title | date | url | layout | category | image | description |
---|---|---|---|---|---|---|
Hardening Proxmox, some in one place | 2019-01-11 | hardening-proxmox-some-in-one-place | post | Security | /img/blog/hardening-proxmox-some-in-one-place.png | A (potentially wrong) write-up about Proxmox standalone instance optimizations |
Introduction
Proxmox is nothing more than a Debian distribution with some additional packages on top of it (including a custom kernel though).
This lets us apply some basic GNU/Linux hardening to the system that acts as the hypervisor.
In this guide, we'll go through reverse proxy hardening, RPC / NFS deactivation and IPv6 "soft-disabling".
⚠️ These blog post procedures DON'T REPLACE PROPER FIREWALL RULES AT ALL. ⚠️
The procedure
PVEProxy hardening
The PVEProxy is the component responsible for the Proxmox WEB interface communication.
It's nothing more than a specific reverse proxy.
Thus, we can apply regular cryptographic hardening (/etc/default/pveproxy):
{% highlight config %}
CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"

# For PVE-Manager >= 5.3 only.
COMPRESSION="0"
HONOR_CIPHER_ORDER="1"
{% endhighlight %}
We can also apply some access control rules (/etc/default/pveproxy too):
{% highlight config %}
DENY_FROM="all"
ALLOW_FROM="YOUR.PRIVATE.IP.RANGE/24,YOUR.HOME.IP.ADDRESS"
POLICY="allow"

# For PVE-Manager >= 6.4 only.
LISTEN_IP="ADMIN.SERVER.IP.ADDRESS"
{% endhighlight %}
Disabling RPC / NFS services
If your hypervisor doesn't need to run an NFS service, it's safe to disable it.
In /etc/default/nfs-common, set:
{% highlight config %}
NEED_STATD=no
{% endhighlight %}
You can also disable RPC services:
{% highlight bash %}
systemctl disable --now rpcbind.service rpcbind.socket
{% endhighlight %}
You only have to reboot now, and you will be able to verify the sockets that are listening with ss -atlnup 😉
IPv6 sockets
You don't have any IPv6 address, or no specific need to listen for anything over this protocol? You can safely disable those sockets.
By default, Postfix listens on all protocols; let's restrict it to IPv4 (/etc/postfix/main.cf):
{% highlight config %}
inet_protocols = ipv4
{% endhighlight %}
... and then restart the service:
{% highlight bash %}
systemctl restart postfix.service
{% endhighlight %}
Another IPv6 socket is opened by OpenSSH-Server. Let's do the same operation (/etc/ssh/sshd_config):
{% highlight config %}
AddressFamily inet
{% endhighlight %}
{% highlight bash %}
systemctl restart ssh.service
{% endhighlight %}
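To check that the rpcbind, IPv6 and LISTEN_IP changes above actually took effect, the listening sockets can be audited automatically. The script below is an added example, not part of the original post; it assumes `ss -H -tuln` output, pveproxy's port 8006, and a constructed sample of an unhardened host.

```sh
#!/bin/sh
# Added example (not from the original post): flag listeners the guide meant to close.
# Input: lines of `ss -H -tuln` (Netid State Recv-Q Send-Q Local Peer).
# Output: one "reason<TAB>netid<TAB>local-address" line per finding.
audit_listeners() {
    awk '
    {
        netid = $1; laddr = $5
        port = laddr; sub(/^.*:/, "", port)      # text after the last colon
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        sub(/%.*$/, "", addr)                    # drop an interface suffix such as %lo
        # rpcbind uses port 111 on both TCP and UDP
        if (port == "111")
            printf "rpcbind-still-listening\t%s\t%s\n", netid, laddr
        # ss prints IPv6 addresses in brackets and "*" for a dual-stack wildcard
        if (addr ~ /^\[/ || addr == "*")
            printf "ipv6-listener\t%s\t%s\n", netid, laddr
        # pveproxy (TCP 8006) bound to a wildcard means LISTEN_IP is not in effect
        if (netid == "tcp" && port == "8006" && (addr == "*" || addr == "0.0.0.0" || addr == "[::]"))
            printf "pveproxy-on-all-addresses\t%s\t%s\n", netid, laddr
    }'
}

# Constructed sample of an unhardened host (not captured from a real system).
sample_ss_output() {
    cat <<'EOF'
udp   UNCONN 0      0      0.0.0.0:111      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22       0.0.0.0:*
tcp   LISTEN 0      128    [::]:22          [::]:*
tcp   LISTEN 0      100    127.0.0.1:25     0.0.0.0:*
tcp   LISTEN 0      100    [::1]:25         [::]:*
tcp   LISTEN 0      4096   *:8006           *:*
EOF
}

# On the hypervisor itself: ss -H -tuln | audit_listeners
sample_ss_output | audit_listeners
```

An empty result means none of the three conditions was found; any remaining line names the socket to look at.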
PVEProxy TLS certificate
If you plan to administer your Proxmox instance from the WEB GUI over an insecure network (such as the Internet), you really should use a signed certificate, to prevent MITM attacks.
For this, you can follow the official ACME documentation.
Conclusion
Hope it helped you!
Here are the references that allowed me to perform some tests and write this post:
PS : This blog post will be updated (or not) according to the conclusion of this very old issue.
EDIT 2019-03-29 : Updated ! See here for more information.