Proxmox on remote public server: security best practices?

[mdbraber]

I'm managing a remote dedicated server on which I've installed Proxmox as the hypervisor. I'm looking for the security best practices to secure the hypervisor (Proxmox) while giving public access to some individual VMs. I'm using pfSense als the internal firewall/router. Proxmox webinterface has 2FA enabled. I'm considering various options:

1) No network access for the hypervisor. Passthrough the single networking card and public IP to the pfSense VM. When pfSense would become unreachable this would require KVM access (which is possible, but has to be manually requested, so not ideal). Example config: https://github.com/pekare/hetzner-proxmox-pfsense

2) Hypervisor has a public IP and can only be reached by SSH. Using port forwarding I can access the Proxmox webinterface. Hypervisor would use the built-in Proxmox firewall and use fail2ban. Setup somewhat similar to: https://dominicpratt.de/hetzner-and-proxmox-pfsense-as-gateway/

3) Other options I'm missing?

Thanks for your answers!

 

[oguz]

hi,

i think 2 is the better option here, considering it will be pretty inconvenient if you lose access to pfsense.

keep in mind that if you will be clustering, you will have to allow port 8006 for API access and 22 for SSH access from other nodes.

fail2ban is a good idea. check here[0] for setting up fail2ban for the PVE web interface.

keep your PVE version up to date to avoid possible security issues.

i have no instructions for this, but i know some people use wireguard on their PVE host for secure access as well. (that way you only have a wireguard port open to public)

[0]: https://pve.proxmox.com/wiki/Fail2ban