A missing blog post image


Proxmox is nothing more than a Debian distribution with some additional packages on top of it (including a custom kernel though).
This allows us to apply some basic GNU/Linux hardening to the system, thus acting as an hyper-visor.

During this guide, we’ll go through reverse proxy hardening, RPC / NFS deactivation and IPv6 “soft-disabling”.

:warning: These blog post procedures DON’T REPLACE PROPER FIREWALL RULES AT ALL. :warning:

The procedure

PVEProxy hardening

The PVEProxy is the component responsible for the Proxmox WEB interface communication.
It’s nothing more that a specific reverse proxy.
Thus, we can apply regular cryptographic hardening (/etc/default/pveproxy) :


We can also apply some access control rules (/etc/default/pveproxy too) :


Disabling RPC / NFS services

If your hyper-visor won’t need running NFS service, it’s safe to disable it.

From /etc/default/nfs-common, set :


You can also disable RPC services :

systemctl disable --now rpcbind.service rpcbind.socket

You only have to reboot now, and you will be able to verify the sockets that are listening with ss -atlnup :wink:

IPv6 sockets

You don’t have any IPv6 address, or don’t have a specific need to listen to anything against this protocol ? You can safely disable those sockets.

By default, Postfix is listening to any protocols, let’s disable it (/etc/postfix/main.cf) :

inet_protocols = ipv4

… and then restart the service :

systemctl restart postfix.service

Another IPv6 socket is opened by OpenSSH-Server. Let’s do the same operation (/etc/ssh/sshd_config) :

AddressFamily inet
systemctl restart ssh.service

PVEProxy TLS certificate

If you consider administrating your Proxmox instance from the WEB GUI over an insecure network (as Internet), you really should consider using a signed certificate, to prevent MITM attacks.
For this, you can follow the official ACME documentation.


‘hope it helped you !

Here are the references that allow me to perform some tests and write this post :

PS : This blog post will be updated (or not) according to the conclusion of this very old issue.