Hardening Proxmox Server
Secure the Kernel
Harden network via sysctl
cat > /etc/sysctl.d/20-extremeshok.conf <<'EOF'
# eXtremeSHOK.com Secured
# IP spoofing protection
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts=1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
# Do not send ICMP redirects
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
# Mitigate SYN floods
net.ipv4.tcp_syncookies=1
# Log martians (packets with impossible source addresses)
net.ipv4.conf.all.log_martians=1
net.ipv4.icmp_ignore_bogus_error_responses=1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
# Ignore directed pings (the host will not answer ICMP echo at all)
net.ipv4.icmp_echo_ignore_all=1
EOF
Two of these deserve a second look before you apply them: net.ipv4.icmp_echo_ignore_all=1 stops the host answering ping, which breaks most external monitoring, and net.ipv4.conf.all.rp_filter=1 (strict mode) drops packets whose source is not reachable via the interface they arrived on, which bites multi-homed hosts with asymmetric routing; loose mode (2) keeps most of the anti-spoofing benefit in that case. Load the file without rebooting:
sysctl -p /etc/sysctl.d/20-extremeshok.conf
See another example, for hardening a web or mail server: http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/
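Applying the file is only half the job; the values can be reverted by a later sysctl.d fragment, a module loading after boot, or IPv6 being disabled, so it is worth verifying what the kernel is actually running. The following is an added example, not part of the original post or of eXtremeSHOK's material: it parses a sysctl.d fragment the way sysctl(8) reads it (comments, blank lines, whitespace around "=") and compares each key against /proc/sys, reporting drift. The excerpt of the config and the reader function used in the test are constructed for illustration.

```python
"""Audit the running kernel against a sysctl.d fragment (added example)."""
import sys

# Constructed excerpt of /etc/sysctl.d/20-extremeshok.conf (the real file
# carries more keys); the mixed "=" spacing is deliberate to exercise parsing.
SYSCTL_CONF = """\
# IP spoofing protection
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.log_martians = 1   # logged to the kernel ring buffer
net.ipv4.icmp_echo_ignore_all=1
"""


def parse_sysctl_conf(text):
    """Parse 'key = value' lines as sysctl(8) does: '#' starts a comment,
    lines beginning with ';' are comments, blank lines are skipped, and
    whitespace around '=' and at line ends is ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed sysctl line: {raw!r}")
        settings[key.strip()] = value.strip()
    return settings


def proc_path(key):
    """Map a sysctl key to its /proc/sys file (dots become slashes)."""
    return "/proc/sys/" + key.replace(".", "/")


def read_live(key):
    """Read the current value from /proc/sys; raises OSError if absent."""
    with open(proc_path(key)) as f:
        return f.read().strip()


def audit(expected, read=read_live):
    """Return {key: (wanted, actual)} for every key whose live value differs.
    actual is None when the key does not exist at all (e.g. IPv6 disabled,
    so the net.ipv6.* tree is missing), which is also worth knowing."""
    drift = {}
    for key, want in expected.items():
        try:
            got = read(key)
        except OSError:
            got = None
        if got != want:
            drift[key] = (want, got)
    return drift


if __name__ == "__main__":
    # Usage: audit_sysctl.py [/etc/sysctl.d/20-extremeshok.conf]
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/sysctl.d/20-extremeshok.conf"
    with open(path) as f:
        wanted = parse_sysctl_conf(f.read())
    for key, (want, got) in sorted(audit(wanted).items()):
        print(f"DRIFT {key}: want {want}, have {got}")
```

Run it after sysctl -p and again after a reboot; an empty report means the fragment is in effect, and a None on the IPv6 keys tells you that tree is absent rather than misconfigured.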
Prevent IP Spoofing
Edit /etc/host.conf so it contains:
order hosts,bind
# Machines with multiple IP addresses.
multi on
# Check for IP address spoofing.
nospoof on
Note what this does and does not buy you: nospoof is a resolver-library check (after resolving a name, the address is looked up in reverse and the query fails if the names disagree), so it defends hostname-based trust, not the network layer; the kernel-level anti-spoofing is the rp_filter setting above. On glibc systems the actual lookup order is governed by /etc/nsswitch.conf, not by the order line here.
Force Portmap to listen on localhost
Re-run the package configuration and answer the debconf prompt:
dpkg-reconfigure portmap
Should portmap be bound to the loopback address? YES
Only do this if the host does not export NFS or other RPC services to other machines. On newer Debian-based releases the service is rpcbind rather than portmap; if neither is needed, removing the package is simpler than binding it. Restart portmap to apply:
service portmap restart
Enable IPTables and IP6Tables for OpenVZ Containers
This allows containers/guests to run iptables-based firewalls such as CSF, APF or UFW. Add the missing iptables modules to the IPTABLES= list (and IP6TABLES= for IPv6) in /etc/vz/vz.conf on the host, then restart OpenVZ to apply. Note that this restarts every running container, and that the step only applies to the OpenVZ-based Proxmox VE releases (up to 3.x); later releases use LXC containers.
/etc/init.d/vz restart
Prevent Brute-forcing of logins
Install fail2ban:
apt-get install fail2ban
Create the Proxmox filter file, /etc/fail2ban/filter.d/proxmox2.conf, with the regex that matches pvedaemon's authentication-failure lines:
# Fail2Ban configuration file
#
# Author: eXtremeSHOK.com
#
# $Revision: 201 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.*msg=.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
Create fail2ban config for proxmox
We are also adding SSH and SSH DDOS protections.
Add (or change, if they already exist) the following at the bottom of /etc/fail2ban/jail.local. The filter = name must match the file created in filter.d. Keep comments on their own lines: fail2ban's ini parser does not reliably strip a trailing "# comment" from a value, and "86400 #24hours" is not a valid bantime.
##### PROXMOX2: START ######
[proxmox2]
enabled = true
port = https,http,8006
filter = proxmox2
logpath = /var/log/daemon.log
maxretry = 5
# 24 hours
bantime = 86400
##### PROXMOX2: END ######
##### SSH: START ######
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
# 24 hours
bantime = 86400
##### SSH: END ######
##### SSH ANTI-DDOS: START ######
[ssh-ddos]
enabled = true
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 5
##### SSH ANTI-DDOS: END ######
Two caveats: a jail whose logpath does not exist will not start, so on hosts that log only to the systemd journal (no rsyslog, hence no /var/log/daemon.log or auth.log) either install rsyslog or set backend = systemd in the jail; and on fail2ban 0.10 and later the sshd-ddos filter no longer exists, the same patterns being selected with mode = ddos (or aggressive) in the sshd jail.
Optional: Test fail2ban
fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox2.conf
Restart fail2ban to apply the setting
service fail2ban restart
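fail2ban-regex tells you whether the filter matches, but not what the jail will do with the matches. The script below is an added example, not part of the original post or of fail2ban itself: it expands the <HOST> tag exactly as fail2ban does, runs the proxmox2 failregex over a constructed sample of daemon.log lines (including an IPv4-mapped-IPv6 rhost and two non-failure lines), and then applies the jail's maxretry/findtime counting to show which hosts would be banned. The sample log lines, the fixed year used for timestamp parsing and the function names are assumptions made for the example.

```python
"""Dry-run of the proxmox2 fail2ban jail against constructed log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban substitutes this pattern for the <HOST> tag: an optional
# IPv4-mapped-IPv6 prefix, then the address captured as the group "host".
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# failregex from /etc/fail2ban/filter.d/proxmox2.conf with <HOST> expanded.
FAILREGEX = re.compile(
    r"pvedaemon\[.*authentication failure; rhost=" + HOST_TAG + r" user=.*msg=.*"
)

# Syslog-style prefix as written to /var/log/daemon.log; only the timestamp
# is needed here, for the findtime window.
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d\d \d\d:\d\d:\d\d) ")

# Constructed sample of daemon.log (not captured from a real host).
SAMPLE_LOG = """\
Mar 11 10:00:01 pve pvedaemon[1234]: authentication failure; rhost=203.0.113.7 user=root@pam msg=Authentication failure
Mar 11 10:00:05 pve pvedaemon[1234]: authentication failure; rhost=203.0.113.7 user=root@pam msg=Authentication failure
Mar 11 10:00:09 pve pvedaemon[1234]: authentication failure; rhost=203.0.113.7 user=admin@pve msg=Authentication failure
Mar 11 10:00:12 pve pvedaemon[1234]: authentication failure; rhost=203.0.113.7 user=root@pam msg=Authentication failure
Mar 11 10:00:15 pve pvedaemon[1234]: authentication failure; rhost=203.0.113.7 user=root@pam msg=Authentication failure
Mar 11 10:00:20 pve pvedaemon[1234]: authentication failure; rhost=::ffff:198.51.100.9 user=root@pam msg=Authentication failure
Mar 11 10:00:21 pve pvedaemon[1234]: <root@pam> successful auth for user 'root@pam'
Mar 11 10:00:22 pve pveproxy[2345]: worker 2346 started
"""


def find_failures(log_text, year=2024):
    """Return [(timestamp, host)] for every line the failregex matches.
    Syslog lines carry no year, so one is assumed for parsing."""
    hits = []
    for line in log_text.splitlines():
        ts_match = SYSLOG_TS.match(line)
        fail = FAILREGEX.search(line)
        if ts_match and fail:
            ts = datetime.strptime(
                f"{year} {ts_match.group('ts')}", "%Y %b %d %H:%M:%S")
            hits.append((ts, fail.group("host")))
    return hits


def hosts_to_ban(hits, maxretry=5, findtime=600):
    """Replicate the jail's counting rule: a host is banned once it has
    maxretry matching lines inside any findtime-second window."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = set()
    for ts, host in sorted(hits):
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:   # expire failures outside the window
            q.popleft()
        if len(q) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    failures = find_failures(SAMPLE_LOG)
    for ts, host in failures:
        print(ts.isoformat(), host)
    print("would ban:", sorted(hosts_to_ban(failures)))
```

Two things the run makes visible: the IPv4-mapped rhost is reported as 198.51.100.9, not ::ffff:198.51.100.9, because the optional prefix in the <HOST> expansion swallows it (so the iptables rule fail2ban writes targets the plain IPv4 address), and the five failures from 203.0.113.7 only trip the jail because they fall inside the default 600-second findtime; a slow attacker spacing attempts further apart than findtime/maxretry is never banned, which is the argument for a longer findtime on an interface that is not supposed to see failed logins at all.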
Removing a banned IP
Replace <ip> with the address to unban. From fail2ban 0.8.8 on, let fail2ban do it so the jail's own state stays consistent with the firewall:
fail2ban-client set proxmox2 unbanip <ip>
On older versions, delete the rule directly from the chain fail2ban maintains for the jail:
iptables -D fail2ban-proxmox2 -s <ip> -j DROP
Viewing banned IPs and the status of the filter
fail2ban-client status proxmox2
Status for the jail: proxmox2
|- filter
|  |- File list:        /var/log/daemon.log
|  |- Currently failed: 0
|  `- Total failed:     10
`- action
   |- Currently banned: 1
   |  `- IP list:       11.22.33.44
   `- Total banned:     2
Source and thanks to: http://blog.extremeshok.com/?p=810