blog/_posts/2019-01-11-hardening-proxmox-some-in-one-place.md

---
title: "Hardening Proxmox, some in one place"
date: 2019-01-11
last_modified_at: 2024-12-21 17:17
url: hardening-proxmox-some-in-one-place
layout: post
category: Security
image: /img/blog/hardening-proxmox-some-in-one-place.png
description: "A (potentially wrong) write-up about Proxmox standalone instance optimizations"
---

[![A missing blog post image](/img/blog/hardening-proxmox-some-in-one-place.png)](/img/blog/hardening-proxmox-some-in-one-place.png)

### Introduction

**Proxmox** is _nothing_ more than a Debian distribution with some additional packages on top of it (including a custom kernel though).  
This allows us to apply some _basic_ GNU/Linux hardening to the system, thus acting as an hyper-visor.

During this guide, we'll go through reverse proxy hardening, RPC / NFS deactivation and IPv6 "soft-disabling".

:warning: **These blog post procedures DON'T REPLACE PROPER FIREWALL RULES AT ALL.** :warning:

### The procedure

#### PVEProxy hardening

The **PVEProxy** is the component responsible for the Proxmox WEB interface communication.  
It's nothing more that a specific reverse proxy.  
Thus, we can apply _regular_ cryptographic hardening (`/etc/default/pveproxy`) :

{% highlight config %}
CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"

# For PVE-Manager >= 5.3 only.
COMPRESSION="0"
HONOR_CIPHER_ORDER="1"
{% endhighlight %}

We can also apply some access control rules (`/etc/default/pveproxy` too) :

{% highlight config %}
DENY_FROM="all"
ALLOW_FROM="YOUR.PRIVATE.IP.RANGE/24,YOUR.HOME.IP.ADDRESS"
POLICY="allow"

# For PVE-Manager >= 6.4 only.
LISTEN_IP="ADMIN.SERVER.IP.ADDRESS"
{% endhighlight %}

#### Disabling RPC / NFS services

If your hyper-visor won't need running **NFS** service, it's safe to disable it.

From `/etc/default/nfs-common`, set :

{% highlight config %}
NEED_STATD=no
{% endhighlight %}

You can also disable **RPC** services :

{% highlight bash %}
systemctl disable --now rpcbind.service rpcbind.socket rpc-statd-notify.service
{% endhighlight %}

You only have to `reboot` now, and you will be able to verify the sockets that are listening with `ss -atlnup` :wink:

#### IPv6 sockets

You don't have any IPv6 address, or don't have a specific need to listen to anything against this protocol ? You can safely disable those sockets.

By default, **Postfix** is listening to any protocols, let's disable it (`/etc/postfix/main.cf`) :

{% highlight config %}
inet_protocols = ipv4
{% endhighlight %}

... and then restart the service :

{% highlight bash %}
systemctl restart postfix.service
{% endhighlight %}

Another IPv6 socket is opened by **OpenSSH-Server**. Let's do the same operation (`/etc/ssh/sshd_config`) :

{% highlight config %}
AddressFamily inet
{% endhighlight %}

{% highlight bash %}
systemctl restart ssh.service
{% endhighlight %}

#### PVEProxy TLS certificate

If you consider administrating your Proxmox instance from the **Web GUI** over an insecure network (as Internet), you really should consider using a signed certificate, to prevent MITM attacks.  
For this, you can follow the official [ACME documentation](https://pve.proxmox.com/wiki/Certificate_Management).

### Conclusion

'hope it helped you !

Here are the references that allow me to perform some tests and write this post :

* [Some hardening example for PVE on public IP](https://forum.proxmox.com/threads/some-hardening-example-for-pve-on-public-ip.16557/)

* [pveproxy(8)](https://pve.proxmox.com/pve-docs/pveproxy.8.html)

> ~~PS : This blog post will be updated (or not) according to the [conclusion of this very old issue](https://forum.proxmox.com/threads/pveproxy-disable-weak-ssl-ciphers.14794/).~~  
> EDIT 2019-03-29 : Updated ! See [here](https://bugzilla.proxmox.com/show_bug.cgi?id=2069) for more information.