Security Remote Sync, restrict users to LAN

C

carsten2

Renowned Member
Mar 25, 2017
277
29
68
55
To remote sync I have to open up the port 8007 on the internet which is the management GUI. This shows lot of information what is service running at this port, which is a security risk. Also it possible to restrict users like root@pam to only the local net? For the internal management form LAN, passwords often not that long (so that they can be typed by humans), which form the internet these passwords are too weak.

I would like to have a special remote sync user, with a very strong password, which can do nothing by remote syncs and can access the server over the internet. The others users, specially root@pam should not be able to connect from the internet, only from LAN.

Another solution which be to open up an SSH tunnel to the remote site forwarding local port 8008 (because 8007 is already used by the local PBS) to the remote server 8007, and then point the remote sync to localhost:8008. Unfortunately I didn't find the option the change the remote port.
 
carsten2 said:
To remote sync I have to open up the port 8007 on the internet which is the management GUI.
Click to expand...

No, you just have to open the 8007 for the specific IP.

carsten2 said:
I would like to have a special remote sync user,
Click to expand...

You can create user with limited permissions just via the GUI.

We will also implement 2FA, see https://pbs.proxmox.com/wiki/index.php/Roadmap

Changing just a port will never increase security (and is not possible/implemented on pbs).
 
The current design is not secure as it leaks information about the GUI. The remote syncing server also might have a dynamic IP the firewaling cannot be used to restrict access to one destination ip. Restriction to local users is also not possible. Local assords are often not as strong as internet passwords.

Please make it possible to define a different for the destination the remote sync from, so one can setup an ssh tunnel (is it not possible to setup a tunnel with 8007 because 8007 is already used by the PBS installed on the remote syncing server.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back