[PVE-User] Security question

Luca Fornasari luca.fornasari at gmail.com
Wed Jun 5 10:01:47 CEST 2013


Hi Adam,

Regarding ssh you can configure sshd to accept root login using RSA public
key only and use iptables to restrict ssh access to some IPs you trust (if
you can afford static IPs).
Regarding the web interface, PVE uses https to encrypt the communication so
you shouldn't worry about password eavesdropping (the password should be
strong enough to resist brute force and changed frequently).

Since I never took time to conduct a security review of the scripts that
make up the web interface I can't speak about their robustness, but I think
people at Proxmox are smart enough to follow all security best practices.
The web interface is written with Internet exposure in mind; in fact you
can configure pools of VMs and define users with different access levels on
the pools.
If I remember correctly someone on this list is already facing their PVE
web interface to the Internet and I never heard of any security problem.

Sure, if you can afford static IPs as the source of the management you can
configure iptables to limit web access as well.
I don't think that having more than one IP for the PVE host itself can help
security; sure you need more IPs to be used on the VMs. Those IPs have to be
routed to the PVE host that in turn will bridge them to the VMs.

I hope you can find these few words helpful.

Cheers,
Luca

On Wed, Jun 5, 2013 at 9:23 AM, Adam Hunt <voxadam at gmail.com> wrote:

> Warning: I'm new to Proxmox and pretty new to virtualization in general.
>
> I am looking at using Proxmox on a leased box in a rack somewhere for some
> personal projects. One thing that I've noticed about Proxmox is the use of
> root, access is available via both SSH and the web interface. Is this
> required for Proxmox to function properly? I've always been taught that
> it's a bad idea to expose root directly via SSH not to mention some web
> interface.
>
> If I end up using Proxmox on my leased server what is the best way to
> secure the interfaces?
>
> By the way, the leased box I am using only has a single NIC and IP at the
> moment. I can get more IPs if I have to but I'm limited to a single NIC.
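The two measures suggested in the reply above (key-only root login over SSH, and iptables rules limiting management access to trusted static IPs) can be checked and generated as follows. This is an added example, not part of the original message: the function names are hypothetical, port 8006 is assumed to be the PVE web interface port, and the addresses are constructed from documentation ranges.

```shell
#!/bin/sh
# Added example: checks for the SSH and iptables measures described in the message.

# Print the PermitRootLogin value sshd would use from the given config file.
# sshd takes the first occurrence of a keyword, case-insensitively. Parsing
# stops at the first Match block (a simplification of this example).
effective_root_login() {
    awk '
        { gsub(/=/, " ") }                      # "Keyword=value" form
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed only when root may log in but not with a password. An unset
# directive fails because the built-in default differs between OpenSSH versions.
root_login_key_only() {
    case "$(effective_root_login "$1")" in
        without-password|prohibit-password) return 0 ;;
        *) return 1 ;;
    esac
}

# Print iptables commands that allow one TCP port from trusted sources and
# drop everyone else. Refuses an empty or malformed list, since a lone DROP
# rule would lock the administrator out of a remote box.
allowlist_rules() {
    port=$1; shift
    [ "$#" -gt 0 ] || { echo "no trusted sources given" >&2; return 1; }
    for src in "$@"; do        # shape check only: dotted quad, optional /prefix
        printf '%s\n' "$src" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' ||
            { echo "invalid source address: $src" >&2; return 1; }
    done
    for src in "$@"; do
        echo "iptables -A INPUT -p tcp -s $src --dport $port -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Constructed sample config and documentation-range addresses.
cfg=$(mktemp)
printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin without-password' > "$cfg"
root_login_key_only "$cfg" && echo "root login: key only"
allowlist_rules 22 203.0.113.10 198.51.100.0/24      # SSH
allowlist_rules 8006 203.0.113.10                     # assumed PVE web port
rm -f "$cfg"
```

The script only prints the iptables commands; because they use `-A`, they take effect after any rules already in the INPUT chain, so review the existing chain before applying them.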