Securing SSH - Turning Off? Effects?

J

JakeBikeIT

Member
Jul 25, 2023
55
2
8
Hi Guys,

I need to add a little more security to a backup system running contained in Proxmox.

The GUI off the systems are secured with OTP MFA. Great.

However one assumed you can still SSH into these boxes with un-pw combinations - is it safe just to turn off the SSH daemon?
 
The Proxmox VE Node doesn't care if ssh is active on your VMs or not.

May it be an option to use key-based authentication only and don't allow logins using passwords?
 
Last edited:
If you don't want to turn it off completely, you could also think about securing SSH with 2FA
 
Are you concerned of the VM's SSH being open, or of the host PVE's SSH being open? I believe both can be blocked.
 
SSH on the host - turn that off so no one can control, damage, destroy the host config without the OTP ... Sorry I wasn't clear!
 
mgabriel said:
ssh on the host must not be disabled. Protect it by using ssh keys for logins and prohibit logins with passwords
Click to expand...
Has something changed in this regard? I remember this was not an option and a password login was required, if I remember correctly by the cluster middleware, even when running in a single host setup?
 
wrobelda said:
Has something changed in this regard? I remember this was not an option and a password login was required, if I remember correctly by the cluster middleware, even when running in a single host setup?
Click to expand...
I don't know about that but I am running a single node with key-only ssh logins and it is fine. I'm pretty sure the cluster SW uses keys as well, not passwords.
 
Azunai333 said:
Yes, but the GUI cluster join asks for a root password. Maybe it is needed only at cluster join?
Click to expand...
AFAIK, this is still the case.

mgabriel said:
ssh on the host must not be disabled. Protect it by using ssh keys for logins and prohibit logins with passwords and/or use the built-in firewall to protect your host.
Click to expand...
This!

I can also recommend to not use root as your daily driver and have PVE internal, OpenID or LDAP/AD users that normally don't have a backing PAM account, so they cannot login via SSH.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back