Proxmox 8 Hardening: From Default Install to Production-Ready

Running Proxmox in your homelab or small-scale production environment is great until you realize how many attack surfaces and security holes are exposed by default. The out-of-the-box setup, while functional, leaves a lot of room for improvement when it comes to securing your infrastructure. This deep dive will guide you through the essential steps needed to harden Proxmox 8 from its initial state into a more secure configuration.

Secure Your Initial Setup

The first step is to ensure that everything in your initial setup is locked down properly. Start by disabling unnecessary services and ensuring only required network ports are open.

Disable Unnecessary Services

Proxmox comes with several services pre-installed, but not all of them are necessary for a typical homelab or small-scale deployment. For example, you can disable the vzdump service if you're managing backups through another method: 
systemctl stop vzdump
systemctl disable vzdump

You should also evaluate other services like pve-ha-crm, corosync, and pve-cluster. If these are not needed, they can be safely disabled to reduce the attack surface.

Secure SSH Configuration

SSH is a critical service for accessing your Proxmox node. By default, it allows root login and uses port 22. Change these defaults:

1. Change SSH Port: Modify /etc/ssh/sshd_config to use a non-standard port (e.g., Port 2200).

   # Edit the config file
   vi /etc/ssh/sshd_config
   
   # Add or modify the following line:
   Port 2200
   
   # Restart SSH service
   systemctl restart sshd

2. Disable Root Login: Prevent root login via SSH to avoid brute-force attacks on your primary account.

   vi /etc/ssh/sshd_config
   
   # Add or modify the following line:
   PermitRootLogin no
   
   # Restart SSH service
   systemctl restart sshd

Secure Web Interface Access

The Proxmox web interface is another critical component that needs to be secured. By default, it listens on port 8006 and can be accessed by any user with a valid account.

Enable HTTPS for the Web UI

To secure communication between your browser and the Proxmox web interface, enable HTTPS:

1. Install Certbot: Use Let's Encrypt to get free SSL certificates.

   apt update && apt install certbot -y
   
   # Obtain a certificate (replace with your domain)
   certbot certonly --standalone -d example.com

2. Configure HTTPS in Proxmox:

Edit /etc/pve/httpd.conf to include SSL settings.

   vi /etc/pve/httpd.conf
   
   # Add the following lines at the end of the file:
   <VirtualHost _default_:80>
       ServerName example.com
       RewriteEngine On
       RewriteRule ^(.)$ https://%{HTTP_HOST}$1 [L,R=301]
   </VirtualHost>

<VirtualHost _default_:443>
       DocumentRoot /usr/share/pve-manager/
       SSLEngine on
       SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
       SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
       # ... (other existing configurations)
   </VirtualHost>
   
   # Restart Proxmox web interface
   systemctl restart pveproxy

Restrict Access via IP Whitelisting

Limit access to the web UI from specific IP addresses by editing /etc/pam.d/proxweb: 
vi /etc/pam.d/proxweb

Add the following line at the top:

auth       required     pam_access.so

Edit /etc/security/access.conf and add:

+ : ALL : 192.168.0.0/24

  • : ALL : ALL
    •

Secure Storage and Backups

Storage security is crucial for maintaining data integrity. Proxmox offers various storage types, but LVM or ZFS are generally more secure due to their snapshotting capabilities.

Enable Transparent Data Encryption (TDE)

Encrypt your storage volumes using dm-crypt:

1. Create an Encrypted Volume:

   cryptsetup luksFormat /dev/sdb1
   
   cryptsetup open /dev/sdb1 my_encrypted_volume

2. Add to LVM:

   pvcreate /dev/mapper/my_encrypted_volume
   vgcreate proxmox_vg /dev/mapper/my_encrypted_volume
   lvcreate -L 50G -n vm_storage proxmox_vg
   
   # Format and mount the volume
   mkfs.ext4 /dev/proxmox_vg/vm_storage
   mkdir /mnt/vm_storage
   mount /dev/proxmox_vg/vm_storage /mnt/vm_storage

Automate Backups with Secure Storage

Ensure backups are encrypted and stored securely. Use vzdump for VM snapshots: 
# Example backup script
#!/bin/bash

VZDUMP_OPTIONS="--mode stop --compress lzo --stdout"
BACKUP_DIR="/mnt/backup"
DATE=$(date +"%Y%m%d")


for vm in $(qm list | awk '{print $1}' | tail -n +2); do
    vzdump $vm $VZDUMP_OPTIONS > "${BACKUP_DIR}/proxmox-vm${vm}-${DATE}.tar.lzo"
done


Encrypt backups

cd $BACKUP_DIR
gpg --symmetric --cipher-algo AES256 .tar.lzo

Bottom Line

Securing Proxmox 8 from its default configuration is crucial to protect your homelab or small-scale infrastructure. By disabling unnecessary services, securing SSH and the web interface, enabling encryption for storage, and automating secure backups, you can significantly reduce potential attack surfaces and enhance overall security. While these steps are essential, ongoing vigilance and regular updates are also key components of maintaining a robust and secure environment.

Remember, security is an ever-evolving field. Stay informed about new vulnerabilities and best practices to keep your setup as secure as possible.