Activate Firewall on Proxmox VE4

Proxmox VE4 is shipped with basic security. Your GUI operates with a mandatory password protected (sic) root (sic) login, that also happens to be the root password of the box itself (holy cow) and starts an SSH daemon that accepts good old root/password auth. Groovy!

Of course you could live with this if the server lives in a DMZ on your intranet, but if you set up Proxmox with a public IP address, you should do some basic security tuning.

A default install of Proxmox VE4 listens on multiple ports, some on localhost only, some globally.

root@proxmox:~# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 7091/rpcbind 
tcp 0 0 127.0.0.1:85 0.0.0.0:* LISTEN 23429/pvedaemon wor
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1857/sshd 
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN 8763/spiceproxy 
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2092/master 
tcp 0 0 0.0.0.0:40481 0.0.0.0:* LISTEN 7458/rpc.statd 
tcp 0 0 127.0.0.1:17123 0.0.0.0:* LISTEN 25656/python 
tcp 0 0 0.0.0.0:35876 0.0.0.0:* LISTEN - 
tcp 0 0 0.0.0.0:8006 0.0.0.0:* LISTEN 3392/pveproxy worke
tcp6 0 0 :::36686 :::* LISTEN - 
tcp6 0 0 :::111 :::* LISTEN 7091/rpcbind 
tcp6 0 0 :::22 :::* LISTEN 1857/sshd 
tcp6 0 0 ::1:25 :::* LISTEN 2092/master 
tcp6 0 0 :::59391 :::* LISTEN 7458/rpc.statd

None of this is really life threatening; the worst of them is probably rpc.statd, and also the fact that a lot of things listen on both IPv4 and IPv6, like the SSH daemon. I’m not saying IPv6 is bad: I’m just underlining the fact that it’s there, it listens, and it will be accessible worldwide if your server has an active IPv6 address. So you have to firewall that correctly as well.

If you install Proxmox with OVH as a hosting provider (using their Proxmox install images), they add a local BIND server that listens on all interfaces; although it doesn’t answer recursive queries, this should be fixed as well.

Activate the firewall

Proxmox VE4 comes with a fine (iptables based) firewall that is deactivated by default.

I suggest activating the firewall. PVE’s doc doesn’t really help, as usual, so here’s how to do it:

First of all, create rules that will prevent you from locking yourself out. I chose to add the rules in the “Datacenter” tab, but you could do it in “Node” as well. Don’t forget to add a destination IP (your GUI’s IP). Open TCP ports 22 and 8006. Check “enable” on both.


Then go to the “Options” sub-tab (the tabs below the rules), and:

  • set the default policy to “drop”
  • set firewall to “on”.

If you’re afraid of losing control of your server, add something to the crontab that flushes iptables 🙂


Of course these are basic rules, since we have just reopened the same ports.

You should refine the rules and limit ports 8006 and 22 to your own IP ranges. (I’ve activated ICMP very broadly; you should refine this too.) You could also set up a VPN between you and the Proxmox server to get rid of that listening port once and for all.

Now that the firewall is activated at “datacenter” level, you can also use it on your guests (VMs). This is especially useful in bridged mode, which is the default.

Note that these basic (IPv4) rules also block ICMPv6, so they probably break IPv6.

Take some time to fix:

  1. The rpcbind/rpc.statd configuration should be edited (/etc/default/*).
  2. The SSH configuration: disable password auth, make it listen on IPv4 only, etc.
  3. On OVH’s Proxmox releases, the BIND configuration should be fixed so that it listens on localhost only.

Please keep in mind that Proxmox relies on password authentication on SSH for some cluster operations (adding cluster nodes especially).

3 thoughts on “Activate Firewall on Proxmox VE4”

  • As far as I know, all the firewall changes are done live and do not require a restart.

    HOWEVER there was a bug recently, after upgrading proxmox with a routine dist-upgrade the firewall rules were broken – and backups/snapshots were impossible to take anymore (!) – and a restart of the entire infrastructure was needed.
