huhuhu_config/tutos/server.md
2024-06-12 15:27:53 +02:00


How to secure a Proxmox server:


1. Update and Patch Regularly

Ensure that both Debian and Proxmox are always up to date with the latest security patches and updates.
```sh
# On Proxmox use a full upgrade; plain `apt upgrade` can hold back packages
apt update && apt full-upgrade -y
```
Consider setting up unattended upgrades for security patches.

2. Secure SSH Access

- **Change the default SSH port** from 22 to a less common port to reduce exposure to automated attacks.
```sh
sudo nano /etc/ssh/sshd_config
```
Change the `Port` setting and restart the SSH service.
- **Disable root login** via SSH.
```sh
# Directive to set in /etc/ssh/sshd_config (not a shell command)
PermitRootLogin no
```
- **Use SSH keys** for authentication instead of passwords.
```sh
# Generate a key pair on your local machine
ssh-keygen

# Copy the public key to the server
ssh-copy-id user@server_ip
```
- **Use Fail2Ban** to prevent brute-force attacks.
```sh
apt install fail2ban
```
Configure Fail2Ban to monitor SSH login attempts.
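
The three sshd settings from this section (port, root login, key-only authentication) can be checked mechanically. The script below is an added example, not part of the original tutorial; the function names, the sample configs and port 2222 are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit sshd settings against the section 2 hardening steps.
# Reads sshd_config-style text on stdin; `sshd -T` output works as well.
# Assumptions: "Keyword value" form only; Include files and Match blocks
# are not resolved (sshd -T output already has Include files applied).
audit_sshd() {
    awk '
        BEGIN {
            # OpenSSH defaults, used when a keyword is absent.
            root = "prohibit-password"; pass = "yes"; nports = 0; p22 = 0
        }
        /^[ \t]*#/ || NF == 0 { next }       # comments and blank lines
        { key = tolower($1); v = tolower($2) }
        key == "match" { exit }              # global section ends here
        key == "port" { nports++; if (v == "22") p22 = 1 }   # may repeat
        # For the other keywords the first value in the file wins.
        key == "permitrootlogin" && !sr { root = v; sr = 1 }
        key == "passwordauthentication" && !sp { pass = v; sp = 1 }
        END {
            bad = 0
            if (nports == 0 || p22) { print "WEAK Port 22 in use"; bad++ }
            if (root != "no") { print "WEAK PermitRootLogin " root; bad++ }
            if (pass != "no") { print "WEAK PasswordAuthentication " pass; bad++ }
            if (bad == 0) print "OK all three settings hardened"
            exit (bad > 0)
        }
    '
}

# Constructed sample: stock-like config, nothing hardened.
sample_default() {
    cat <<'EOF'
# Port 22
PermitRootLogin yes
#PasswordAuthentication yes
EOF
}

# Constructed sample: port 2222 is an arbitrary illustrative value.
# The trailing "permitrootlogin yes" is ignored because the first value wins.
sample_hardened() {
    cat <<'EOF'
port 2222
PermitRootLogin no
PasswordAuthentication no
permitrootlogin yes
EOF
}

sample_default | audit_sshd || true
sample_hardened | audit_sshd
```

On the server itself, run `sshd -T | audit_sshd` as root so that settings pulled in through `Include` are taken into account.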

3. Set Up a Firewall

Use `iptables` or `ufw` to configure a firewall.
- **Install and configure UFW**:
```sh
apt install ufw
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh  # opens port 22 only; if you changed the SSH port in step 2, allow that port instead
ufw allow 8006/tcp  # Proxmox web interface
ufw enable
```

4. Secure the Proxmox Web Interface

- **Use HTTPS**: Ensure that the Proxmox web interface uses HTTPS. Proxmox generates a self-signed certificate by default, but you can replace it with a certificate from a trusted CA.
```sh
apt install certbot
# --standalone needs inbound port 80 reachable while the certificate is issued
certbot certonly --standalone -d your_domain
```
- **Restrict access** to the web interface to specific IP addresses.
```sh
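# Remove the open rule from step 3 first, otherwise port 8006 stays reachable from anywhere
ufw delete allow 8006/tcp
ufw allow from your_ip to any port 8006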
```

5. Enable Two-Factor Authentication (2FA)

- Log in to the Proxmox web interface.
- Navigate to `Datacenter -> Permissions -> Realms`.
- Edit your realm (usually `pam`) and enable Two-Factor Authentication.

6. Monitor and Log

- **Install monitoring tools** like `Zabbix`, `Prometheus`, or `Nagios`.
- **Configure logging** and log monitoring.
```sh
apt install rsyslog
```
Ensure rsyslog is properly configured to log system events and monitor these logs for suspicious activity.

7. Limit User Privileges

- Create user accounts with the minimum necessary privileges.
- Use Proxmox's role-based access control (RBAC) to manage user permissions.

8. Disable Unnecessary Services

- Identify and disable any unnecessary services to reduce the attack surface.
```sh
systemctl list-unit-files | grep enabled
systemctl disable <service_name>
```

9. Regular Backups

- Regularly back up your Proxmox configuration and VMs.
- Ensure backups are stored securely and can be restored quickly in case of an incident.

10. Intrusion Detection System (IDS)

- Install and configure an IDS like `Snort` or `OSSEC`.
```sh
apt install snort
```
Configure Snort to monitor network traffic for suspicious activities.

11. Secure NTP Configuration

- Ensure accurate timekeeping with NTP or chrony, but secure it to prevent exploitation.
```sh
apt install ntp
```
Edit the configuration to restrict access.

12. Physical Security

- Ensure the physical security of your server hardware.
- Use BIOS/UEFI passwords and ensure only authorized personnel have access.

13. Disable IPv6 (if not needed)

- If your network does not use IPv6, disable it to reduce the attack surface.
```sh
echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
sysctl -p
```