secure Proxmox main server

starnetwork

Dec 8, 2009
Hi, are there any practical suggestions for securing this server?
If I install a firewall, which ports need to remain open?

BTW, does APF (Advanced Policy Firewall) work with Proxmox?

Best Regards,
Star Network.
 
Use a hardware firewall (extra box), most secure by design.
 
I don't have this option.
For example, I have servers around the world,
and I can't ask the data center to buy and install hardware firewalls.

Also, it is a good solution but not always economically worthwhile.

iptables / APF is not such a bad solution...

Any suggestions / port list?
 
Thanks!
BTW, is APF a good solution for Proxmox?
And about the web interface, is there an idea for better security for the login method? (htaccess?)

Best Regards,
Star Network.
 
Any updates about securing the web interface? Is there an idea for better security for the login method? (htaccess?)
 
I am just asking if there is an option to secure the web interface of Proxmox via an .htaccess password.

Best Regards,
Star Network.
 
apache.org has all the info you need. I copied and pasted some of the notes we saved from apache.org below. Debian-specific information on setting up a password is available in many places. Use Google.

Using dedicated hardware: we use pfSense and old Pentium-3 type computers, and they work great. So there is NO hardware cost involved, as the hardware requirement for pfSense is a computer which someone has in a cellar or closet, or which is available at a recycle center.



Quoted from http://www.apache.org:
In general, you should never use .htaccess files unless you don't have access
to the main server configuration file. There is, for example, a prevailing
misconception that user authentication should always be
done in .htaccess files. This is simply not the case.
You can put user authentication configurations in the
main server configuration, and this is, in fact, the preferred way to do things.
(Found at: http://httpd.apache.org/docs/2.0/howto/htaccess.html)

http://httpd.apache.org/docs/2.0/howto/auth.html

http://linuxhelp.blogspot.com/2006/02/password-protect-your-website-hosted.html
http://httpd.apache.org/docs/2.0/howto/htaccess.html
 
Never tried, but why not.
 
Hi, I just checked pve.conf in /etc/apache2/sites-available
and
AuthType is used for PVE::AuthCookieHandler
AuthName is used for PVE
I want to add basic authorization (like the sample htaccess authorization)
AuthName "Member's Area"
AuthType Basic
AuthUserFile .htpasswd
require valid-user
to be added to the Proxmox login. Is it possible?

Best Regards,
Star Network.
 
I'd like to suggest a minor yet important improvement related to the security of the manager: could you please report the remote IP of the user logging into the manager when you call PAM?

This will enable the popular tool fail2ban to work out of the box with Proxmox. fail2ban monitors the failed login attempts in /var/log/auth.log and bans the remote IP if repeated failures are detected. Unfortunately, failed attempts from the Proxmox manager do not mention the remote IP, so fail2ban can't block a brute force attack on the manager login.
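
What the post above describes, as an added example (not code from the thread, Proxmox or fail2ban): a simplified fail2ban-style counter run over constructed auth.log lines, showing that failures logged with an empty rhost cannot be turned into a ban. The `webmgr` service name, host names, addresses, year and thresholds are all assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the usual pam_unix auth.log layout (not taken from the thread).
# "webmgr" stands in for a web login that calls PAM without passing the client address.
_TAIL = "authentication failure; logname= uid=0 euid=0 tty= ruser= rhost="
SAMPLE_LOG = "\n".join([
    f"Dec  8 10:00:01 pve1 sshd[2101]: pam_unix(sshd:auth): {_TAIL}203.0.113.7  user=root",
    f"Dec  8 10:00:09 pve1 sshd[2101]: pam_unix(sshd:auth): {_TAIL}203.0.113.7  user=root",
    f"Dec  8 10:00:20 pve1 sshd[2103]: pam_unix(sshd:auth): {_TAIL}203.0.113.7  user=root",
    f"Dec  8 10:01:00 pve1 sshd[2110]: pam_unix(sshd:auth): {_TAIL}198.51.100.9  user=root",
    "Dec  8 10:01:30 pve1 sshd[2111]: Accepted publickey for admin from 192.0.2.10",
    f"Dec  8 10:02:01 pve1 apache2[900]: pam_unix(webmgr:auth): {_TAIL}  user=root",
    f"Dec  8 10:02:02 pve1 apache2[900]: pam_unix(webmgr:auth): {_TAIL}  user=root",
    f"Dec  8 10:02:03 pve1 apache2[900]: pam_unix(webmgr:auth): {_TAIL}  user=root",
    f"Dec  8 10:02:04 pve1 apache2[900]: pam_unix(webmgr:auth): {_TAIL}  user=root",
])

FAILURE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+: "
    r"pam_unix\((?P<svc>[^:)]+):auth\): authentication failure;"
    r".*?\brhost=(?P<rhost>\S*)"
)
YEAR = 2009  # syslog timestamps carry no year; assumed so they can be parsed

def analyze(log_text, max_retry=3, find_time=timedelta(minutes=10)):
    """Return (addresses to ban, failures per service that carry no address)."""
    hits, unattributed = defaultdict(list), Counter()
    for line in log_text.splitlines():
        m = FAILURE.match(line)
        if not m:
            continue
        if not m["rhost"]:
            unattributed[m["svc"]] += 1  # a failure happened, but there is nothing to ban
            continue
        when = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits[m["rhost"]].append(when)
    banned = set()
    for rhost, times in hits.items():
        times.sort()
        # Ban when max_retry failures fall inside one find_time window.
        for i in range(len(times) - max_retry + 1):
            if times[i + max_retry - 1] - times[i] <= find_time:
                banned.add(rhost)
                break
    return sorted(banned), dict(unattributed)

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A non-empty second value is worth alerting on by itself: it means a login path is failing repeatedly while giving the banning tool no address to act on.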
 
Thanks!
I just use BFD for it, and BFD works with ssh, ftp, and failed basic auth from htaccess / httpd.conf.
That is one of the reasons that I want to add basic authorization to httpd.conf.
 
On the other hand, the Proxmox manager isn't necessary every day, so I just shut down Apache when I don't have to configure a container.