Security Settings

The Security Settings category focuses on enhancing the security of your Proxmox VE installation. These settings are crucial for protecting your virtualization environment from potential threats and unauthorized access.

Available Optimizations

1. Disable portmapper/rpcbind

This optimization disables the portmapper/rpcbind service for improved security.

Why it's beneficial: Disabling unnecessary services like portmapper/rpcbind reduces the attack surface of your system. This service is often not needed in modern environments and can be a potential security risk if left enabled.

This adjustment automates the following commands:


    # Disable and stop rpcbind
    systemctl disable rpcbind
    systemctl stop rpcbind

2. Install Lynis Security Tool

Lynis is a comprehensive security auditing tool that analyzes your system, detects vulnerabilities, and provides recommendations for improving security.

How it works: Lynis scans the system and evaluates various security parameters, including:

  • Kernel security and system settings
  • Authentication policies (SSH, user passwords, etc.)
  • Network configurations and firewall rules
  • File permissions and system integrity
  • Malware detection and system hardening suggestions

This adjustment automates the following command:


    # Install Lynis
    apt-get -y install lynis

To run a system security audit, execute:


    # Perform a full security audit
    lynis audit system

3. Protect Web Interface with Fail2Ban

Fail2Ban enhances security by monitoring login attempts and banning malicious IPs that attempt unauthorized access.

How it works: Fail2Ban analyzes logs, detects repeated authentication failures, and automatically bans the source IP address to prevent further attacks.

  • Protects the Proxmox VE web interface from brute-force attacks
  • Prevents unauthorized SSH access by banning repeated failed login attempts
  • Automatically blocks malicious IPs to reduce attack vectors

Fail2Ban Configuration Overview

Fail2Ban is configured with the following security policies:

  • Ban Duration: 24 hours for SSH and 1 hour for Proxmox
  • Max Retries: 2 failed attempts for SSH, 3 for Proxmox
  • Find Time: 30 minutes for SSH, 10 minutes for Proxmox
  • Log Monitoring: /var/log/auth.log for SSH and /var/log/daemon.log for Proxmox

This adjustment automates the following commands:


    # Install Fail2Ban
    apt-get -y install fail2ban
      


    # Create the Fail2Ban filter for Proxmox
    cat <<EOF > /etc/fail2ban/filter.d/proxmox.conf
    [Definition]
    failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
    ignoreregex =
    EOF
      


    # Create a jail configuration for Proxmox
    cat <<EOF > /etc/fail2ban/jail.d/proxmox.conf
    [proxmox]
    enabled = true
    port = https,http,8006,8007
    filter = proxmox
    logpath = /var/log/daemon.log
    maxretry = 3
    bantime = 3600
    findtime = 600
    EOF
      


    # Configure general Fail2Ban settings
    cat <<EOF > /etc/fail2ban/jail.local
    [DEFAULT]
    ignoreip = 127.0.0.1
    bantime = 86400
    maxretry = 2
    findtime = 1800

    [ssh-iptables]
    enabled = true
    filter = sshd
    action = iptables[name=SSH, port=ssh, protocol=tcp]
    logpath = /var/log/auth.log
    maxretry = 2
    findtime = 3600
    bantime = 32400
    EOF
      


    # Enable and restart Fail2Ban
    systemctl enable fail2ban
    systemctl restart fail2ban
      

Check active Fail2Ban jails:


    # Display Fail2Ban status
    fail2ban-client status

    # Check status of Proxmox protection
    fail2ban-client status proxmox

    # Check status of SSH protection
    fail2ban-client status ssh-iptables
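
To see how the Proxmox filter and jail settings above interact, the following added example (not part of the script this page documents) applies the page's failregex to constructed log lines and replays the maxretry = 3 / findtime = 600 window. The `(?P<host>\S+)` group is a simplified stand-in for Fail2Ban's `<HOST>` tag, and the sample lines, their year and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# maxretry / findtime from the page's /etc/fail2ban/jail.d/proxmox.conf
MAXRETRY, FINDTIME = 3, 600
# failregex from the page's filter; <HOST> is swapped for a simplified
# stand-in group (assumption: Fail2Ban's real <HOST> pattern is stricter).
FAILREGEX = r"pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\S+)"))

# Constructed sample lines in traditional syslog format (not real logs).
SAMPLE_LOG = """\
Jan 10 12:00:01 pve pvedaemon[1201]: authentication failure; rhost=192.0.2.10 user=root@pam msg=Authentication failure
Jan 10 12:00:05 pve pvedaemon[1201]: <root@pam> successful auth for user 'root@pam'
Jan 10 12:03:40 pve pvedaemon[1201]: authentication failure; rhost=192.0.2.10 user=admin@pve msg=no such user ('admin@pve')
Jan 10 12:04:10 pve pvedaemon[1202]: authentication failure; rhost=198.51.100.7 user=root@pam msg=Authentication failure
Jan 10 12:09:59 pve pvedaemon[1201]: authentication failure; rhost=192.0.2.10 user=root@pam msg=Authentication failure
Jan 10 12:20:00 pve pvedaemon[1202]: authentication failure; rhost=198.51.100.7 user=root@pam msg=Authentication failure
Jan 10 12:31:00 pve pvedaemon[1202]: authentication failure; rhost=198.51.100.7 user=root@pam msg=Authentication failure
"""

def parse_failures(log_text):
    """Yield (timestamp, host) for every line the failregex matches."""
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if m:  # syslog stamps carry no year, so one is assumed here
            ts = datetime.strptime("2024 " + line[:15], "%Y %b %d %H:%M:%S")
            yield ts, m.group("host")

def simulate_bans(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {host: ban time}: maxretry failures inside findtime seconds."""
    recent, banned = defaultdict(deque), {}
    for ts, host in parse_failures(log_text):
        if host in banned:
            continue
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # failure is older than the findtime window
        if len(window) >= maxretry:
            banned[host] = ts
    return banned

if __name__ == "__main__":
    for host, when in simulate_bans(SAMPLE_LOG).items():
        print(f"{host} would be banned at {when:%b %d %H:%M:%S}")
```

Only 192.0.2.10 is banned: 198.51.100.7 also fails three times, but never three times within 600 seconds. On the host itself, `fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf` runs the installed filter against the real log.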
      

Managing Fail2Ban

You can manually unban an IP if needed:


    # Unban an IP from SSH protection
    fail2ban-client set ssh-iptables unbanip <IP_ADDRESS>

    # Unban an IP from Proxmox protection
    fail2ban-client set proxmox unbanip <IP_ADDRESS>
      

Fail2Ban automatically protects your Proxmox VE and SSH access, reducing the risk of brute-force attacks.

Automatic Application

All of these optimizations are automatically applied when selected in the Security section. This automation ensures that these beneficial settings are applied consistently and correctly, saving time and reducing the potential for human error during manual configuration.