Introduction

Proxmox is nothing more than a Debian distribution with some additional packages on top of it (including a custom kernel though).
This allows us to apply some basic GNU/Linux hardening to the system, thus acting as an hyper-visor.

During this guide, we’ll go through reverse proxy hardening, RPC / NFS deactivation and IPv6 “soft-disabling”.

These blog post procedures DON’T REPLACE PROPER FIREWALL RULES AT ALL.

The procedure

PVEProxy hardening

The PVEProxy is the component responsible for the Proxmox WEB interface communication.
It’s nothing more that a specific reverse proxy.
Thus, we can apply regular cryptographic hardening (/etc/default/pveproxy) :

CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"

# For PVE-Manager >= 5.3 only.
COMPRESSION="0"
HONOR_CIPHER_ORDER="1"

We can also apply some access control rules (/etc/default/pveproxy too) :

DENY_FROM="all"
ALLOW_FROM="YOUR.PRIVATE.IP.RANGE/24,YOUR.HOME.IP.ADDRESS"
POLICY="allow"

# For PVE-Manager >= 6.4 only.
LISTEN_IP="ADMIN.SERVER.IP.ADDRESS"

Disabling RPC / NFS services

If your hyper-visor won’t need running NFS service, it’s safe to disable it.

From /etc/default/nfs-common, set :

NEED_STATD=no

You can also disable RPC services :

systemctl disable --now rpcbind.service rpcbind.socket rpc-statd-notify.service

You only have to reboot now, and you will be able to verify the sockets that are listening with ss -atlnup

IPv6 sockets

You don’t have any IPv6 address, or don’t have a specific need to listen to anything against this protocol ? You can safely disable those sockets.

By default, Postfix is listening to any protocols, let’s disable it (/etc/postfix/main.cf) :

inet_protocols = ipv4

… and then restart the service :

systemctl restart postfix.service

Another IPv6 socket is opened by OpenSSH-Server. Let’s do the same operation (/etc/ssh/sshd_config) :

AddressFamily inet

systemctl restart ssh.service

PVEProxy TLS certificate

If you consider administrating your Proxmox instance from the Web GUI over an insecure network (as Internet), you really should consider using a signed certificate, to prevent MITM attacks.
For this, you can follow the official ACME documentation.

Conclusion

‘hope it helped you !

Here are the references that allow me to perform some tests and write this post :

• Some hardening example for PVE on public IP

• pveproxy(8)

PS : This blog post will be updated (or not) according to the conclusion of this very old issue.
EDIT 2019-03-29 : Updated ! See here for more information.