Got an idea? Nice! We love hearing what features would make PegaProx better for you.
A friendly reminder: PegaProx is built by volunteers in our spare time. We can't promise timelines or guarantee every feature will be implemented, but every suggestion helps shape the roadmap!
Want to help move things faster?
Describe the feature
Enhancements to (CIS) system hardening
Some of those settings are already addressed within the CIS hardening or Proxmox system defaults:
```yaml
# The play header was lost in the paste; it is restored here with the same hosts group
# as the sshd playbook further down.
- name: Apply sysctl hardening on targeted servers
  hosts: Proxmox
  become: true
  tasks:
    - name: Apply security hardening sysctl settings
      ansible.posix.sysctl:
        name: "{{ item.key }}"
        value: "{{ item.value }}"
        sysctl_set: true
        state: present
        reload: true
        sysctl_file: /etc/sysctl.d/50-security-hardening.conf
      loop:
        ## TCP/IP stack
        # ++Enable SYN flood protection; tcp_max_syn_backlog is the maximum
        #   count of half-open connections (IPv4)
        - { key: "net.ipv4.tcp_syncookies", value: "1" }
        - { key: "net.ipv4.tcp_max_syn_backlog", value: "4096" }
        - { key: "net.ipv4.tcp_synack_retries", value: "2" }
        - { key: "net.core.somaxconn", value: "1024" }
        # ++Disable source routing (prevents spoofed packets)
        - { key: "net.ipv4.conf.all.accept_source_route", value: "0" }
        - { key: "net.ipv4.conf.default.accept_source_route", value: "0" }
        - { key: "net.ipv6.conf.all.accept_source_route", value: "0" }
        - { key: "net.ipv6.conf.default.accept_source_route", value: "0" }
        # ++Enable reverse path filtering (anti-spoofing)
        - { key: "net.ipv4.conf.all.rp_filter", value: "1" }
        - { key: "net.ipv4.conf.default.rp_filter", value: "1" }
        # ++Ignore ICMP redirects (prevent MITM)
        - { key: "net.ipv4.conf.all.accept_redirects", value: "0" }
        - { key: "net.ipv4.conf.default.accept_redirects", value: "0" }
        - { key: "net.ipv6.conf.all.accept_redirects", value: "0" }
        - { key: "net.ipv6.conf.default.accept_redirects", value: "0" }
        # ++Ignore secure ICMP redirects (prevent MITM)
        - { key: "net.ipv4.conf.default.secure_redirects", value: "0" }
        # ++Ignore router advertisements
        - { key: "net.ipv6.conf.all.accept_ra", value: "0" }
        # ++Do not send ICMP redirects
        - { key: "net.ipv4.conf.all.send_redirects", value: "0" }
        - { key: "net.ipv4.conf.default.send_redirects", value: "0" }
        # ++Deactivate TCP timestamps
        - { key: "net.ipv4.tcp_timestamps", value: "0" }
        # ++Log martian packets (impossible source addresses)
        - { key: "net.ipv4.conf.all.log_martians", value: "1" }
        - { key: "net.ipv4.conf.default.log_martians", value: "1" }
        # ++Ignore broadcast ICMP (prevent smurf attacks)
        - { key: "net.ipv4.icmp_echo_ignore_broadcasts", value: "1" }
        # ++Disable IP forwarding (unless this is a router)
        - { key: "net.ipv4.ip_forward", value: "0" }
        ## Kernel
        # Restrict kernel pointer exposure
        - { key: "kernel.kptr_restrict", value: "2" }
        # Restrict dmesg access to root
        - { key: "kernel.dmesg_restrict", value: "1" }
        # Disable kernel profiling for non-root
        - { key: "kernel.perf_event_paranoid", value: "3" }
        # Restrict BPF to CAP_SYS_ADMIN
        - { key: "kernel.unprivileged_bpf_disabled", value: "1" }
        # Restrict ptrace to descendant processes
        - { key: "kernel.yama.ptrace_scope", value: "1" }
        # Disable core dumps of setuid programs
        - { key: "fs.suid_dumpable", value: "0" }
```
The same settings in plain sysctl.conf form:

```ini
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=4096
net.ipv4.tcp_synack_retries=2
net.core.somaxconn=1024
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv6.conf.all.accept_ra=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.tcp_timestamps=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.ip_forward=0
kernel.kptr_restrict=2
kernel.dmesg_restrict=1
kernel.perf_event_paranoid=3
kernel.unprivileged_bpf_disabled=1
kernel.yama.ptrace_scope=1
fs.suid_dumpable=0
```
WARNING
Applying those settings may break stuff, so as a supplemental improvement request: add a method to restore the original state in case something goes wrong.
Further settings:
The settings above deal with the TCP timestamp information disclosure; however, they do not (cannot) deal with ICMP timestamp disclosure, which has to be done by a firewall setting. Therefore I suggest adding the option to implement the following firewall rule, as seen in the Proxmox web GUI either on node or cluster level:
IN DROP [the IP to protect, e.g. the management interface] proto: ICMP, type: timestamp-request
iptables -L:
```text
Chain PVEFW-HOST-IN
DROP       icmp --  anywhere             anywhere             icmp timestamp-request
```
Check correct behavior with e.g. the OpenVAS scanner (or Nessus, etc.).
SSHD hardening
For SSHD the following hardening is suggested:
```yaml
- name: configure sshd on targeted servers
  hosts: Proxmox
  become: true
  tasks:
    # Each directive is matched with a regexp (commented or not) so an existing line is
    # replaced instead of a duplicate being appended: sshd honours the first occurrence,
    # so an appended duplicate would silently be ignored. validate runs "sshd -t" on the
    # edited copy so a typo cannot lock you out when the service restarts.
    - name: Set SSH KexAlgorithms
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?KexAlgorithms'
        line: 'KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart SSHd
    - name: Set SSH Ciphers
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?Ciphers'
        line: 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart SSHd
    - name: Set SSH MACs
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?MACs'
        line: 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart SSHd
    - name: Set SSH loglevel to verbose
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?LogLevel'
        line: 'LogLevel VERBOSE'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart SSHd
    - name: Log sftp file access
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^Subsystem\s+sftp\s+/usr/lib/openssh/sftp-server'
        line: 'Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart SSHd
    - name: Disable logins with empty password
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PermitEmptyPasswords'
        line: 'PermitEmptyPasswords no'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart SSHd
    - name: Set SSH Banner
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?Banner'
        line: 'Banner /etc/issue.net'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart SSHd
    # Drop DH group-exchange moduli shorter than 3072 bits (column 5 is the size in bits)
    - name: Disable SSH short moduli for DH
      ansible.builtin.shell: |-
        awk '$5 >= 3071' /etc/ssh/moduli > /tmp/moduli &&
        mv /tmp/moduli /etc/ssh/moduli
      notify: Restart SSHd
  handlers:
    # Restarted once at the end of the play, and only if something above changed
    - name: Restart SSHd
      ansible.builtin.service:
        name: ssh
        state: restarted
```
Scope
These hardenings have been tested on Proxmox VE 9.1.6 and work for me.
Use Case
improve security and compliance of managed hosts
Alternatives considered
Applying hardening via ansible.
How important is this for you?
currently: nice to have...
Checklist
- [x] I have searched existing issues and discussions to make sure this hasn't been requested before
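The WARNING in the sysctl section asks for a way to restore the original state if the hardening breaks something. The following is an added example (not PegaProx code and not from the issue author) of how that can be done in POSIX shell: snapshot the live `/proc/sys` value of every key named in the hardening file before applying it, verify the result, and re-apply the snapshot to roll back. Everything in it is an assumption made for the example: the function names, the `SYSCTL_ROOT` prefix that lets the functions be pointed at a throw-away directory instead of the real `/proc/sys`, and the constructed values in `demo_rollback`.

```shell
#!/bin/sh
# Added example, not PegaProx or Proxmox code: snapshot, verify and roll back the sysctl
# keys named in a hardening file such as /etc/sysctl.d/50-security-hardening.conf.
# SYSCTL_ROOT is an assumption made for this example only: it prefixes /proc/sys so the
# functions can be exercised against a throw-away directory tree without root. Leave it
# unset on a real node and run the functions as root.

: "${SYSCTL_ROOT:=}"

# Map a sysctl key to its /proc/sys file:
# net.ipv4.tcp_syncookies -> /proc/sys/net/ipv4/tcp_syncookies
sysctl_path() {
    printf '%s/proc/sys/%s\n' "$SYSCTL_ROOT" "$(printf '%s' "$1" | tr '.' '/')"
}

# Print the key=value pairs of a sysctl.conf-style file: comments and blank lines are
# dropped and "key = value" is normalised to "key=value".
conf_entries() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | grep '=' || true
}

# snapshot_sysctl CONF OUT: record the live kernel value of every key named in CONF
# into OUT, in the same key=value format, so OUT can later be handed to apply_sysctl
# (or to "sysctl -p OUT") to bring back the pre-hardening state.
snapshot_sysctl() {
    conf="$1"; out="$2"
    : > "$out"
    conf_entries "$conf" | while IFS='=' read -r key _; do
        path=$(sysctl_path "$key")
        if [ -r "$path" ]; then
            printf '%s=%s\n' "$key" "$(cat "$path")" >> "$out"
        else
            # keep a trace of keys this kernel does not expose; comments are ignored on restore
            printf '# %s: not present on this kernel, skipped\n' "$key" >> "$out"
        fi
    done
}

# apply_sysctl FILE: write every key=value in FILE into /proc/sys. Used both to apply the
# hardening file and to restore a snapshot written by snapshot_sysctl.
apply_sysctl() {
    conf_entries "$1" | while IFS='=' read -r key value; do
        path=$(sysctl_path "$key")
        if [ -w "$path" ]; then
            printf '%s\n' "$value" > "$path"
        fi
    done
}

# verify_sysctl CONF: print every key whose live value differs from CONF (a key the kernel
# does not expose counts as drift). Returns 0 when the kernel matches CONF, 1 otherwise.
verify_sysctl() {
    drift=0
    for entry in $(conf_entries "$1"); do
        key=${entry%%=*}
        want=${entry#*=}
        have=$(cat "$(sysctl_path "$key")" 2>/dev/null || echo '<missing>')
        if [ "$have" != "$want" ]; then
            printf '%s: want %s, have %s\n' "$key" "$want" "$have"
            drift=1
        fi
    done
    return "$drift"
}

# demo_rollback: self-check against a constructed /proc/sys tree in a temp dir (no root):
# snapshot -> apply hardening -> verify -> roll back -> confirm the original value is back.
demo_rollback() {
    tmp=$(mktemp -d)
    saved_root="$SYSCTL_ROOT"
    SYSCTL_ROOT="$tmp"
    mkdir -p "$tmp/proc/sys/net/ipv4"
    printf '0\n' > "$tmp/proc/sys/net/ipv4/tcp_syncookies"        # constructed live value
    printf 'net.ipv4.tcp_syncookies = 1\n' > "$tmp/harden.conf"    # constructed hardening file
    snapshot_sysctl "$tmp/harden.conf" "$tmp/before.conf"
    apply_sysctl "$tmp/harden.conf"
    verify_sysctl "$tmp/harden.conf" >/dev/null || return 1       # hardening is live
    apply_sysctl "$tmp/before.conf"                                # roll back
    [ "$(cat "$tmp/proc/sys/net/ipv4/tcp_syncookies")" = 0 ] || return 1
    SYSCTL_ROOT="$saved_root"
    rm -rf "$tmp"
    return 0
}

# On a real node (as root) the sequence is:
#   snapshot_sysctl /etc/sysctl.d/50-security-hardening.conf /root/sysctl-before-hardening.conf
#   apply_sysctl    /etc/sysctl.d/50-security-hardening.conf && verify_sysctl /etc/sysctl.d/50-security-hardening.conf
#   apply_sysctl    /root/sysctl-before-hardening.conf        # if something broke
demo_rollback && echo "sysctl snapshot/restore round-trip OK"
```

Rolling back the live values does not undo the file in `/etc/sysctl.d`; move that aside as well, or the hardening returns at the next boot or `sysctl --system`. Keys the running kernel does not expose (a `net.ipv6` key on a host without the IPv6 stack, for example) are recorded as comments in the snapshot and reported as drift by `verify_sysctl`, which is the signal to prune them from the hardening file rather than leave Ansible failing on them.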