Remote access to proxmox

Hosting an Evernode involves setting up and maintaining a linux machine which runs the evernode software and participates in network consensus. By participating, you help maintain the network's decentralized infrastructure while potentially earning rewards. Detailed tutorials and community support are available to assist node operators.
Forum rules
Welcome to the Hosting An Evernode Forum! To ensure a positive and productive environment, please adhere to the following guidelines.

Treat all members with respect and courtesy. Post content relevant to hosting an Evernode, avoiding spamming, self-promotion, or irrelevant topics. Aim to provide clear, informative, and constructive contributions. Discussions of illegal illicit activities are strictly prohibited. Protect your privacy and that of others by not sharing personal information publicly and reporting any suspicious activity to moderators. Failure to adhere to these rules may result in warnings, post deletions, or account suspension. Let’s work together to build a supportive and knowledgeable Evernode community!
Post Reply
proxmoxer
Posts: 22
Joined: Sun Apr 06, 2025 9:31 pm

Remote access to proxmox

Post by proxmoxer »

When you open proxmox port for public you also open up a vulnerability, there exist millions of webcrawlers searching for open ports (8006 being one of them).

First strategy to protect yourself is to install fail2ban, it will then block bruteforce attempts after X amount of tries.

1. (tutorial from https://pve.proxmox.com/wiki/Fail2ban )

Code: Select all

apt update
apt install fail2ban
2.

Code: Select all

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
3.
nano /etc/fail2ban/jail.local

4.
Add this to the bottom of the file

Code: Select all

[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
backend = systemd
maxretry = 3
findtime = 2d
bantime = 1h
Save and Exit

5.
nano /etc/fail2ban/filter.d/proxmox.conf

6.
Add this

Code: Select all

[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =
journalmatch = _SYSTEMD_UNIT=pvedaemon.service
Save and Exit

7.
Restart proxmox service

Code: Select all

systemctl restart fail2ban




An other smart thing to do is to add a route to 8006 in nginx instead of opening the port.

Warning: If you use evrPanel you just need to add the route inside npmplus, you don't need to do anything below. This is for nginx users only. evrPanel users should log into npmplus and just add a route to localip:8006.

1.
sudo nano /etc/nginx/sites-available/proxmox

2.
add

Code: Select all

server {
    listen 80;
    listen [::]:80;

    server_name proxmoxer.domain.tld;

    location / {
        proxy_pass https://10.0.0.2:8006;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_ssl_verify off;

        proxy_buffering off;
        proxy_request_buffering off;

        client_max_body_size 0;

        proxy_connect_timeout 60s;
        proxy_send_timeout 3600s;
        proxy_read_timeout 3600s;
        send_timeout 3600s;
    }
}
3.

Code: Select all

sudo ln -s /etc/nginx/sites-available/proxmox /etc/nginx/sites-enabled/proxmox
4.

Code: Select all

sudo nginx -t
5.

Code: Select all

sudo systemctl reload nginx
6.

Code: Select all

sudo apt update
sudo apt install certbot python3-certbot-nginx

sudo certbot --nginx \
  -d proxmoxer.domain.tld \
  --redirect
7.
certbot will now add the ssl and put it into the configuration file, certbot will also monitor the cert and renew it when needed.
Post Reply