Securing PVE Web Interface

moose

Member
Nov 19, 2017
19
13
23
Bavarian Alps
Hi folks,

just a questions about securing the PVE Web Interface.

As far as I know two methodes are recommended by Proxmox itself:

- 2FA
- Fail2ban

I myself would like to extend this two options a little bit by
  • accessing port 8006 just over a tunneled ssh connection and
  • to make it unavailable on PVE's offical ip address.
But, netstat -tulpn tells me

tcp 0 0 0.0.0.0:8006 0.0.0.0:* LISTEN 1060/pveproxy

i.e.
pveproxy it listening on port 8006 on every ip address of each interface. So my question is how to bind pveproxy to
  • ip address 127.0.0.1 or
  • the lo interface only?
Well, I looked up in pveproxy's man page where a simple apache2 like acl is listed:

ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
DENY_FROM="all"
POLICY="allow"

I think reducing the ALLOW_FROM statement to 127.0.0.1 should fulfill my needs. Do you agree? Or do you think there is a better way to reach my goal, i.e. unbinding port 8006 from all other interface except the lo one?

BTW: Which methods are you using to secure your PVE Web Interface on servers placed in the internet? What are your experiences with it? Do you have other suggestions I didn't mention above?

Thanks in advance and greetinx

moose
 
Hi,

BTW: Which methods are you using to secure your PVE Web Interface on servers placed in the internet? What are your experiences with it? Do you have other suggestions I didn't mention above?

In most cases I use a Mikrotik router, in front of PMX. And I create rules like:
a. if a new connection is mayde by IP with DDNS hostname gigi.dyndns.org with IPsec/L2TP(vpn) => then accept
b. any traffic using the vpn can go to any PMX node(including web-interface)
c. block any traffic from Internet cu PMX clusters

Also, a nice black-list with around 30-32 000 IPs(bad boys) is very useful for me at least(with daily updates).

And when I need to access the PMX hosts, I run first my DDNS client, and the IPsec/L2TP client. After that I can connect to any PMX nodes!

Good luck!
 
Thanks a lot for your reply, guletz!

Because I don't have a Mikrotik router I did it the way I menioned above, with https over ssh (tunnel) and allowing pveproxy listening on lo only. This works fine so far.

There is only one issue: offical (custom) SSL certificates installed on PVE will mismatch, because in the browser the local host ip address (used by the tunnel) doesn't match PVE's fwdn.But, there is a solution for this behavior:

1. Linux

add

127.0.0.1 servername.domain.tld servername # PVE

to file /etc/hosts.


2. Windows

add

127.0.0.1 servername.domain.tld # PVE

to file C:\Windows\System32\drivers\etc\hosts.


Now you can use the fqdn of your PVE WebUI in your Browser without getting an certificate issue, i.e.

https://servername.domain.tld:8006

although your are using an ssh tunnel to access pveproxy on your PVE server. Without the workaround you'd have to type https://127.0.0.1:8006 .

Greetinx

moose
 
Last edited:

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!