Proxmox is nothing more than a Debian distribution with some additional packages on top of it (including a custom kernel though).
This allows us to apply some basic GNU/Linux hardening to the system, thus acting as an hyper-visor.
During this guide, we’ll go through reverse proxy hardening, RPC / NFS deactivation and IPv6 “soft-disabling”.
These blog post procedures DON’T REPLACE PROPER FIREWALL RULES AT ALL.
The PVEProxy is the component responsible for the Proxmox WEB interface communication.
It’s nothing more that a specific reverse proxy.
Thus, we can apply regular cryptographic hardening (
We can also apply some access control rules (
/etc/default/pveproxy too) :
Disabling RPC / NFS services
If your hyper-visor won’t need running NFS service, it’s safe to disable it.
/etc/default/nfs-common, set :
You can also disable RPC services :
You only have to
reboot now, and you will be able to verify the sockets that are listening with
You don’t have any IPv6 address, or don’t have a specific need to listen to anything against this protocol ? You can safely disable those sockets.
By default, Postfix is listening to any protocols, let’s disable it (
… and then restart the service :
Another IPv6 socket is opened by OpenSSH-Server. Let’s do the same operation (
PVEProxy TLS certificate
If you consider administrating your Proxmox instance from the WEB GUI over an insecure network (as Internet), you really should consider using a signed certificate, to prevent MITM attacks.
For this, you can follow the official ACME documentation.
‘hope it helped you !
Here are the references that allow me to perform some tests and write this post :
PS : This blog post will be updated (or not) according to the conclusion of this very old issue.