import type { Metadata } from "next" import { Shield } from "lucide-react" import CopyableCode from "@/components/CopyableCode" export const metadata: Metadata = { title: "ProxMenux Post-Install: Security Settings", description: "Comprehensive guide to Security Settings in the ProxMenux post-install script for enhancing Proxmox VE security.", openGraph: { title: "ProxMenux Post-Install: Security Settings", description: "Comprehensive guide to Security Settings in the ProxMenux post-install script for enhancing Proxmox VE security.", type: "article", url: "https://macrimi.github.io/ProxMenux/docs/post-install/security", images: [ { url: "https://macrimi.github.io/ProxMenux/security-settings-image.png", width: 1200, height: 630, alt: "ProxMenux Post-Install Security Settings", }, ], }, twitter: { card: "summary_large_image", title: "ProxMenux Post-Install: Security Settings", description: "Comprehensive guide to Security Settings in the ProxMenux post-install script for enhancing Proxmox VE security.", images: ["https://macrimi.github.io/ProxMenux/security-settings-image.png"], }, } function StepNumber({ number }: { number: number }) { return (
{number}
) } export default function SecuritySettingsPage() { return (

Security Settings

The Security Settings category focuses on enhancing the security of your Proxmox VE installation. These settings are crucial for protecting your virtualization environment from potential threats and unauthorized access.

Available Optimizations

Disable portmapper/rpcbind

This optimization disables the portmapper/rpcbind service for improved security.

Why it's beneficial: Disabling unnecessary services like portmapper/rpcbind reduces the attack surface of your system. This service is often not needed in modern environments and can be a potential security risk if left enabled.

This adjustment automates the following commands:

Install Lynis Security Tool

Lynis is a comprehensive security auditing tool that analyzes your system, detects vulnerabilities, and provides recommendations for improving security.

How it works: Lynis scans the system and evaluates various security parameters, including:

This adjustment automates the following command:

To run a system security audit, execute:

Protect Web Interface with Fail2Ban

Fail2Ban enhances security by monitoring login attempts and banning malicious IPs that attempt unauthorized access.

How it works: Fail2Ban analyzes logs, detects repeated authentication failures, and automatically bans the source IP address to prevent further attacks.

  • Protects the Proxmox VE web interface from brute-force attacks
  • Prevents unauthorized SSH access by banning repeated failed login attempts
  • Automatically blocks malicious IPs to reduce attack vectors

This adjustment automates the following commands:

/etc/fail2ban/filter.d/proxmox.conf [Definition] failregex = pvedaemon\[.*authentication failure; rhost= user=.* msg=.* ignoreregex = EOF `} />

Define security rules for Proxmox:

/etc/fail2ban/jail.d/proxmox.conf [proxmox] enabled = true port = https,http,8006,8007 filter = proxmox logpath = /var/log/daemon.log maxretry = 3 bantime = 3600 findtime = 600 EOF `} />

Set up global Fail2Ban policies:

/etc/fail2ban/jail.local [DEFAULT] ignoreip = 127.0.0.1 bantime = 86400 maxretry = 2 findtime = 1800 [ssh-iptables] enabled = true filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] logpath = /var/log/auth.log maxretry = 2 findtime = 3600 bantime = 32400 EOF `} />

Enable and restart the Fail2Ban service:

Check active Fail2Ban jails:

Automatic Application

All of these optimizations are automatically applied when selected in the Security section. This automation ensures that these beneficial settings are applied consistently and correctly, saving time and reducing the potential for human error during manual configuration.

) }