Server hardening: please audit my setup.

robok

New Member
May 9, 2023
Hello,

I always use Ubuntu Server, but at the moment I need a VM.

Below is my current setup for a secure Proxmox. What else should I add?

- Keep system up-to-date
-- Update and upgrade the system
-- Enable automatic security updates
- Secure SSH access & user account security
-- Secure SSH access
-- Change the default SSH port
-- Disable root login via SSH
-- Change root password
-- Replace the default user
-- Limit SSH access to specific users or groups
-- Force login with SSH key
- Firewall and networking
-- Configure a firewall
-- Disable IPv6
- Monitoring and intrusion detection
-- Monitor logs and system activity / Fail2Ban
-- Monitor the server for unauthorized changes / AIDE
- Regular security audits and testing
- Backup
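As an added example (not code from the original post or from Proxmox), here is a small audit script for the SSH items in the checklist above. It reads an sshd_config the way sshd does (the first value of a keyword wins, and anything after a Match line is conditional) and reports the settings a practitioner would want changed. The two sample configs are constructed for the example; the `root@CIDR` AllowUsers form and the `Include` warning are there because Proxmox VE needs root over SSH and Debian-based installs ship drop-in includes that can silently re-enable password logins.

```shell
#!/bin/sh
# Added example, not code from the thread or from Proxmox: audit an sshd_config
# against the SSH items in the checklist. Assumes the OpenSSH rule that for each
# keyword the FIRST value sshd reads wins, that directives are written
# "Keyword value" (no '='), and it deliberately stops at the first Match block,
# whose settings are conditional.

# effective_value FILE KEYWORD -> first value of KEYWORD before any Match block (empty if unset)
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/   { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE -> one finding per line, exit 0 if clean, 1 otherwise
audit_sshd_config() {
    f=$1; rc=0

    # Debian/Ubuntu ship an Include at the top; a drop-in (e.g. from cloud-init)
    # that sets PasswordAuthentication yes there wins over a "no" further down.
    if grep -qiE '^[[:space:]]*Include[[:space:]]' "$f"; then
        echo "Include present: drop-ins are read at that point and the first value wins; confirm with 'sshd -T'"
        rc=1
    fi

    # PVE itself needs root over SSH (cluster join, migration): keep root, keys only.
    v=$(effective_value "$f" PermitRootLogin)
    case ${v:-prohibit-password} in          # prohibit-password is the OpenSSH default
        prohibit-password|without-password|forced-commands-only|no) ;;
        *) echo "PermitRootLogin $v: set prohibit-password"; rc=1 ;;
    esac

    v=$(effective_value "$f" PasswordAuthentication)
    [ "${v:-yes}" = no ] || { echo "PasswordAuthentication ${v:-yes (default)}: set no"; rc=1; }

    # With UsePAM, keyboard-interactive still lets PAM ask for a password unless
    # this is off too (older keyword name: ChallengeResponseAuthentication).
    v=$(effective_value "$f" KbdInteractiveAuthentication)
    [ -n "$v" ] || v=$(effective_value "$f" ChallengeResponseAuthentication)
    [ "${v:-yes}" = no ] || { echo "KbdInteractiveAuthentication ${v:-yes (default)}: set no"; rc=1; }

    v=$(effective_value "$f" PubkeyAuthentication)
    [ "${v:-yes}" = yes ] || { echo "PubkeyAuthentication $v: set yes"; rc=1; }

    # Without AllowUsers/AllowGroups every local account with a key can log in;
    # user@CIDR patterns additionally pin the source addresses.
    a=$(effective_value "$f" AllowUsers); g=$(effective_value "$f" AllowGroups)
    [ -n "$a$g" ] || { echo "no AllowUsers/AllowGroups: access is not scoped to accounts or source addresses"; rc=1; }

    return $rc
}

# Constructed sample configs (not copied from any real host)
weak=$(mktemp); hard=$(mktemp)
trap 'rm -f "$weak" "$hard"' EXIT
cat >"$weak" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
Port 2222
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat >"$hard" <<'EOF'
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers root@192.0.2.10 root@10.8.0.0/24
EOF

echo "== weak =="; audit_sshd_config "$weak" || echo "(findings above)"
echo "== hardened =="; audit_sshd_config "$hard" && echo "clean"
```

The script is a static read of one file; the authoritative view of what sshd actually applies, includes and Match blocks resolved, is `sshd -T` run as root on the host, so use that to confirm after editing. Note that the changed port in the weak sample produces no finding at all, in line with the reply below that a non-default port is not a security control.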
 
Yes, this is the Ubuntu default, but why would you want to add additional users that will then be restricted in a sudo manner? This does not offer any benefits and will tremendously restrict the experience, because auto-completion of arguments and options does not work. It will get on your nerves tremendously if you're going to work a lot via SSH. If you don't, just disable local administration completely and do everything via a GUI user with appropriate permissions and via the pve domain (without having SSH login privileges).

The bullet point firewall is VERY complex (or easy) depending on your security requirements, but in general I would NOT enable SSH to the world - not even on a changed port (this has no big security impact). Could you elaborate on what you're going to do here? This may be much more than all the points you already mentioned.

Why disable IPv6?

Who will do audits? Create a special pve user for that (pve is capable of that and already has an audit role).

Where do all your logs go? What about rollback capabilities? What about time-to-recovery benchmarks for restore and ways to restore?
 
@LnxBil

Thanks for the reply!

#1 Are you recommending one root user without sudo, etc.? Yes?

#2 Why don't you enable SSH to the world? Is it okay if I connect to SSH with my SSH key? I'm using SSH instead of the web GUI for small tasks, etc.

#3 I always disable IPv6 because I don't use it.

#4 Audit - OK

#5 Can you explain? I don't have a copy of the Proxmox settings, only the virtual machine.
 
You can just use the reply button to create explicit replies - like in every good mail program available.

Are you recommending one root user without sudo, etc.? Yes?
PVE will always and only work as root, so why bother to add additional layers that are not feature-equivalent?


Why don't you enable SSH to the world? Is it okay if I connect to SSH with my SSH key? I'm using SSH instead of the web GUI for small tasks, etc.
Not having a port open is always better than having one open. I restricted SSH to fixed IP addresses and have VPN ready if you need external access.


Can you explain? I don't have a copy of the Proxmox settings, only the virtual machine.
This is a follow-up question to what exactly?
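The "SSH only from fixed IP addresses, VPN for everything else" setup from the reply above can be expressed in Proxmox VE's own firewall. The following is an added example, not the poster's configuration and not Proxmox project code: it writes a datacenter-level `cluster.fw` with a default-deny inbound policy, a `management` IP set (the predefined set that gates GUI, SSH and VNC/SPICE on every host), a single hole for a WireGuard endpoint, and a check that no inbound ACCEPT for SSH or port 8006 is left without a `-source`. The addresses, the WireGuard port and the staging path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the Proxmox project. File syntax follows
# /etc/pve/firewall/cluster.fw as documented for pve-firewall; addresses, the
# WireGuard port and the staging directory are assumptions. Verify on a host with
# 'pve-firewall compile' before copying it into place.

# write_cluster_fw FILE -> writes the hardened datacenter firewall config
write_cluster_fw() {
    cat >"$1" <<'EOF'
[OPTIONS]
# datacenter-wide switch; nothing below is applied until this is 1
enable: 1
# unsolicited inbound traffic is dropped; outbound stays open
policy_in: DROP
policy_out: ACCEPT

# "management" is a predefined IP set: only these sources may reach the GUI
# (8006), SSH (22) and VNC/SPICE on every host. Constructed values: one admin
# workstation and the WireGuard client subnet.
[IPSET management]
192.0.2.10/32
10.8.0.0/24

[RULES]
# the VPN endpoint is the only thing the outside world may talk to
IN ACCEPT -p udp -dport 51820 -log nolog
# explicit SSH/GUI rules bound to the set (+name references an IP set);
# redundant with the built-in management handling, but the intent is in the file
IN SSH(ACCEPT) -source +management -log nolog
IN ACCEPT -source +management -p tcp -dport 8006 -log nolog
EOF
}

# check_mgmt_exposure FILE -> prints inbound ACCEPT rules for SSH/8006 that
# carry no -source; exit 1 if any, 0 otherwise
check_mgmt_exposure() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        /^\[/ { in_rules = (tolower($0) == "[rules]"); next }
        in_rules && $1 == "IN" && /ACCEPT/ && !/-source/ &&
            ( /SSH\(/ || /-dport[[:space:]]+(22|8006)([[:space:]]|$)/ ) {
            print "unrestricted management rule: " $0; bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# sample run into a staging directory; copying to /etc/pve/firewall/cluster.fw
# is the manual step, done from the console in case the management set is wrong
stage=$(mktemp -d)
write_cluster_fw "$stage/cluster.fw"
check_mgmt_exposure "$stage/cluster.fw" && echo "cluster.fw: management ports are source-bound"
printf '[RULES]\nIN ACCEPT -p tcp -dport 8006\n' >"$stage/loose.fw"   # constructed counter-example
check_mgmt_exposure "$stage/loose.fw" || echo "loose.fw: fix before enabling"
```

Two caveats a practitioner would want: the moment `enable: 1` lands in `cluster.fw`, every host drops whatever is not in the management set, so have console (IPMI/KVM) access open while testing; and the VPN hole has to be there before the policy flips, otherwise the only way back in is that console. `pve-firewall status` shows whether the ruleset is enabled and running on the node you are on.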
 
You can just use the reply button to create explicit replies - like in every good mail program available.
Sure, sorry!

PVE will always and only work as root, so why bother to add additional layers that are not feature-equivalent?
OK, understood!

Not having a port open is always better than having one open. I restricted SSH to fixed IP addresses and have VPN ready if you need external access.
This is a follow-up question to what exactly?
I want to tunnel my web GUI panel through SSH and Tailscale. On a host or VM, should I install Tailscale? And if it's on a VM like Ubuntu Server, how can I force SSH tunneling on the host?

PS: Should I tunnel the SSH connection through Tailscale for root on SSH?
 
I want to tunnel my web GUI panel through SSH and Tailscale. On a host or VM, should I install Tailscale? And if it's on a VM like Ubuntu Server, how can I force SSH tunneling on the host?

PS: Should I tunnel the SSH connection through Tailscale for root on SSH?
Ideally your VPN tunnel exists on your firewall. Tailscale punches a hole in your firewall in order to work, so, I would recommend wireguard or openvpn with manual configuration. Your firewall should be a bare metal appliance at the very edge of your network with a *default deny* policy.
 
@LnxBil, can you respond to me?
Wow... I'm fast, but not that fast ;)

I want to tunnel my web GUI panel through SSH and Tailscale. On a host or VM, should I install Tailscale? And if it's on a VM like Ubuntu Server, how can I force SSH tunneling on the host?

PS: Should I tunnel the SSH connection through Tailscale for root on SSH?
Yes, VPN everything. Always.

If you open web apps to the world, use at least another layer of security like something OAuth2-based (with 2FA) or just go with SSL client certificates. A little bit more complicated to set up, but worth the hassle.
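The question earlier in the thread, "how can I force SSH tunneling on the host", has a concrete answer on the host side that the replies only hint at. The following added example (not from any poster and not Proxmox project code) gives a dedicated account a key whose only permitted action is opening a tunnel to the web GUI on loopback; the browser then uses https://localhost:8006 through that tunnel, and PVE's own login still applies at the other end. The account name `tunnel`, the hostname and the key material are placeholders; the checker is a small static validation of the resulting `authorized_keys`.

```shell
#!/bin/sh
# Added example, not from the thread or the Proxmox project. Host-side setup
# (manual, not executed here; assumed account name "tunnel"):
#   useradd -r -m -s /bin/sh tunnel
#   install -d -m 700 -o tunnel -g tunnel /home/tunnel/.ssh
#   tunnel_only_key "$(cat laptop.pub)" > /home/tunnel/.ssh/authorized_keys
# and add "tunnel" to sshd's AllowUsers if that directive is in use.

# authorized_keys options, written before the key type; order matters:
#   restrict         turn everything off (pty, agent/X11 forwarding, user-rc, ...)
#   port-forwarding  turn port forwarding back on
#   permitopen       only -L targets of 127.0.0.1:8006 are allowed
#   command          any session request runs /bin/false instead of a shell
TUNNEL_KEY_OPTS='restrict,port-forwarding,permitopen="127.0.0.1:8006",command="/bin/false"'

# tunnel_only_key "TYPE BASE64 COMMENT" -> authorized_keys line
tunnel_only_key() { printf '%s %s\n' "$TUNNEL_KEY_OPTS" "$1"; }

# client_command HOST -> the ssh invocation that matches the key options
#   -N                        no session, so the forced command never runs and the tunnel stays up
#   ExitOnForwardFailure=yes  a refused forward is an error, not a silent no-op
client_command() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 8006:127.0.0.1:8006 tunnel@%s\n' "$1"
}

# check_authorized_keys FILE -> lists keys that can do more than the GUI tunnel;
# exit 1 if any. Assumes the option string contains no quoted spaces (true above).
check_authorized_keys() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $1 ~ /^(ssh-|ecdsa-|sk-)/ { print "unrestricted key: " $NF; bad = 1; next }
        !($1 ~ /(^|,)restrict(,|$)/ && $1 ~ /permitopen="127\.0\.0\.1:8006"/) {
            print "key not limited to the GUI tunnel: " $NF; bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# constructed sample: one correctly restricted key, then a bare key appended
ak=$(mktemp); trap 'rm -f "$ak"' EXIT
tunnel_only_key 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialForThisExampleOnly laptop' >"$ak"
check_authorized_keys "$ak" && echo "authorized_keys: tunnel-only"
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnotherFakeKeyForThisExample workstation' >>"$ak"
check_authorized_keys "$ak" || echo "fix the entries above"
client_command pve.example.internal
```

This is the SSH-side equivalent of "VPN everything": the key cannot get a shell, cannot forward anywhere but the GUI port, and the GUI still asks for PVE credentials (ideally with TFA) once the tunnel is up. It does not replace the firewall restriction on port 22 itself; the two stack.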
 
