I'm looking into hardening Proxmox VE. Unfortunately, there are no official baselines yet for Proxmox, so I'm using the information I can find online and in the Proxmox communities.
It was discussed in the past; did you already search the forums for it?
https://forum.proxmox.com/search/8806046/?q=hardening&o=date
The following threads I would consider quite helpful:
Hello dear community,
We are a small startup with two people and are currently setting up our infrastructure.
We will be active in the media industry and have a strong focus on open source, as well as the intention to support relevant projects later on as soon as cash flow comes in.
We have a few questions about the deployment of our Proxmox hypervisor, as we have experience with PVE, but not directly in production.
We would like to know if additional hardening of the PVE hypervisor is necessary. From the outset, we opted for an immutable infrastructure and place value on quality and...
Hi y’all,
I’ve released a Proxmox hardening guide (PVE 8 / PBS 3) that extends the CIS Debian 12 benchmark with Proxmox specific tasks.
Repo: https://github.com/HomeSecExplorer/Proxmox-Hardening-Guide
A few controls are not yet validated and are marked accordingly.
If you have a lab and can verify the unchecked items (see the README ToDos), I’d appreciate your results and feedback.
Planned work: PVE 9 and PBS 4 once the CIS Debian 13 benchmark is available.
Feedback is very welcome!
Thanks!
There are more, especially on whether it's a good idea to run antivirus or EDR on a Proxmox VE/Backup Server/Mail Gateway node (short answer: no, you really don't want to do this):
Hi,
Is there an official statement from Proxmox regarding the installation of antivirus software on PVE?
Does this installation affect the license and support provided?
Thanks!
Having a thought in regards to running SentinelOne on the PVE host itself. Would definitely want to exclude the storage locations that have the VM/container disks running from real-time scanning, but any other gotchas from running an EDR or AV in general on the PVE host to detect and stop malicious code?
I came across the following hardening guide:
https://github.com/HomeSecExplorer/Proxmox-Hardening-Guide/blob/main/docs/pve8-hardening-guide.md
One of the statements there is: "To satisfy several CIS Debian Benchmark controls (for example, partition layout), install Debian 12 first and then add the Proxmox VE repository instead of using the Proxmox ISO installer."
According to the following installation document:
https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_13_Trixie
You have to install a standard Debian first, then install Proxmox VE, and part of that installation is removing the Debian kernel again. That doesn't make sense. Aren't these steps included when using the Proxmox ISO?
Yes, but the Proxmox installer installs a certain partitioning scheme. It's NOT less secure than the default Debian install. For example, both won't set up the disk for full encryption. But the PVE installer has no option to encrypt the disk, while the Debian installer would allow this.
The question however is if that certain requirement is needed in your environment. For example, in my homelab I don't care about encrypting the disks in my nodes (nothing important on them), and I also wouldn't care about encrypting the disks of a server in a datacenter (it's not easy for burglars to break in).
If you happen to work for a military contractor or another sector which needs to fulfill strict data protection regulations, the story might be different.
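The reply above turns on two things you can actually measure on a host: whether a path is its own partition (the CIS partition-layout controls the guide cites) and whether the device behind it sits on a dm-crypt/LUKS layer (the thing the PVE ISO installer cannot set up). The script below is an added example, not code from the thread or from the Proxmox-Hardening-Guide repo. It parses the output of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` and walks the parent chain of the device mounted at a path looking for a `crypt` layer. The two listings are constructed sample data: one resembling a stock PVE ISO install (LVM on a plain partition), one resembling a Debian-installer "guided LVM on LUKS" layout with a separate /var/log volume. Function names and the sample device names are my own.

```shell
#!/bin/sh
# Added example: check (1) whether a path is a separate mount and
# (2) whether the block device behind it has a dm-crypt ("crypt") layer
# anywhere in its parent chain, using `lsblk -P` key="value" output.
# Caveat: a PVE ISO install on a ZFS root shows no MOUNTPOINT for "/" in
# lsblk (ZFS datasets are not block devices), so this covers LVM/ext4-style
# layouts only; check `zpool status` / `zfs get encryption` there instead.

# Constructed sample (assumption): typical PVE ISO install, LVM on sda3.
SAMPLE_ISO=$(cat <<'EOF'
NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda3" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="pve-swap" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="sda3"
NAME="pve-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="sda3"
EOF
)

# Constructed sample (assumption): Debian installer, LVM on LUKS, split /var/log.
SAMPLE_DEBIAN=$(cat <<'EOF'
NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="sda2_crypt" TYPE="crypt" MOUNTPOINT="" PKNAME="sda2"
NAME="vg0-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="sda2_crypt"
NAME="vg0-varlog" TYPE="lvm" MOUNTPOINT="/var/log" PKNAME="sda2_crypt"
EOF
)

# field LINE KEY -> value of KEY="..." from one lsblk -P line.
# A leading space is prepended so " NAME=" cannot match inside "PKNAME=".
field() {
  printf ' %s\n' "$1" | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# dev_for_mount LISTING MOUNTPOINT -> NAME of the device mounted there ("" if none).
dev_for_mount() {
  printf '%s\n' "$1" | grep -F "MOUNTPOINT=\"$2\"" | head -n 1 \
    | sed -n 's/^NAME="\([^"]*\)".*/\1/p'
}

# line_for_name LISTING NAME -> the full lsblk line for that device.
line_for_name() {
  printf '%s\n' "$1" | grep "^NAME=\"$2\" " | head -n 1
}

# is_separate_mount LISTING PATH: 0 if PATH is a mountpoint of its own.
is_separate_mount() {
  [ -n "$(dev_for_mount "$1" "$2")" ]
}

# mount_is_encrypted LISTING PATH: 0 if a "crypt" device is in the parent
# chain of the device mounted at PATH, 1 if not, 2 if nothing is mounted there.
mount_is_encrypted() {
  listing=$1
  name=$(dev_for_mount "$listing" "$2")
  [ -n "$name" ] || return 2
  while [ -n "$name" ]; do
    line=$(line_for_name "$listing" "$name")
    [ "$(field "$line" TYPE)" = crypt ] && return 0
    name=$(field "$line" PKNAME)   # climb to the parent device
  done
  return 1
}

# report LISTING LABEL: one line per path of interest.
report() {
  for mp in / /var/log /tmp /home; do
    if ! is_separate_mount "$1" "$mp"; then
      printf '%s: %s is not a separate mount\n' "$2" "$mp"
    elif mount_is_encrypted "$1" "$mp"; then
      printf '%s: %s is a separate, encrypted mount\n' "$2" "$mp"
    else
      printf '%s: %s is a separate mount but NOT encrypted\n' "$2" "$mp"
    fi
  done
}

report "$SAMPLE_ISO" "pve-iso"
report "$SAMPLE_DEBIAN" "debian-luks"
```

On a live node replace the sample with `LISTING=$(lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME)` and call `report "$LISTING" "$(hostname)"`; an unencrypted root on the ISO layout is reported as "separate mount but NOT encrypted", which is exactly the gap the reply above describes.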
Does this mean that we can't use the Proxmox ISO to install the environment? What's the point in having ISOs provided by Proxmox, if you have to install Debian separately first and after that install Proxmox VE? What is the recommended way?
If you don't know why you need to install Debian first, you shouldn't do it. So the recommended way is actually to start with the Proxmox installer, unless you have a good reason not to.
What's the actual reason you want to apply the hardening guide? Security is not a "one-time procedure" but a process, and you need to think about which threats you deal with and what to do about them (threat modeling). The need to satisfy some security/compliance-theater audit can also be a threat (from a business or legal point of view, and if not, at least to your sanity), but if you are aware of its (pointless from a security point of view) nature, you are better prepared to do something which will actually improve security. See also this discussion on running antivirus snake oil on PVE:
Having a thought in regards to running SentinelOne on the PVE host itself. Would definitely want to exclude the storage locations that have the VM/container disks running from real-time scanning, but any other gotchas from running an EDR or AV in general on the PVE host to detect and stop malicious code?
I referenced these alternative guides for Linux hardening:
https://github.com/trimstray/the-practical-linux-hardening-guide
https://github.com/dev-sec/ansible-collection-hardening
Please note that the first guide by trimstray was only tested with CentOS but like the author wrote most of it applies to all Linux systems.
Please also note the following note from it:
Do not treat this hardening guide as revealed knowledge. You should take a scientific approach when reading this document. If you have any doubts and disagree with me, please point out my mistakes. You should discover cause and effect relationships by asking questions, carefully gathering and examining the evidence, and seeing if all the available information can be combined into a logical answer.
This is also true for @HomeSecExplorer's guide, especially given the fact that parts of his guide cover acts not covered by Proxmox regular support:
Some procedures in this guide are community best-effort methods and not officially supported by Proxmox GmbH. Evaluate, test, and maintain these at your own risk; do not expect vendor support for issues arising from their use.