A missing blog post image

Introduction

Proxmox is nothing more than a Debian distribution with some additional packages on top of it (including a custom kernel though).
This allows us to apply some basic GNU/Linux hardening to the system, thus acting as an hyper-visor.

During this guide, we’ll go through reverse proxy hardening, RPC / NFS deactivation and IPv6 “soft-disabling”.

:warning: These blog post procedures DON’T REPLACE PROPER FIREWALL RULES AT ALL. :warning:

The procedure

PVEProxy hardening

The PVEProxy is the component responsible for the Proxmox WEB interface communication.
It’s nothing more that a specific reverse proxy.
Thus, we can apply regular cryptographic hardening (/etc/default/pveproxy) :

CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"

# For PVE-Manager >= 5.3 only.
COMPRESSION="0"
HONOR_CIPHER_ORDER="1"

We can also apply some access control rules (/etc/default/pveproxy too) :

DENY_FROM="all"
ALLOW_FROM="YOUR.PRIVATE.IP.RANGE/24,YOUR.HOME.IP.ADDRESS"
POLICY="allow"

Disabling RPC / NFS services

If your hyper-visor won’t need running NFS service, it’s safe to disable it.

From /etc/default/nfs-common, set :

NEED_STATD=no

You can also disable RPC services :

systemctl disable --now rpcbind.service rpcbind.socket

You only have to reboot now, and you will be able to verify the sockets that are listening with ss -atlnup :wink:

IPv6 sockets

You don’t have any IPv6 address, or don’t have a specific need to listen to anything against this protocol ? You can safely disable those sockets.

By default, Postfix is listening to any protocols, let’s disable it (/etc/postfix/main.cf) :

inet_protocols = ipv4

… and then restart the service :

systemctl restart postfix.service

Another IPv6 socket is opened by OpenSSH-Server. Let’s do the same operation (/etc/ssh/sshd_config) :

AddressFamily inet
systemctl restart ssh.service

PVEProxy TLS certificate

If you consider administrating your Proxmox instance from the WEB GUI over an insecure network (as Internet), you really should consider using a signed certificate, to prevent MITM attacks.
For this, you can follow the official ACME documentation.

Conclusion

‘hope it helped you !

Here are the references that allow me to perform some tests and write this post :

PS : This blog post will be updated (or not) according to the conclusion of this very old issue.
EDIT 2019-03-29 : Updated ! See here for more information.