Securing PVE Web Interface

moose

Nov 19, 2017
Hi folks,

just a question about securing the PVE Web Interface.

As far as I know two methods are recommended by Proxmox itself:

- 2FA
- Fail2ban

I myself would like to extend these two options a little bit by
  • accessing port 8006 only over a tunneled ssh connection and
  • making it unavailable on PVE's official ip address.
But, netstat -tulpn tells me

tcp 0 0 0.0.0.0:8006 0.0.0.0:* LISTEN 1060/pveproxy

i.e.
pveproxy is listening on port 8006 on every ip address of each interface. So my question is how to bind pveproxy to
  • ip address 127.0.0.1 or
  • the lo interface only?
Well, I looked in pveproxy's man page, where a simple Apache2-like ACL is listed:

ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
DENY_FROM="all"
POLICY="allow"

I think reducing the ALLOW_FROM statement to 127.0.0.1 should fulfill my needs. Do you agree? Or do you think there is a better way to reach my goal, i.e. unbinding port 8006 from all other interfaces except the lo one?

BTW: Which methods are you using to secure your PVE Web Interface on servers placed in the internet? What are your experiences with it? Do you have other suggestions I didn't mention above?

Thanks in advance and greetinx

moose
 
Hi,

BTW: Which methods are you using to secure your PVE Web Interface on servers placed in the internet? What are your experiences with it? Do you have other suggestions I didn't mention above?

In most cases I use a Mikrotik router in front of PMX. And I create rules like:
a. if a new connection is made by an IP with DDNS hostname gigi.dyndns.org with IPsec/L2TP (vpn) => then accept
b. any traffic using the vpn can go to any PMX node (including web-interface)
c. block any traffic from the Internet to PMX clusters

Also, a nice black-list with around 30-32 000 IPs (bad boys) is very useful, for me at least (with daily updates).

And when I need to access the PMX hosts, I run first my DDNS client, and the IPsec/L2TP client. After that I can connect to any PMX nodes!

Good luck!
 
Thanks a lot for your reply, guletz!

Because I don't have a Mikrotik router I did it the way I mentioned above, with https over ssh (tunnel) and allowing pveproxy to listen on lo only. This works fine so far.

There is only one issue: official (custom) SSL certificates installed on PVE will mismatch, because in the browser the local host ip address (used by the tunnel) doesn't match PVE's FQDN. But there is a solution for this behavior:

1. Linux

add

127.0.0.1 servername.domain.tld servername # PVE

to file /etc/hosts.


2. Windows

add

127.0.0.1 servername.domain.tld # PVE

to file C:\Windows\System32\drivers\etc\hosts.


Now you can use the FQDN of your PVE WebUI in your browser without getting a certificate issue, i.e.

https://servername.domain.tld:8006

although you are using an ssh tunnel to access pveproxy on your PVE server. Without the workaround you'd have to type https://127.0.0.1:8006.

Greetinx

moose
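The tunnel-plus-loopback setup moose describes in this thread, as an added example that is not code from the thread or from Proxmox: a small POSIX shell helper that builds the ssh port-forward command, classifies how pveproxy is bound from a netstat -tulpn line (so you can verify the result after changing the config), and checks a hosts file for the 127.0.0.1 mapping. The FQDN, ssh user and sample netstat/hosts lines are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholder values:
PVE_FQDN="servername.domain.tld"   # hypothetical PVE host name
PVE_PORT=8006                      # pveproxy port from the thread

# Build the ssh command that forwards a local port to pveproxy on the PVE
# host. The remote end of the tunnel connects to 127.0.0.1, which is the
# only address the reduced ALLOW_FROM="127.0.0.1" ACL would accept.
# $1 = ssh user, $2 = local port (defaults to 8006)
tunnel_cmd() {
    printf 'ssh -N -L %s:127.0.0.1:%s %s@%s\n' \
        "${2:-$PVE_PORT}" "$PVE_PORT" "$1" "$PVE_FQDN"
}

# Classify how pveproxy is bound, from `netstat -tulpn` or `ss -tulpn` text.
# Prints "all", "loopback", "other" or "none"; the exit status is 0 only
# when the listener is restricted to a specific address.
# $1 = netstat/ss output
bind_scope() {
    addr=$(printf '%s\n' "$1" | awk -v p="$PVE_PORT" '
        /pveproxy/ { for (i = 1; i <= NF; i++)
                         if ($i ~ (":" p "$")) { print $i; exit } }')
    case "$addr" in
        0.0.0.0:*|'[::]:'*|'*:'*) echo all;      return 1 ;;
        127.0.0.1:*|'[::1]:'*)    echo loopback; return 0 ;;
        '')                        echo none;     return 2 ;;
        *)                         echo other;    return 0 ;;
    esac
}

# Return 0 if the hosts file content maps the FQDN to 127.0.0.1 on a
# non-comment line (the workaround from the thread), 1 otherwise.
# $1 = hosts file content, $2 = fqdn
hosts_mapped() {
    printf '%s\n' "$1" | awk -v h="$2" '
        /^[[:space:]]*#/ { next }
        $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
        END { exit found ? 0 : 1 }'
}
```

Run `bind_scope "$(netstat -tulpn)"` on the PVE node and `hosts_mapped "$(cat /etc/hosts)" servername.domain.tld` on the client to check both halves of the setup.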