Tips/ideas for securing Proxmox VE?

Giovanni

Apr 1, 2009
As you may be aware, when you leave a computer connected to the internet there is always a risk that a hacker might want to break into your system. So I wanted to ask for ideas or tips that I can implement to make my environment more secure (Proxmox VE).

I am running a vanilla Proxmox install with a KVM image running Windows and an OpenVZ Ubuntu image. It works perfectly and I am grateful for the work the developers have done to get this to us, and for free.

One thing that I noticed after I was done installing PVE is that HTTP is running on port 80, and that is the administrative interface for Proxmox. It seems like it has a login form, and I believe you can brute-force your way in if you know how.

Now I have been thinking of changing the HTTP port on PVE to something unusual, but with a port scanner that is pretty much worthless. How about shutting down HTTP completely when not in use?

Or better yet, is there a better way to prevent brute-forcing, like setting a login limit?

Another question that might come up is, if we shut down HTTP, will it still be possible to VNC into the VEs?
 
Now I have been thinking of changing the HTTP port on PVE to something unusual, but with a port scanner that is pretty much worthless. How about shutting down HTTP completely when not in use?

This is our administration interface - we can't shut it down?

Why don't you simply close the port on your firewall? Or restrict valid IP addresses in the Apache config.
 
Just to make clear: Proxmox VE is managed via a web interface, but this does not mean you should access it via the internet without taking basic security arrangements (like a firewall).
 
Of course...

Just to make clear: Proxmox VE is managed via a web interface, but this does not mean you should access it via the internet without taking basic security arrangements (like a firewall).


I'm managing to send Dietmar my proposal about Shorewall interfaced directly with the PVE interface, but if you want I can send you a simple example for writing a simple and efficient firewall on the PVE itself.

Diaolin
 
Briefly to mention,

I was able to set up a basic iptables-based firewall on a ProxVE server I set up late last year - and it wasn't too complex at all.

Additionally, it is important to mention a detail I suspect is sometimes overlooked: ProxVE is intended, to some extent, to have 2 NICs in a production deployment; one interface for management subnet access only; the other interface for "public internet traffic access".

Thus, your management interface (where HTTP Prox management happens) is exposed only to a trusted LAN, presumably behind a well-secured firewall at the periphery. Your public interface is the one used to bind bridges and virtual interfaces for your virtual machines, so that they have 'easy and normal internet access' -- but you don't let them see the management interface on the ProxVE host either (even though this is possible, clearly) - since that is just another point of exposure for the management subnet that is really not necessary, and not desirable ultimately.

So .. just a detail ... that in this sort of config, a ProxVE deployment can have the management web interface inherently not exposed to the internet, simply because of the physical interface being inside a private-secure-trusted LAN segment.



Tim
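
Added example, not posted by anyone in this thread: a shell function that prints an iptables-restore fragment confining the web interface to the management NIC and subnet described above, with a per-source limit on new connections. The interface name, subnet, port 443 and the chain and list names are assumptions for illustration; port 80 is the one mentioned in the first post.

```shell
#!/bin/sh
# Added example: generate iptables rules that keep the PVE web interface
# reachable only from the management network. Every default below is an
# assumption; override them through the environment for your own host.
MGMT_IF="${MGMT_IF:-eth0}"                # assumed management NIC
MGMT_NET="${MGMT_NET:-192.168.10.0/24}"   # assumed trusted management subnet
GUI_PORTS="${GUI_PORTS:-80,443}"          # 80 per the thread; 443 assumed

# Print an iptables-restore fragment. It only touches traffic addressed to
# the web interface ports on the host itself (INPUT); guest traffic that is
# merely bridged through the host is not affected.
mgmt_rules() {
    cat <<EOF
*filter
:PVE-GUI - [0:0]
# Inserted first so no broader rule can accept these ports earlier.
-I INPUT 1 -p tcp -m multiport --dports ${GUI_PORTS} -j PVE-GUI
# Packets arriving on the public NIC or a guest bridge never reach the GUI.
-A PVE-GUI ! -i ${MGMT_IF} -j DROP
# Right NIC, but a source outside the management subnet.
-A PVE-GUI ! -s ${MGMT_NET} -j DROP
# Packets of connections that already passed the checks below.
-A PVE-GUI -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Throttle guessing: at most 15 new connections per source per minute.
# This limits connections, not failed logins.
-A PVE-GUI -m conntrack --ctstate NEW -m recent --name pvegui --update --seconds 60 --hitcount 15 -j DROP
-A PVE-GUI -m conntrack --ctstate NEW -m recent --name pvegui --set -j ACCEPT
-A PVE-GUI -j DROP
COMMIT
EOF
}

# Print the fragment for review; loading it is a separate, deliberate step.
mgmt_rules
```

Validate the output as root with `mgmt_rules | iptables-restore --noflush --test` before loading it.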
 
