Proxmox | VMs | Virus protection

F

flob

Member
Mar 28, 2018
6
0
21
40
Hello everyone,

I am a bit new when it comes to Proxmox and hosting VMs/Containers at home, but recently I successfully installed Proxmox on my old computer and now have 1 container (with pihole) and 1 VM with Windows server 2012 R2 running.

I don't do anything with both yet, but I was thinking if I need some kind of protection (like anti-virus software) for both as they are connected to the internet with bridged network mode. Maybe I am overthinking things, but as I said before, I am unexperienced with this self-home hosting. Could anyone let me know if I indeed need to do something to protect them?

Thanks in advance.
 
Anti-Virus is always suggested for Windows-based OS, for Linux on the other hand, most anti-virus scanners scan only for the millions of windows virus and do not focus on Linux viruses.

Best is always to have a good security concept which must also include a minimal attack surface, so you should only run the services you really need and/or firewall it directly from the PVE GUI. I'd also build a virtual DMZ, so that your containers/VMs cannot do any harm if they got infected.
 
LnxBil said:
Best is always to have a good security concept which must also include a minimal attack surface, so you should only run the services you really need and/or firewall it directly from the PVE GUI. I'd also build a virtual DMZ, so that your containers/VMs cannot do any harm if they got infected.
Click to expand...
What he said. Create a management network for the Proxmox hosts to live on, that you use to access them. Then create a virtual bridge that is used by your VMs that isn't addressable in Proxmox, so the VMs have access to their own network (maybe one that's not routable to the management network), but the Proxmox machines don't listen there at all, so there's no attack surface.

So if you use 10.1.1.0/24 as your management network, you can use 10.2.2.0/24 for the DMZ that the VMs live on. Create the second vm bridge within Proxmox and have it set Active, Autostart, but with no ip address attached to it. Then use a separate network card/switch/VLAN to route traffic in a way that makes your Proxmox IP address inaccessible to the VMs.

You will still need to worry about flaws in the platform (KVM/Intel) that would allow an attacker to take over a VM and use that to attack the host itself, but the odds of someone doing this seem fairly low to me. Anything is possible though, so it makes sense to have a recovery plan and to be suspicious when unexpected things start to happen.
 
Sounds interesting and challenging. I will need to have a look to see if I am capable of transfering your advice in to reality.

Thank you very much. I got some research to do.
 
flob said:
Sounds interesting and challenging. I will need to have a look to see if I am capable of transfering your advice in to reality.
Click to expand...
It's actually pretty simple. Think of it this way:
  • You've got a proxmox machine. You can have a cluster, but conceptually it's the same.
  • On this machine you have two network ports.
  • One port is for communication with proxmox. This is a "safe" network, protected from the outside.
  • The other port is for virtual machines. You host these, but you don't trust them, because they're exposed to the outside and they can become compromised.
That's it. Conceptually think of a firewall with 3 ports - one LAN (the management/proxmox network), WAN (the wild, wild, Internet), and your DMZ (your VMs). The DMZ only has access to Internet services you explicitly allow, LAN traffic is allowed to the DMZ but can't be initiated in the other direction, and you've got the firewall to manage your rules. The only hitch is that it's virtualized, so you need to tell Proxmox to manage that DMZ port but not listen on it. So:

First, go here when you're looking at a PVE host in the web interface:

upload_2018-4-1_10-11-0.png

Once there, create a new Linux Bridge. Here's how mine is set up (you'll need to use the correct device for your computer):

upload_2018-4-1_10-11-55.png
Now, when you create VMs, make sure this second bridge is given to them as their virtual network interface rather than the one that was created when you installed the system. Plug the associated network card into the switch/port you're using for your DMZ and you're golden.

(If you prefer you can do this with VLANs instead, but that's a bit more complicated and I prefer simple.)
 
Thank you for your assistance, but I am not sure if I am capable of doing this with my old computer. I only have one physical network port (I am using my old computer for Proxmox).

This is how currently my network in Proxmox looks like:

upload_2018-4-3_12-7-26.png

I can't create another one with enp5s0 as it already is in use (which is obvious :D).

I think for your solution I need 2 physical network ports, right?
 
I believe you can do this with a VLAN if your networking equipment also supports VLANs. Someone else should talk you through it though; I understand it but have never worked with it.

You don't need to have segregated networks, but it really is a good idea...
 
Hi,

Many protection layers are ok (vlan, dmz, and others). But you will also need some tools that will chech if all your protections layers are as you setup before. As simple example I setup a very good firewall, so I can go to sleep? No, I must have to chech if all my firewall roules that NOW are running are the same with what I espect to be. So I nedd a tool who will chech what roules are active now. And more, if my system check tool identify that this roules are not as I wish to be, my tool will be able to remove all this roules and will be replaced with what must be running. And even more ... if my tool will need to do any roules replace, then I need a mail warning and after 3 consecutive events, I want to shutdown this server.
Security tools without any checks is nothing if you ask me.

Another tool to use is a proxy server who can be setup to enforce some basic ACLs, like no file transfer like .exe, .com, .msi, .bat, .jar, .bat, files. I was able to run 50 PCs without any antivirus us8ng a such proxy/squid for at least 3 years without any virus infections - lucky me ;)
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back