huhuhu_config/tutos/server.md
2024-06-12 15:27:53 +02:00

## How to secure a Proxmox server
---
### 1. Update and Patch Regularly
Ensure that both Debian and Proxmox are always up to date with the latest security patches and updates.
```sh
apt update && apt upgrade -y
```
Consider setting up unattended upgrades for security patches.
### 2. Secure SSH Access
- **Change the default SSH port** from 22 to a less common port to reduce exposure to automated attacks.
```sh
sudo nano /etc/ssh/sshd_config
```
Change the `Port` setting and restart the SSH service.
- **Disable root login** via SSH.
```sh
# in /etc/ssh/sshd_config
PermitRootLogin no
```
- **Use SSH keys** for authentication instead of passwords.
```sh
# Generate a key pair on your local machine
ssh-keygen
# Copy the public key to the server
ssh-copy-id user@server_ip
```
- **Use Fail2Ban** to prevent brute-force attacks.
```sh
apt install fail2ban
```
Configure Fail2Ban to monitor SSH login attempts.
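
To check that the SSH settings from this section are the ones `sshd` will actually use, here is an added example (not part of the original tutorial). The function names, the constructed sample config, and the check for `PasswordAuthentication no` (implied by "keys instead of passwords") are assumptions.

```sh
# Added example: audit an sshd_config against the settings in this section.
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and global settings stop at the first "Match" block.

# effective_value FILE KEYWORD DEFAULT: print the global value sshd would use.
effective_value() {
    awk -F'[ \t=]+' -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key); val = def }
        {
            sub(/^[ \t]+/, "")                      # drop indentation
            if ($0 == "" || $0 ~ /^#/) next         # blank line or comment
            k = tolower($1)
            if (k == "match") exit                  # conditional section starts
            if (k == key) { val = $2; exit }        # first occurrence wins
        }
        END { print val }
    ' "$1"
}

# audit_sshd FILE: print findings, return 1 if any check fails.
# Fallbacks are upstream OpenSSH defaults (assumption; distro builds may differ).
audit_sshd() {
    f=$1; rc=0
    port=$(effective_value "$f" Port 22)
    root=$(effective_value "$f" PermitRootLogin prohibit-password)
    pass=$(effective_value "$f" PasswordAuthentication yes)
    [ "$port" != 22 ] || { echo "FAIL Port is still 22"; rc=1; }
    [ "$root" = no ]  || { echo "FAIL PermitRootLogin=$root (want no)"; rc=1; }
    [ "$pass" = no ]  || { echo "FAIL PasswordAuthentication=$pass (want no)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK port=$port root=$root password=$pass"
    return "$rc"
}

# Constructed sample: "PermitRootLogin no" was appended below an earlier "yes".
write_sample() {
    cat <<'EOF'
#Port 22
port 2222
PermitRootLogin yes
PasswordAuthentication=no
PermitRootLogin no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF
}
tmp=$(mktemp) && write_sample > "$tmp"
audit_sshd "$tmp" || echo "sample config needs fixing"
rm -f "$tmp"
```

Files pulled in by an `Include` directive are not followed; on a live host, `sshd -T` prints the effective configuration.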
### 3. Set Up a Firewall
Use `iptables` or `ufw` to configure a firewall.
- **Install and configure UFW**:
```sh
apt install ufw
ufw default deny incoming
ufw default allow outgoing
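# "ssh" means 22/tcp; if you changed the SSH port in step 2,
# allow that port instead (ufw allow <port>/tcp) before enabling ufw
ufw allow ssh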
ufw allow 8006/tcp # Proxmox web interface
ufw enable
```
### 4. Secure the Proxmox Web Interface
- **Use HTTPS**: Ensure that the Proxmox web interface uses HTTPS. Proxmox generates a self-signed certificate by default, but you can replace it with a certificate from a trusted CA.
```sh
apt install certbot
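# --standalone answers the HTTP-01 challenge itself, so inbound TCP 80
# must be reachable while it runs (the firewall from step 3 blocks it)
certbot certonly --standalone -d your_domain
# certbot only obtains the certificate; it still has to be installed
# as the certificate of the Proxmox web interface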
```
- **Restrict access** to the web interface to specific IP addresses.
```sh
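# remove the open rule from step 3 first, otherwise port 8006
# stays reachable from any address
ufw delete allow 8006/tcp
ufw allow from your_ip to any port 8006 proto tcp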
```
### 5. Enable Two-Factor Authentication (2FA)
- Log in to the Proxmox web interface.
- Navigate to `Datacenter -> Permissions -> Realms`.
- Edit your realm (usually `pam`) and enable Two-Factor Authentication.
### 6. Monitor and Log
- **Install monitoring tools** like `Zabbix`, `Prometheus`, or `Nagios`.
- **Configure logging** and log monitoring.
```sh
apt install rsyslog
```
Ensure rsyslog is properly configured to log system events and monitor these logs for suspicious activity.
### 7. Limit User Privileges
- Create user accounts with the minimum necessary privileges.
- Use Proxmox's role-based access control (RBAC) to manage user permissions.
### 8. Disable Unnecessary Services
- Identify and disable any unnecessary services to reduce the attack surface.
```sh
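# list only the units that are enabled at boot
systemctl list-unit-files --state=enabled
# --now also stops the running service instead of waiting for a reboot
systemctl disable --now <service_name>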
```
### 9. Regular Backups
- Regularly back up your Proxmox configuration and VMs.
- Ensure backups are stored securely and can be restored quickly in case of an incident.
### 10. Intrusion Detection System (IDS)
- Install and configure an IDS like `Snort` or `OSSEC`.
```sh
apt install snort
```
Configure Snort to monitor network traffic for suspicious activities.
### 11. Secure NTP Configuration
- Ensure accurate timekeeping with NTP or chrony, but secure it to prevent exploitation.
```sh
apt install ntp
```
Edit the configuration to restrict access.
### 12. Physical Security
- Ensure the physical security of your server hardware.
- Use BIOS/UEFI passwords and ensure only authorized personnel have access.
### 13. Disable IPv6 (if not needed)
- If your network does not use IPv6, disable it to reduce the attack surface.
```sh
echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
sysctl -p
```