Anyone who considers arithmetical methods of producing random digits is in a state of sin - John von Neumann
Red Teaming Experiments
IYADK

Securing Your PVE 7 Hypervisor Instance


You just got your hands on a dedicated server and installed the Proxmox VE 7 hypervisor on it.

If you are a security freak like me and want to be sure your systems are safe and sound in the wild west that is the internet, you have come to the right article.

I will only detail the steps needed to secure a single cluster with a single node and a single root user; I won’t go into securing the systems from within, with your users and VMs.

Enable TOTP

The first step is to add 2FA. In the left panel (Server View), click Datacenter, then under the Permissions tab go into Two Factor and click TOTP.

There are other ways of providing a second authentication factor, but that’s up to you to explore.

One important note: TOTP only protects the web interface. It won’t protect you from an attacker who uses the same credentials to connect over SSH.

Install fail2ban on your node

You might think that changing the SSH port of the node would be worthwhile too, but according to the Proxmox documentation the default port is needed for the cluster, and changing it is not recommended.

It is, however, recommended to install fail2ban. To give you an idea, just leave your server running for a couple of days and look at the logs on the node: you will see multiple failed login attempts, I can guarantee you that.

As a matter of fact, set a simple dictionary word as your password and I guarantee you will get hacked by a bot in less than 24h.

Let’s jump into the fail2ban installation. We will run fail2ban not only on the SSH service but on the web interface as well:

apt-get install fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vim /etc/fail2ban/jail.local

This is the basic config. Now edit it and go down until you reach the sshd section; it should look like this:

[… snip …]
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = true
[… snip …]
I just added the last line. Now, at the end of the file, add this config:

[… snip …]
#
# PROXMOX
#
[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
logpath = /var/log/daemon.log
maxretry = 3
bantime = 3600

Now let’s tell fail2ban how to recognise failed logins on the Proxmox interface:

vim /etc/fail2ban/filter.d/proxmox.conf

Add this config to that file:

[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =

This tells fail2ban how to spot failed logins on the web interface: every pvedaemon "authentication failure" line carries the client address after rhost=, which is what the <HOST> token captures.

Restart the fail2ban service to make the changes effective; you can verify the status of the service and of each jail as well:

systemctl restart fail2ban
systemctl status fail2ban
fail2ban-client status sshd
fail2ban-client status proxmox
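
To check that the filter’s failregex really catches what the [proxmox] jail needs, here is an added Python example (not part of the original post) that applies the same regex to constructed pvedaemon log lines and counts failures per source inside a sliding window, the way fail2ban’s maxretry and findtime do. The <HOST> replacement, the 600 s findtime and the year are assumptions; fail2ban’s own matching is stricter.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex from filter.d/proxmox.conf, with fail2ban's <HOST> token swapped for a
# named group (simplified assumption; fail2ban's real <HOST> pattern is stricter).
FAILREGEX = r"pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*"
HOST_RE = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>[\w\-.:]+)"))

MAXRETRY = 3      # from the [proxmox] jail
FINDTIME = 600    # fail2ban's default findtime in seconds (assumed; the jail does not set it)
YEAR = 2022       # syslog lines carry no year; assumed for timestamp parsing

def parse_line(line):
    """Return (timestamp, host) for a failed PVE web login, or None for any other line."""
    m = HOST_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=YEAR)
    return ts, m.group("host")

def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Count failures per host inside a sliding findtime window and return the
    hosts that reach maxretry, in the order fail2ban would ban them."""
    recent = defaultdict(list)
    banned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in banned:
            continue
        # keep only the failures still inside the window, then add this one
        hits = [t for t in recent[host] if ts - t <= timedelta(seconds=findtime)]
        hits.append(ts)
        recent[host] = hits
        if len(hits) >= maxretry:
            banned.append(host)
    return banned

# Constructed sample log lines (not real logs); addresses come from documentation ranges.
SAMPLE_LOG = """\
Jan 10 12:00:01 pve pvedaemon[1234]: authentication failure; rhost=203.0.113.5 user=root@pam msg=Authentication failure
Jan 10 12:00:07 pve pvedaemon[1234]: authentication failure; rhost=203.0.113.5 user=admin@pve msg=no such user ('admin@pve')
Jan 10 12:00:09 pve pvedaemon[1234]: <root@pam> successful auth for user 'root@pam'
Jan 10 12:00:15 pve pvedaemon[1234]: authentication failure; rhost=203.0.113.5 user=root@pam msg=Authentication failure
Jan 10 12:01:00 pve pvedaemon[1234]: authentication failure; rhost=198.51.100.7 user=root@pam msg=Authentication failure
Jan 10 12:30:00 pve pvedaemon[1234]: authentication failure; rhost=198.51.100.7 user=root@pam msg=Authentication failure
Jan 10 12:41:00 pve pvedaemon[1234]: authentication failure; rhost=198.51.100.7 user=root@pam msg=Authentication failure
""".splitlines()
```

Running hosts_to_ban(SAMPLE_LOG) bans only 203.0.113.5: the second host also fails three times, but never three times within one findtime window. On a PVE 7 node without rsyslog these lines exist only in the journal, and fail2ban can read them from there with backend = systemd in the jail instead of a logpath.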

Whitelisting your IP address

You should consider whitelisting your IP address on the Proxmox node. First, contact your internet access provider to get a static IP address, then simply edit the node’s iptables rules.

The easiest way to do this cluster-wide is to go to your cluster (Datacenter), open the Firewall section, select the IPSet submenu and click Create. Add an ACCEPT rule for the addresses or CIDR ranges you want to whitelist, then add a DROP/REJECT rule with no other settings; it will drop every other IP.

Understand that it is very important to put the ACCEPT rule first, since rules are processed top to bottom: if you put the DROP/REJECT rule above it, your own packets will be rejected!

Add a networking rule at your dedicated server provider

For instance, if you use an instance with OVH cloud, you can simply add a rule to permit only your IP or a set of IP addresses to connect to any of the ports of your hypervisor.

That should already be enough to kick out 99% of the botnets on the network. However, one thing to know is that packets from servers inside that same OVH cloud network are not blocked...

Now, if you want to host something on this network, that’s another story, and you might think of adding granular rules for the service in question. The same applies if your server rack is in your office or at home.

Conclusion

We saw multiple ways of securing your Proxmox instance after installation; there are other tactics that can be implemented, and those shown here are only the basics!

Here are some further ways to harden your instance: generate a better SSL certificate than the self-signed one Proxmox ships with, stop using SSH passwords and connect with a private key instead, add a firewall in front of your Proxmox instance, run pfSense or any other router OS as a VM and use OpenVPN to connect to your instances, set up a Cloudflare proxy with the reverse proxy pointing at your Proxmox interface, or use a Cloudflare Tunnel with Cloudflare Access to add another layer of authentication, and so much more!

Have a look at this article [hetzner-proxmox-pfsense]; you could also put the hypervisor behind the same firewall as the VMs by using PCI passthrough.

I would also recommend adding a honeypot for auditing purposes. I personally think it’s important to know who tries to get into your server and why, and also to quantify the risk and threat to your systems.

As always, thanks for reading!