<div dir="ltr">Hi Adam,<div><br></div><div>Regarding ssh you can configure sshd to accept root login using RSA public key only and use iptables to restrict ssh access to some IPs you trust (if you can afford static IPs).</div>
<div>Regarding the web interface, PVE uses https to encrypt the communication so you shouldn't worry about password eavesdropping (the password should be strong enough to resist brute force and be changed frequently).</div>
<div><br></div><div>Since I never took time to conduct a security review of the scripts that make up the web interface I can't speak about their robustness, but I think people at Proxmox are smart enough to follow all security best practices.</div>
<div style>The web interface is written with Internet exposure in mind; in fact you can configure pools of VMs and define users with different access levels on the pools.</div><div style>If I remember correctly someone on this list is already facing their PVE web interface to the Internet and I never heard of any security problem.</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">Sure, if you can afford static IPs as the source of the management you can configure iptables to limit web access as well.</div><div class="gmail_extra" style>I don't think that having more than one IP for the PVE host itself can help security; sure you need more IPs to be used on the VMs. Those IPs have to be routed to the PVE host that in turn will bridge them to the VMs.</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">I hope you can find these few words helpful.</div><div class="gmail_extra"><br></div><div class="gmail_extra">Cheers,</div><div class="gmail_extra">Luca<br><br><div class="gmail_quote">
On Wed, Jun 5, 2013 at 9:23 AM, Adam Hunt <span dir="ltr">&lt;<a href="mailto:voxadam@gmail.com" target="_blank">voxadam@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13.333333969116211px">Warning: I'm new to Proxmox and pretty new to virtualization in general.</span><div style="font-family:arial,sans-serif;font-size:13.333333969116211px">
<br></div><div style="font-family:arial,sans-serif;font-size:13.333333969116211px">I am looking at using Proxmox on a leased box in a rack somewhere for some personal projects. One thing that I've noticed about Proxmox is the use of root, access is available via both SSH and the web interface. Is this required for Proxmox to function properly? I've always been taught that it's a bad idea to expose root directly via SSH not to mention some web interface.</div>
<div style="font-family:arial,sans-serif;font-size:13.333333969116211px"><br></div><div style="font-family:arial,sans-serif;font-size:13.333333969116211px">If I end up using Proxmox on my leased server what is the best way to secure the interfaces?</div>
<div style="font-family:arial,sans-serif;font-size:13.333333969116211px"><br></div><div style="font-family:arial,sans-serif;font-size:13.333333969116211px">By the way, the leased box I am using only has a single NIC and IP at the moment. I can get more IPs if I have to but I'm limited to a single NIC.</div>
</div>
<br>_______________________________________________<br>
pve-user mailing list<br>
<a href="mailto:pve-user@pve.proxmox.com" target="_blank">pve-user@pve.proxmox.com</a><br>
<a href="http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user" target="_blank">http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user</a><br>
<br></blockquote></div><br></div></div>
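<div>The two measures suggested in the reply (key-only root login in sshd, and iptables limiting SSH and the web interface to trusted static IPs), as an added example that is not part of the original thread or of Proxmox's own tooling. The function names <code>root_login_policy</code> and <code>mgmt_allow_rules</code> are hypothetical, 203.0.113.10 is a documentation address standing in for a trusted IP, and port 8006 for the PVE web interface is an assumption.</div>

```shell
#!/bin/sh
# Added example: audits and prints only; it never changes sshd or the firewall.

# root_login_policy FILE -> key-only | disabled | password-allowed
# Follows sshd's rules: keywords are case-insensitive and the first value
# seen wins. Only the global section is read (stops at the first Match).
# Assumption: an unset PermitRootLogin is reported as password-allowed,
# because the built-in default differs between OpenSSH releases.
root_login_policy() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" && !seen { seen = 1; val = tolower($2) }
        END {
            if (val == "prohibit-password" || val == "without-password" ||
                val == "forced-commands-only") print "key-only"
            else if (val == "no") print "disabled"
            else print "password-allowed"
        }' "$1"
}

# mgmt_allow_rules PORT IP... -> prints iptables commands, one per line.
# Accepts TCP to PORT from each listed source, then drops everyone else.
# Arguments are checked first so nothing unexpected reaches a root shell.
mgmt_allow_rules() {
    port=$1; shift
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$#" -gt 0 ] || return 1          # refuse to emit a bare DROP rule
    for ip in "$@"; do
        case $ip in ''|*[!0-9./]*) return 1 ;; esac
    done
    for ip in "$@"; do
        echo "iptables -A INPUT -p tcp -s $ip --dport $port -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Constructed sample: key-only root login, then a later line that sshd ignores.
sample=$(mktemp)
printf '%s\n' '# constructed sshd_config' 'PermitRootLogin without-password' \
    'PasswordAuthentication no' 'PermitRootLogin yes' > "$sample"
echo "root login: $(root_login_policy "$sample")"
rm -f "$sample"
# 22 is SSH; 8006 is assumed to be the PVE web interface port.
mgmt_allow_rules 22 203.0.113.10
mgmt_allow_rules 8006 203.0.113.10
```

<div>Review the printed rules before running them as root, and keep an existing session open while testing so a mistyped source address does not lock you out.</div>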