Proxmox on remote public server: security best practices?

mdbraber

Member
Oct 16, 2018
23
4
8
41
I'm managing a remote dedicated server on which I've installed Proxmox as the hypervisor. I'm looking for the security best practices to secure the hypervisor (Proxmox) while giving public access to some individual VMs. I'm using pfSense als the internal firewall/router. Proxmox webinterface has 2FA enabled. I'm considering various options:

1) No network access for the hypervisor. Passthrough the single networking card and public IP to the pfSense VM. When pfSense would become unreachable this would require KVM access (which is possible, but has to be manually requested, so not ideal). Example config: https://github.com/pekare/hetzner-proxmox-pfsense

2) Hypervisor has a public IP and can only be reached by SSH. Using port forwarding I can access the Proxmox webinterface. Hypervisor would use the built-in Proxmox firewall and use fail2ban. Setup somewhat similar to: https://dominicpratt.de/hetzner-and-proxmox-pfsense-as-gateway/

3) Other options I'm missing?

Thanks for your answers!
 
  • Like
Reactions: lixaotec
hi,

i think 2 is the better option here, considering it will be pretty inconvenient if you lose access to pfsense.

keep in mind that if you will be clustering, you will have to allow port 8006 for API access and 22 for SSH access from other nodes.

fail2ban is a good idea. check here[0] for setting up fail2ban for the PVE web interface.

keep your PVE version up to date to avoid possible security issues.

i have no instructions for this, but i know some people use wireguard on their PVE host for secure access as well. (that way you only have a wireguard port open to public)

[0]: https://pve.proxmox.com/wiki/Fail2ban
 
  • Like
Reactions: lixaotec

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!