select the bridge and add network card and expect proxmox to do the isolation

The VM (CPU, memory, disk) are isolated but if your networks are connected, they can still attack the host via the network. A virtual machine connected to a network is in that respect no different from a physical machine connected to that network. Use proper network isolation just as you would with physical machines.

 

[Maher Khalil]

How to achieve proper network isolation?
Can I put clan tag for running cm?
Is clan tag enough?

 

[voarsh]

Networking like this is a big beyond me too, I recommend Two Factor Auth if you can't isolate them on a different subnet/network that can't talk with your PVE host....
And if they're escaping the VM/QUEM, there's other problems...

 

[Maher Khalil]

so what's is the suggestion to isolate then from host?

 

[voarsh]

so what's is the suggestion to isolate then from host?

I do not know much about bridges, but either do TFA on PVE host for better password security, or get a new network switch firewall capabilities to block traffic from all ips, except XYZ, get the vm's on a different network switch, , or tweak around with Proxmox bridges and firewall.