Security Settings

The Security Settings category focuses on enhancing the security of your Proxmox VE installation. These settings are crucial for protecting your virtualization environment from potential threats and unauthorized access.

Available Optimizations

Disable portmapper/rpcbind

This optimization disables the portmapper/rpcbind service for improved security.

Why it's beneficial: Disabling unnecessary services like portmapper/rpcbind reduces the attack surface of your system. This service is often not needed in modern environments and can be a potential security risk if left enabled.

This adjustment automates the following commands:

Install Lynis Security Tool

Lynis is a comprehensive security auditing tool that analyzes your system, detects vulnerabilities, and provides recommendations for improving security.

How it works: Lynis scans the system and evaluates various security parameters, including:

Kernel security and system settings
Authentication policies (SSH, user passwords, etc.)
Network configurations and firewall rules
File permissions and system integrity
Malware detection and system hardening suggestions

This adjustment automates the following command:

To run a system security audit, execute:

Protect Web Interface with Fail2Ban

Fail2Ban enhances security by monitoring login attempts and banning malicious IPs that attempt unauthorized access.

How it works: Fail2Ban analyzes logs, detects repeated authentication failures, and automatically bans the source IP address to prevent further attacks.

Protects the Proxmox VE web interface from brute-force attacks
Prevents unauthorized SSH access by banning repeated failed login attempts
Automatically blocks malicious IPs to reduce attack vectors

Fail2Ban Configuration Overview

Fail2Ban is configured with the following security policies:

Ban Duration: 24 hours for SSH and 1 hour for Proxmox
Max Retries: 2 failed attempts for SSH, 3 for Proxmox
Find Time: 30 minutes for SSH, 10 minutes for Proxmox
Log Monitoring: /var/log/auth.log for SSH and /var/log/daemon.log for Proxmox

Install and configure Fail2Ban with the following commands:

Configure the Proxmox filter to detect failed logins:

/etc/fail2ban/filter.d/proxmox.conf [Definition] failregex = pvedaemon\\[.*authentication failure; rhost= user=.* msg=.* ignoreregex = EOF `} />

Define security rules for Proxmox:

/etc/fail2ban/jail.d/proxmox.conf [proxmox] enabled = true port = https,http,8006,8007 filter = proxmox logpath = /var/log/daemon.log maxretry = 3 bantime = 3600 findtime = 600 EOF `} />

Set up global Fail2Ban policies:

/etc/fail2ban/jail.local [DEFAULT] ignoreip = 127.0.0.1 bantime = 86400 maxretry = 2 findtime = 1800 [ssh-iptables] enabled = true filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] logpath = /var/log/auth.log maxretry = 2 findtime = 3600 bantime = 32400 EOF `} />

Enable and restart the Fail2Ban service:

Check active Fail2Ban jails:

Managing Fail2Ban

You can manually unban an IP if needed:

# Unban an IP from Proxmox protection fail2ban-client set proxmox unbanip `} />

Fail2Ban will now automatically protect your Proxmox VE and SSH access, reducing the risk of brute-force attacks.

Automatic Application

All of these optimizations are automatically applied when selected in the Security section. This automation ensures that these beneficial settings are applied consistently and correctly, saving time and reducing the potential for human error during manual configuration.