
Proxmox VE 3.0 + Security


ebony
23-06-2013, 18:59
Quote Originally Posted by Jon
Thanks for the links. After a lot of troubleshooting and server downtime (of which I'm sure OVH were getting annoyed at all the reboot requests) I ended up using UFW (Uncomplicated Firewall). Such a breeze to configure. I highly recommend this for Debian based distros.
I use UFW on my Proxmox server; very easy and works great. Not had a problem since.

Jon
14-06-2013, 22:34
Thanks for the links. After a lot of troubleshooting and server downtime (of which I'm sure OVH were getting annoyed at all the reboot requests) I ended up using UFW (Uncomplicated Firewall). Such a breeze to configure. I highly recommend this for Debian based distros.

marks
14-06-2013, 14:14
Whatever the firewall, please follow these instructions here:

http://help.ovh.co.uk/firewall

to make it work with our monitoring system.

cartwright118
14-06-2013, 12:26
Myatu (a user on this forum) has written a very good guide on how to do this. I have used it multiple times and never run into any issues.

http://myatus.com/p/guide-firewall-a...ending-its-us/

Give that a go

Christian

raxxeh
14-06-2013, 00:46
Just use iptables and drop the ports for everyone but your IP.

Jon
14-06-2013, 00:23
Hi all,

I'm having some difficulty setting up a shorewall firewall on a Proxmox VE dedicated server. Has anybody got any success stories in setting up a firewall on such a host?

A quick nmap shows these ports open:

Code:
Starting Nmap 6.00 ( http://nmap.org ) at 2013-06-13 15:10 PDT
Nmap scan report for X.X.X.X
Host is up (0.061s latency).
Not shown: 997 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
111/tcp open     rpcbind
445/tcp filtered microsoft-ds
8006/tcp open  unknown
56885/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 8.33 seconds

I understand ports 22 (SSH) and 8006 (Web GUI) being open, but why the need for 111, 445 and 56885? Unless Proxmox is immune to security issues I would prefer to lock things down somewhat and I'm sure you would agree.

I used this as somewhat of a loose guide in understanding Shorewall as it relates to Proxmox and to configure my host.

My understanding is that in order for Shorewall to work on Proxmox you have to disable the vmbr0 -> eth0 bridge in order for proxyarp to take effect. I attempted to do this, and upon restarting, the host became unreachable and I had to boot from the rescue-pro option, mount / and edit the interfaces file to get it back in working order. So I don't believe that this is an option.

Can anybody point me in the right direction? I *think* I understand Shorewall but could definitely use some advice from your experience and existing setups.
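
The iptables approach suggested in the thread, applied to the ports in the scan above, as an added example that is not part of any post: a script that prints an `iptables-restore` ruleset for the host's INPUT chain, leaving 22 and 8006 reachable from one admin address only. The function names, the script name `fw.sh` and the monitoring addresses are assumptions; the real monitoring requirements are in the provider's firewall instructions linked in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints an iptables-restore ruleset;
# it does not apply anything.

# is_ipv4 ADDR: succeed only for a dotted quad with each octet in 0..255.
is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into $1..$4
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# gen_rules ADMIN_IP [MONITOR_IP...]
#   ADMIN_IP    the only source allowed to reach SSH (22) and the GUI (8006)
#   MONITOR_IP  placeholder for the provider's monitoring hosts; allowing
#               ICMP echo from them is an assumption, see their instructions
gen_rules() {
    admin_ip=$1
    [ $# -gt 0 ] && shift
    # Validate everything before printing, so a typo never yields a partial
    # ruleset that could lock the admin out.
    for addr in "$admin_ip" "$@"; do
        is_ipv4 "$addr" || { echo "bad address: '$addr'" >&2; return 1; }
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'       # default-deny: 111, 56885, etc. are dropped
    echo ':FORWARD ACCEPT [0:0]'   # forwarded guest traffic is left untouched
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for port in 22 8006; do
        echo "-A INPUT -s $admin_ip/32 -p tcp --dport $port -j ACCEPT"
    done
    for addr in "$@"; do
        echo "-A INPUT -s $addr/32 -p icmp --icmp-type echo-request -j ACCEPT"
    done
    echo 'COMMIT'
}

# Usage: sh fw.sh ADMIN_IP [MONITOR_IP...] | iptables-restore --test
[ $# -eq 0 ] || gen_rules "$@"
```

Check the output with `iptables-restore --test` before loading it, and keep out-of-band access (such as the rescue mode mentioned in the original post) available for the first load.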