This commit is contained in:
MacRimi 2025-03-02 17:08:28 +01:00
parent c1a604cc0e
commit 633de9bd15

@ -71,53 +71,75 @@ systemctl stop rpcbind
`} `}
/> />
<h3 className="text-xl font-semibold mt-16 mb-4 flex items-center"> <h3 className="text-xl font-semibold mt-16 mb-4 flex items-center">
<StepNumber number={2} /> <StepNumber number={2} />
Install Lynis Security Tool Install Lynis Security Tool
</h3> </h3>
<p className="mb-4"> <p className="mb-4">
This optimization installs Lynis, a powerful security auditing tool for Unix-based systems. Lynis is a comprehensive security auditing tool that analyzes your system, detects vulnerabilities, and provides recommendations for improving security.
</p> </p>
<p className="mb-4"> <p className="mb-4">
<strong>Why it's beneficial:</strong> Lynis helps identify security vulnerabilities, configuration errors, and <strong>How it works:</strong> Lynis scans the system and evaluates various security parameters, including:
provides recommendations for system hardening. Regular security audits with Lynis can significantly improve your
system's overall security posture.
</p> </p>
<p className="text-lg mb-2">This adjustment automates the following commands:</p> <ul className="list-disc pl-5 mb-4">
<li>Kernel security and system settings</li>
<li>Authentication policies (SSH, user passwords, etc.)</li>
<li>Network configurations and firewall rules</li>
<li>File permissions and system integrity</li>
<li>Malware detection and system hardening suggestions</li>
</ul>
<p className="text-lg mb-2">This adjustment automates the following command:</p>
<CopyableCode <CopyableCode
code={` code={`
# Install Lynis # Install Lynis
apt-get -y install lynis apt-get -y install lynis
`} `}
/> />
<p className="text-lg mt-4">To run a system security audit, execute:</p>
<CopyableCode
code={`
# Perform a full security audit
lynis audit system
`}
/>
<h3 className="text-xl font-semibold mt-16 mb-4 flex items-center"> <h3 className="text-xl font-semibold mt-16 mb-4 flex items-center">
<StepNumber number={3} /> <StepNumber number={3} />
Protect Web Interface with fail2ban Protect Web Interface with Fail2Ban
</h3> </h3>
<p className="mb-4"> <p className="mb-4">
This optimization installs and configures fail2ban to protect the Proxmox VE web interface from brute-force Fail2Ban enhances security by monitoring login attempts and banning malicious IPs that attempt unauthorized access.
attacks.
</p> </p>
<p className="mb-4"> <p className="mb-4">
<strong>Why it's beneficial:</strong> fail2ban helps prevent unauthorized access attempts by temporarily banning <strong>How it works:</strong> Fail2Ban analyzes logs, detects repeated authentication failures, and automatically bans the source IP address to prevent further attacks.
IP addresses that show malicious signs, such as too many password failures. This adds an extra layer of security
to your Proxmox VE web interface.
</p> </p>
<ul className="list-disc pl-5 mb-4">
<li>Protects the Proxmox VE web interface from brute-force attacks</li>
<li>Prevents unauthorized SSH access by banning repeated failed login attempts</li>
<li>Automatically blocks malicious IPs to reduce attack vectors</li>
</ul>
<p className="text-lg mb-2">This adjustment automates the following commands:</p> <p className="text-lg mb-2">This adjustment automates the following commands:</p>
<CopyableCode <CopyableCode
code={` code={`
# Install fail2ban # Install Fail2Ban
apt-get -y install fail2ban apt-get -y install fail2ban
# Configure Proxmox filter # Configure Proxmox filter to detect failed logins
cat <<EOF > /etc/fail2ban/filter.d/proxmox.conf cat <<EOF > /etc/fail2ban/filter.d/proxmox.conf
[Definition] [Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.* failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex = ignoreregex =
EOF EOF
`}
/>
# Configure Proxmox jail <p className="text-lg mt-4">Define security rules for Proxmox:</p>
<CopyableCode
code={`
# Create a jail configuration for Proxmox
cat <<EOF > /etc/fail2ban/jail.d/proxmox.conf cat <<EOF > /etc/fail2ban/jail.d/proxmox.conf
[proxmox] [proxmox]
enabled = true enabled = true
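Review bot: the failregex line in the filter block sits inside a CopyableCode template literal with a single backslash (`pvedaemon\[.*authentication failure; ...`), and in an untagged JavaScript template literal `\[` evaluates to a plain `[`. If CopyableCode displays the string as passed, the rendered filter that readers copy would start `pvedaemon[.*authentication failure`, which no longer matches the literal bracket in the pvedaemon log line. Suggest writing `\\[` in the JSX source (or building the string with String.raw) and comparing the rendered page against the intended filter before merging.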
@ -128,14 +150,20 @@ maxretry = 3
bantime = 3600 bantime = 3600
findtime = 600 findtime = 600
EOF EOF
`}
/>
# Configure general fail2ban settings <p className="text-lg mt-4">Set up global Fail2Ban policies:</p>
<CopyableCode
code={`
# Configure general Fail2Ban settings
cat <<EOF > /etc/fail2ban/jail.local cat <<EOF > /etc/fail2ban/jail.local
[DEFAULT] [DEFAULT]
ignoreip = 127.0.0.1 ignoreip = 127.0.0.1
bantime = 86400 bantime = 86400
maxretry = 2 maxretry = 2
findtime = 1800 findtime = 1800
[ssh-iptables] [ssh-iptables]
enabled = true enabled = true
filter = sshd filter = sshd
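Review bot: the new lead-in "Set up global Fail2Ban policies" does not tell readers that `cat <<EOF > /etc/fail2ban/jail.local` replaces any existing jail.local, so local jails or overrides already on the host are lost when the block is pasted. Suggest adding a sentence saying so and recommending a backup of the file first. The same paragraph is a good place to point out that the [DEFAULT] section shown here combines `maxretry = 2` and `bantime = 86400` with `ignoreip = 127.0.0.1` only, so an administrator who mistypes a password twice is banned for a day unless a management address is added to ignoreip.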
@ -145,11 +173,30 @@ maxretry = 2
findtime = 3600 findtime = 3600
bantime = 32400 bantime = 32400
EOF EOF
`}
/>
# Enable and restart fail2ban service <p className="text-lg mt-4">Enable and restart the Fail2Ban service:</p>
<CopyableCode
code={`
# Enable and restart Fail2Ban
systemctl enable fail2ban systemctl enable fail2ban
systemctl restart fail2ban systemctl restart fail2ban
`} `}
/>
<p className="text-lg mt-4">Check active Fail2Ban jails:</p>
<CopyableCode
code={`
# Display Fail2Ban status
fail2ban-client status
# Check status of Proxmox protection
fail2ban-client status proxmox
# Check status of SSH protection
fail2ban-client status ssh-iptables
`}
/> />
<section className="mt-12 p-4 bg-blue-100 rounded-md"> <section className="mt-12 p-4 bg-blue-100 rounded-md">
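Review bot: the new "Check active Fail2Ban jails" block shows how to list bans with `fail2ban-client status proxmox` and `fail2ban-client status ssh-iptables`, but nothing in the added text explains how to lift one, and the jail closed in this hunk uses `bantime = 32400`. Suggest adding the matching unban command next to the status commands, for example `fail2ban-client set ssh-iptables unbanip <IP>`, so a reader who bans their own address has a documented way out from the console.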