Securing proxmox cluster on public ip addresses
- Thread starter jinjer
- Start date
Hi,
I would say strong passwords - like described here: http://xkcd.com/936/
ssh perhaps via key only and fail2ban to avoid brute force.
And of course update all security fixes in short times...
Udo
BTW. an firewall don't protect against an weak password - the question is, what protect an firewall on an halfway secure system, where ports must be open for the outside?! I would say - not much (or less).
Last edited:
There's a lot of ports running on proxmox, by default
- The cman
- ntpd
- gluster (in my case, and that cannot be protected easily)
- the proxy on port 8006
I mean... there is a handful for any hacker to play with.
On my current installation, I keep the cluster nodes on a private network behind a firewall. However, that is not optimal for customers that need to login in a VPN before being allowed access.
Also, all VM and CT are on their own private network. They're behind a firewall too, but as you guess this model is quickly getting expensive and difficult to manage.
I would like to secure the proxmox node properly on a public network and perhaps run the cluster on a dedicated vlan on private addresses.
Then I'd keep the VM and CT with public addresses directly connected to the internet.
What I'm looking for in reality seems to be a separation between the nodes and their management and the CT/VM network (like openstack and similar projects).
Is this possible ?
- The cman
- ntpd
- gluster (in my case, and that cannot be protected easily)
- the proxy on port 8006
I mean... there is a handful for any hacker to play with.
On my current installation, I keep the cluster nodes on a private network behind a firewall. However, that is not optimal for customers that need to login in a VPN before being allowed access.
Also, all VM and CT are on their own private network. They're behind a firewall too, but as you guess this model is quickly getting expensive and difficult to manage.
I would like to secure the proxmox node properly on a public network and perhaps run the cluster on a dedicated vlan on private addresses.
Then I'd keep the VM and CT with public addresses directly connected to the internet.
What I'm looking for in reality seems to be a separation between the nodes and their management and the CT/VM network (like openstack and similar projects).
Is this possible ?
you need a private network just for cluster communication or else you are more than likely going to have an unstable cluster. Unicast/multicast is very sensitive and really need dedicated nics. You can of course have other interfaces public, but none of the actual clustering communication should be happening through public facing networks.
Simply configure iptables on cluster nodes. Allow only ip address and ports that you need for your customers and everything else drop. Of course, you will allow full communications between cluster nodes. Outside world will see only allowed services.
I got proxmox box on public ip for years and only working thing from outside is ssh on non-standart port allowed only from specific ip. Everything else like mail services are redirected inside the virtuals.
This is a very good setup. On top of it, the hosting provider must have a good DDOS protection, otherwise, despite the firewall mitigation rules, a flood could block the public network, the cluster nodes fail to communicate and trigger false positive reboots.