Securing Proxmox Home Lab: A Step-by-Step Guide
To better understand Proxmox features and capabilities, new users prefer to build a test environment using a Proxmox host called a Proxmox home lab. It is necessary to ensure proper security measures for your Proxmox home lab setup. This blog post covers the Proxmox security best practices you should implement to prevent data loss and protect against cyber threats.
Why Securing Proxmox Home Lab is Essential
Without proper security measures, your Proxmox environment can become vulnerable to cyber threats, data breaches and unauthorized access. Proxmox home lab security is critical for personal and professional purposes. Unauthorized users accessing a Proxmox host can threaten the host, virtual machines, NAS devices and other hosts connected to the network. Unauthorized access can lead to malware and ransomware infections, causing data leaks and loss.
As Proxmox hosts usually run on physical hardware, attackers can use these hardware resources to mine cryptocurrency, conduct other cybercriminal activities, make a Proxmox host part of a botnet, run malicious scripts, etc. These factors can significantly reduce the performance of the host and virtual machines.
Essential Security Measures for Proxmox
To reduce the risks of unauthorized access to a Proxmox home lab, you should understand how to secure the Proxmox environment and implement the essential security practices.
Set strong passwords and enable 2FA
Using strong passwords for administrative accounts is the first line of defense. Use unique passwords with 8 characters or more. The password should contain lowercase and uppercase letters, digits and special characters. You can use passphrases that meet these requirements to make it easier to remember. A strong password that meets the complexity requirements is a barrier for attackers since brute force attacks cannot easily hack it.
For enhanced security, you can configure two-factor authentication (multi-factor authentication, MFA or 2FA). Proxmox supports configuring two-factor authentication in multiple ways, such as using a Time-based One-Time Password (TOTP) or YubiKey OTP. You can edit authentication settings in Permissions > Two Factor in the Proxmox VE web interface.
Harden SSH access
Proxmox management is performed via the graphical web user interface, but the most detailed configuration can be done in the command line via SSH connection. An SSH server is available on a Proxmox host, similar to that on Linux machines for host management. If attackers can gain SSH access to the host, they can get full access and run malware.
You can implement additional security measures to reduce the risk of unauthorized access. For example, you can change the standard SSH port (22) to a custom port (9522). Disable root logins and use sudo to get administrative privileges. Using public keys instead of passwords to log in via SSH requires a more complex configuration but can provide better security.
Implement VLANs for network segmentation
You should consider configuring a VLAN if you want to connect any device that can be vulnerable to a network connected to a Proxmox host or VMs. VLANs are used for network segmentation on the second layer of the OSI model, allowing you to logically separate devices in the same physical network.
Examples of VLANs in Proxmox VE used for a home lab include:
- Management VLAN: Only for Proxmox GUI, SSH and administrative tools.
- VM VLANs: For specific workloads like web servers, databases or development environments.
- Storage VLAN: Dedicated to NAS, NFS, iSCSI or Proxmox Backup Server.
- IoT VLAN: Segregate smart home devices from critical infrastructure.
Using VLANs minimizes the attack surface and provides the following advantages:
- Limits the spread of malware across different VLANs.
- Prevents compromised VMs from accessing Proxmox management.
- Enforces strict access control between services.
For example, if malware infects a VM connected to VLAN 20 and spreads over the network, it cannot access the Proxmox host management interface connected to VLAN 10.
It is recommended that you configure the Proxmox firewall and firewall rules on the third layer of the OSI model in addition to configuring VLANs on the second layer.
- Allow SSH access to Proxmox only from the Admin VLAN 10 (192.168.10.0/24).
- Deny all communications between the Guest VLAN 30 (192.168.30.0/24) and the Proxmox management VLAN.
- Permit NAS access only to VMs that require it, not the entire network.
An example of a VLAN architecture for a Proxmox home lab is shown in the table.
VLAN ID | Purpose | Subnet | Access |
10 | Management | 192.168.10.0/24 | Proxmox GUI, SSH, Hypervisor Management |
20 | Server/VM Network | 192.168.20.0/24 | Web servers, app servers, database VMs |
30 | Guest VLAN | 192.168.30.0/24 | Devices with minimal trust (guest laptops, IoT) |
40 | Storage VLAN | 192.168.40.0/24 | NFS, iSCSI, NAS, Proxmox Backup Server |
50 | DMZ (Public-facing) | 192.168.50.0/24 | Public web servers, reverse proxies |
Use a managed switch to create VLANs and tag ports connected to Proxmox. VLANs can be created in the Proxmox network configuration by editing /etc/network/interfaces
Below is an example of the configuration file content to create VLANs on bridged interfaces:
auto vmbr0
iface vmbr0 inet manual
bridge-ports eno1
bridge-stp off
bridge-fd 0
# Management VLAN (ID 10)
auto vmbr0.10
iface vmbr0.10 inet static
address 192.168.10.2/24
vlan-raw-device vmbr0
# VM VLAN (ID 20)
auto vmbr0.20
iface vmbr0.20 inet static
address 192.168.20.2/24
vlan-raw-device vmbr0
Restrict unnecessary port access
Attackers can exploit open ports for different services to access a Proxmox host via existing vulnerabilities. Close access via unnecessary ports by using the firewall or restrict access to the Proxmox IP address and specific ports only to allow trusted IP addresses defined manually. Since Proxmox is a Linux-based system, Proxmox VE uses a powerful iptables-based firewall. In case you’re using a Proxmox cluster, the firewall stores the configuration and runs on each cluster node.
To access the Proxmox firewall configuration in the Proxmox VE web interface, go to Datacenter > Firewall > Security rules and add a new Group with custom firewall rules.
Set up a firewall or router VM
Running the firewall on a Proxmox host or cluster can protect more than just the Proxmox host(s) in a Proxmox home lab. You can set up a dedicated VM used for firewall tasks to protect the entire network and all connected devices. This setup is commonly referred to as a “virtual firewall” or “firewall VM” architecture. Popular firewall solutions like pfSense, OPNsense or Linux-based firewalls such as iptables can be deployed in this way.
Note that this Proxmox home lab setup with a firewall VM could be convenient if the Proxmox host is running continuously. If it’s turned off periodically, the firewall VM used for the entire network is also powered off. This can cause issues if the firewall VM is used for internet access for all devices in the network (in this case, using a physical device configured as a firewall may be more convenient). You should examine the advantages and disadvantages of this configuration for your environment before deciding whether to use the firewall VM.
Encrypt ZFS disks for data protection
If you use the ZFS file system on a Proxmox host and need the highest security level, consider enabling ZFS encryption for Proxmox to encrypt storage pools and prevent unauthorized access to disk drives with data. Be careful before performing any operations with disks and file systems. Back up important data before changing the storage configuration
An example of encrypting a ZFS pool on a Proxmox host:
zfs create pool-name/safe -o encryption=on -o keyformat=passphrase
Never expose Proxmox to the public internet
Don’t enable public access to a Proxmox host from the internet. If you need to provide access to the Proxmox host from outside locations, configure the firewall to allow access from specific IP addresses to your Proxmox host by explicitly defining IP addresses and port numbers. You can use port forwarding on the firewall for this purpose. Alternatively, configure a VPN server in your environment where a Proxmox home lab is located and use a VPN connection to access a Proxmox host from external networks.
Monitoring and Auditing Proxmox Security
Monitoring Proxmox hosts in a home lab can help improve the overall security level. Monitor the logs on a Proxmox host and keep an eye on CPU, RAM and disk usage.
Ensure that built-in Proxmox logs are enabled:
- Syslog: /var/log/syslog – General system logs.
- Authentication: /var/log/auth.log – Login attempts via SSH and GUI.
- Proxmox-specific logs: /var/log/pve/ – Logs related to Proxmox services.
Additionally, you can use special centralized monitoring tools (free or paid solutions) to monitor Proxmox hosts and guest operating systems on virtual machines. Configure alerts and notifications to quickly fix possible issues as soon as possible.
Pay attention to the following conditions when configuring automatic authentications:
- More than 5 failed SSH login attempts within 5 minutes.
- A VM’s CPU usage stays above 90% for over 10 minutes.
- Detecting an unexpected open port on the Proxmox host.
Perform periodic audits and security scans. Install security patches and updates regularly to fix known vulnerabilities. Inspect firewall rules to ensure they are optimal, considering the latest infrastructure changes.
Protecting Proxmox Backups from Ransomware
Proxmox backups allow you to protect data in a Proxmox virtual environment. Regularly back up virtual machines and store backups in a safe place. If ransomware infects the VMs and encrypts data irreversibly, you can recover your backups to avoid data loss. However, backups are also a target for ransomware. Ensure that only authorized users can access backup storage and applications.
Use air-gapped storage and backup immutability to ensure optimal ransomware protection for your Proxmox home lab and Proxmox backups. Air-gapped storage can be a physically disconnected hard disk drive (HDD), optical disc, tape cartridge, etc. Backup immutability is a feature that uses the write-once-read-many (WORM) approach. Once data is written, it cannot be modified or deleted until the immutability period expires.
NAKIVO Backup & Replication is a dedicated data protection solution that supports Proxmox backup for virtual machines and immutability. Immutable backups can be configured in local backup repositories attached to Linux Transporters, Amazon S3, the cloud and S3-compatible object storage.
Conclusion
Efficient Proxmox security measures include a strong authentication policy, network segmentation, access restriction in the firewall, Proxmox SSH security, monitoring the environment, data backup and ransomware protection. Implement these measures in your Proxmox in a lab environment to reduce the risk of malware infections and prevent data loss. Use NAKIVO Backup & Replication to back up Proxmox VMs and protect the backups against ransomware using immutability.