110 lines
3.8 KiB
Markdown
110 lines
3.8 KiB
Markdown
---
|
|
title: "Hardening Proxmox, some in one place"
|
|
date: 2019-01-11
|
|
url: hardening-proxmox-some-in-one-place
|
|
layout: post
|
|
category: Security
|
|
image: /img/blog/hardening-proxmox-some-in-one-place.png
|
|
description: "A (potentially wrong) write-up about Proxmox standalone instance optimizations"
|
|
---
|
|
|
|
[![A missing blog post image](/img/blog/hardening-proxmox-some-in-one-place.png)](/img/blog/hardening-proxmox-some-in-one-place.png)
|
|
|
|
### Introduction
|
|
|
|
**Proxmox** is _nothing_ more than a Debian distribution with some additional packages on top of it (including a custom kernel though).
|
|
This allows us to apply some _basic_ GNU/Linux hardening to the system, thus acting as an hyper-visor.
|
|
|
|
During this guide, we'll go through reverse proxy hardening, RPC / NFS deactivation and IPv6 "soft-disabling".
|
|
|
|
:warning: **These blog post procedures DON'T REPLACE PROPER FIREWALL RULES AT ALL.** :warning:
|
|
|
|
### The procedure
|
|
|
|
#### PVEProxy hardening
|
|
|
|
The **PVEProxy** is the component responsible for the Proxmox WEB interface communication.
|
|
It's nothing more that a specific reverse proxy.
|
|
Thus, we can apply _regular_ cryptographic hardening (`/etc/default/pveproxy`) :
|
|
|
|
{% highlight config %}
|
|
CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
|
|
|
|
# For PVE-Manager >= 5.3 only.
|
|
COMPRESSION="0"
|
|
HONOR_CIPHER_ORDER="1"
|
|
{% endhighlight %}
|
|
|
|
We can also apply some access control rules (`/etc/default/pveproxy` too) :
|
|
|
|
{% highlight config %}
|
|
DENY_FROM="all"
|
|
ALLOW_FROM="YOUR.PRIVATE.IP.RANGE/24,YOUR.HOME.IP.ADDRESS"
|
|
POLICY="allow"
|
|
|
|
# For PVE-Manager >= 6.4 only.
|
|
LISTEN_IP="ADMIN.SERVER.IP.ADDRESS"
|
|
{% endhighlight %}
|
|
|
|
#### Disabling RPC / NFS services
|
|
|
|
If your hyper-visor won't need running **NFS** service, it's safe to disable it.
|
|
|
|
From `/etc/default/nfs-common`, set :
|
|
|
|
{% highlight config %}
|
|
NEED_STATD=no
|
|
{% endhighlight %}
|
|
|
|
You can also disable **RPC** services :
|
|
|
|
{% highlight bash %}
|
|
systemctl disable --now rpcbind.service rpcbind.socket
|
|
{% endhighlight %}
|
|
|
|
You only have to `reboot` now, and you will be able to verify the sockets that are listening with `ss -atlnup` :wink:
|
|
|
|
#### IPv6 sockets
|
|
|
|
You don't have any IPv6 address, or don't have a specific need to listen to anything against this protocol ? You can safely disable those sockets.
|
|
|
|
By default, **Postfix** is listening to any protocols, let's disable it (`/etc/postfix/main.cf`) :
|
|
|
|
{% highlight config %}
|
|
inet_protocols = ipv4
|
|
{% endhighlight %}
|
|
|
|
... and then restart the service :
|
|
|
|
{% highlight bash %}
|
|
systemctl restart postfix.service
|
|
{% endhighlight %}
|
|
|
|
Another IPv6 socket is opened by **OpenSSH-Server**. Let's do the same operation (`/etc/ssh/sshd_config`) :
|
|
|
|
{% highlight config %}
|
|
AddressFamily inet
|
|
{% endhighlight %}
|
|
|
|
{% highlight bash %}
|
|
systemctl restart ssh.service
|
|
{% endhighlight %}
|
|
|
|
#### PVEProxy TLS certificate
|
|
|
|
If you consider administrating your Proxmox instance from the **WEB GUI** over an insecure network (as Internet), you really should consider using a signed certificate, to prevent MITM attacks.
|
|
For this, you can follow the official [ACME documentation](https://pve.proxmox.com/wiki/Certificate_Management).
|
|
|
|
### Conclusion
|
|
|
|
'hope it helped you !
|
|
|
|
Here are the references that allow me to perform some tests and write this post :
|
|
|
|
* [Some hardening example for PVE on public IP](https://forum.proxmox.com/threads/some-hardening-example-for-pve-on-public-ip.16557/)
|
|
|
|
* [pveproxy(8)](https://pve.proxmox.com/pve-docs/pveproxy.8.html)
|
|
|
|
> ~~PS : This blog post will be updated (or not) according to the [conclusion of this very old issue](https://forum.proxmox.com/threads/pveproxy-disable-weak-ssl-ciphers.14794/).~~
|
|
> EDIT 2019-03-29 : Updated ! See [here](https://bugzilla.proxmox.com/show_bug.cgi?id=2069) for more information.
|