diff --git a/config_files/.screenrc b/config_files/.screenrc index f205a39..26332de 100644 --- a/config_files/.screenrc +++ b/config_files/.screenrc @@ -49,6 +49,7 @@ screen -t tutos_screen vim -n ./tutos/screen.txt screen -t tutos_git vim -n ./tutos/git.txt screen -t tutos_sites vim -n ./tutos/sites.txt screen -t tutos_computer vim -n ./tutos/computer.txt +screen -t tutos_server vim -n ./tutos/server.md chdir $HOME screen diff --git a/tutos/server.md b/tutos/server.md new file mode 100644 index 0000000..f451da5 --- /dev/null +++ b/tutos/server.md 
@@ -0,0 +1,111 @@ + +## how to secure a proxmox server : + +--- + +### 1. Update and Patch Regularly + Ensure that both Debian and Proxmox are always up to date with the latest security patches and updates. + ```sh + apt update && apt upgrade -y + ``` + Consider setting up unattended upgrades for security patches. + +### 2. Secure SSH Access + - **Change the default SSH port** from 22 to a less common port to reduce exposure to automated attacks. + ```sh + sudo nano /etc/ssh/sshd_config + ``` + Change the `Port` setting and restart the SSH service. + - **Disable root login** via SSH. + ```sh + PermitRootLogin no + ``` + - **Use SSH keys** for authentication instead of passwords. + ```sh + # Generate a key pair on your local machine + ssh-keygen + + # Copy the public key to the server + ssh-copy-id user@server_ip + ``` + - **Use Fail2Ban** to prevent brute-force attacks. + ```sh + apt install fail2ban + ``` + Configure Fail2Ban to monitor SSH login attempts. + +### 3. Set Up a Firewall + Use `iptables` or `ufw` to configure a firewall. + - **Install and configure UFW**: + ```sh + apt install ufw + ufw default deny incoming + ufw default allow outgoing + ufw allow ssh + ufw allow 8006/tcp # Proxmox web interface + ufw enable + ``` + +### 4. Secure the Proxmox Web Interface + - **Use HTTPS**: Ensure that the Proxmox web interface uses HTTPS. Proxmox generates a self-signed certificate by default, but you can replace it with a certificate from a trusted CA. + ```sh + apt install certbot + certbot certonly --standalone -d your_domain + ``` + - **Restrict access** to the web interface to specific IP addresses. + ```sh + ufw allow from your_ip to any port 8006 + ``` + +### 5. Enable Two-Factor Authentication (2FA) + - Log in to the Proxmox web interface. + - Navigate to `Datacenter -> Permissions -> Realms`. + - Edit your realm (usually `pam`) and enable Two-Factor Authentication. + +### 6. 
Monitor and Log + - **Install monitoring tools** like `Zabbix`, `Prometheus`, or `Nagios`. + - **Configure logging** and log monitoring. + ```sh + apt install rsyslog + ``` + Ensure rsyslog is properly configured to log system events and monitor these logs for suspicious activity. + +### 7. Limit User Privileges + - Create user accounts with the minimum necessary privileges. + - Use Proxmox’s role-based access control (RBAC) to manage user permissions. + +### 8. Disable Unnecessary Services + - Identify and disable any unnecessary services to reduce the attack surface. + ```sh + systemctl list-unit-files | grep enabled + systemctl disable + ``` + +### 9. Regular Backups + - Regularly back up your Proxmox configuration and VMs. + - Ensure backups are stored securely and can be restored quickly in case of an incident. + +### 10. Intrusion Detection System (IDS) + - Install and configure an IDS like `Snort` or `OSSEC`. + ```sh + apt install snort + ``` + Configure Snort to monitor network traffic for suspicious activities. + +### 11. Secure NTP Configuration + - Ensure accurate timekeeping with NTP or chrony, but secure it to prevent exploitation. + ```sh + apt install ntp + ``` + Edit the configuration to restrict access. + +### 12. Physical Security + - Ensure the physical security of your server hardware. + - Use BIOS/UEFI passwords and ensure only authorized personnel have access. + +### 13. Disable IPv6 (if not needed) + - If your network does not use IPv6, disable it to reduce the attack surface. + ```sh + echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf + sysctl -p + ```
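Review bot: in the config_files/.screenrc hunk, the added `screen -t tutos_server vim -n ./tutos/server.md` line is the only tutos window that opens a `.md` file, while the neighbouring entries (`screen.txt`, `git.txt`, `sites.txt`, `computer.txt`) all use `.txt`. Either name the new file `server.txt` to match, or state in the commit message that the mixed extensions are intended.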
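Review bot: in tutos/server.md, section 3's `ufw allow ssh` conflicts with section 2's advice to move SSH off port 22. The `ssh` service name opens 22/tcp, so a reader who changed `Port` and then runs `ufw enable` on top of `ufw default deny incoming` loses remote access. Suggest allowing the chosen port explicitly (a placeholder such as `ufw allow <new_port>/tcp`) and saying so in the text. In section 4, `ufw allow from your_ip to any port 8006` restricts nothing while section 3's `ufw allow 8006/tcp` is still in place, so the guide should tell the reader to delete the broad rule first. Section 2 also shows `PermitRootLogin no` inside a `sh` fence although it is an sshd_config directive rather than a command, and it never tells the reader to turn off password authentication once the keys are installed. Section 8's `systemctl disable` is given without a unit name, and section 13 appends to /etc/sysctl.conf with `>>`, which duplicates the line each time the step is rerun.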