Proxmox VE4 ships with basic security. The GUI operates with a mandatory password-protected (sic) root (sic) login, which also happens to be the root password of the box itself (holy cow), and the box starts an SSH daemon that accepts good old root/password auth. Groovy!
Of course you could live with this if the server lives on a DMZ on your intranet, but if you set up Proxmox with a public IP address, you should do some basic security tuning.
A default install of Proxmox VE4 listens on multiple ports, some on localhost only, some globally.
```
root@proxmox:~# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      7091/rpcbind
tcp        0      0 127.0.0.1:85            0.0.0.0:*               LISTEN      23429/pvedaemon wor
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1857/sshd
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN      8763/spiceproxy
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2092/master
tcp        0      0 0.0.0.0:40481           0.0.0.0:*               LISTEN      7458/rpc.statd
tcp        0      0 127.0.0.1:17123         0.0.0.0:*               LISTEN      25656/python
tcp        0      0 0.0.0.0:35876           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8006            0.0.0.0:*               LISTEN      3392/pveproxy worke
tcp6       0      0 :::36686                :::*                    LISTEN      -
tcp6       0      0 :::111                  :::*                    LISTEN      7091/rpcbind
tcp6       0      0 :::22                   :::*                    LISTEN      1857/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      2092/master
tcp6       0      0 :::59391                :::*                    LISTEN      7458/rpc.statd
```
None of this is really life-threatening; the worst of them is probably rpc.statd, along with the fact that a lot of services, like the SSH daemon, listen on both IPv4 and IPv6. I’m not saying IPv6 is bad: I’m just underlining the fact that it’s there, it listens, and it will be accessible worldwide if your server has an active IPv6 address. So you have to firewall that correctly as well.
If you install Proxmox with OVH as a hosting provider (using their Proxmox install images), they add a local BIND server listening on all interfaces. Although it doesn’t reply recursively, this should be fixed as well.
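To pick the globally reachable listeners out of a `netstat -tnlp` listing like the one above, the following added example (not part of the original post) filters for sockets bound to `0.0.0.0` or `::` and marks anything outside an allowlist for review. The function names and the `ALLOWED_PORTS` value are assumptions; the allowlist holds the two ports this post opens in the firewall.

```shell
#!/bin/sh
# Added example: flag TCP listeners that are bound to all interfaces.
# ALLOWED_PORTS is an assumption: the two ports the post keeps open.
ALLOWED_PORTS="22 8006"

# Constructed sample: a subset of the netstat output shown in the post.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp  0 0 0.0.0.0:111   0.0.0.0:* LISTEN 7091/rpcbind
tcp  0 0 127.0.0.1:85  0.0.0.0:* LISTEN 23429/pvedaemon wor
tcp  0 0 0.0.0.0:22    0.0.0.0:* LISTEN 1857/sshd
tcp  0 0 0.0.0.0:3128  0.0.0.0:* LISTEN 8763/spiceproxy
tcp  0 0 127.0.0.1:25  0.0.0.0:* LISTEN 2092/master
tcp  0 0 0.0.0.0:40481 0.0.0.0:* LISTEN 7458/rpc.statd
tcp  0 0 0.0.0.0:8006  0.0.0.0:* LISTEN 3392/pveproxy worke
tcp6 0 0 :::36686      :::*      LISTEN -
tcp6 0 0 :::22         :::*      LISTEN 1857/sshd
tcp6 0 0 ::1:25        :::*      LISTEN 2092/master
tcp6 0 0 :::59391      :::*      LISTEN 7458/rpc.statd
EOF
}

# Reads `netstat -tnlp` output on stdin and prints one line per listener
# bound to a wildcard address: <proto> <port> <program> <EXPECTED|REVIEW>
exposed_listeners() {
  awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
      addr = $4
      port = addr; sub(/^.*:/, "", port)          # text after the last colon
      host = substr(addr, 1, length(addr) - length(port) - 1)
      if (host != "0.0.0.0" && host != "::") next # loopback or specific bind
      prog = $7; sub(/^[0-9]+\//, "", prog)       # drop the PID; "-" is kept
      print $1, port, prog, ((port in ok) ? "EXPECTED" : "REVIEW")
    }'
}

# On a live host, run as root: netstat -tnlp | exposed_listeners
sample_netstat | exposed_listeners
```

Every `REVIEW` line is a service that either needs a firewall rule or should be rebound to localhost; the `tcp6` lines are the ones an IPv4-only rule set will not cover.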
Activate the firewall
Proxmox VE4 comes with a fine (iptables-based) firewall that is deactivated by default.
I suggest activating the firewall. PVE’s doc doesn’t really help, as usual, so here’s how to do it:
First of all, create rules that will prevent you from locking yourself out. I chose to add the rules in the “datacenter” tab, but you could do it in “Node” as well. Don’t forget to add a destination IP (your GUI’s IP). Open ports 22 and 8006 tcp. Check “enable” on both.
Then go to the options “sub tab” (the tabs below the rules), and activate:
- default policy to “drop”
- and set firewall to “on”.
If you’re afraid of losing control of your server, add something that flushes iptables in the crontab 🙂
Of course these are basic rules, as we’ve just opened again the same ports.
You should refine the rules and limit ports 8006 and 22 to your own IP ranges. (I’ve activated ICMP very broadly, you should refine this too.) You could also create a VPN between you and the Proxmox server to get rid of that listening port once and for all.
Now that the firewall is activated at “datacenter” level, you can also use it on your guests (VMs). This is especially useful in bridged mode, which is the default.
Note that these basic (IPv4) rules also break IPv6/ICMPv6, so they probably break IPv6.
Take some time to fix:
- The rpc/statd configuration should be edited (/etc/default/*)
- The SSH configuration (disable password auth, make it listen on IPv4 only, etc.)
- On OVH’s Proxmox releases, the BIND configuration should be fixed so that it listens on localhost only.
Please keep in mind that Proxmox relies on password authentication on SSH for some cluster operations (adding cluster nodes especially).