Page 1 of 1

Remote access to proxmox

Posted: Fri Jul 17, 2026 5:40 pm
by proxmoxer
When you open proxmox port for public you also open up a vulnerability, there exist millions of webcrawlers searching for open ports (8006 being one of them).

First strategy to protect yourself is to install fail2ban, it will then block bruteforce attempts after X amount of tries.

1. (tutorial from https://pve.proxmox.com/wiki/Fail2ban )

Code: Select all

apt update
apt install fail2ban
2.

Code: Select all

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
3.
nano /etc/fail2ban/jail.local

4.
Add this to the bottom of the file

Code: Select all

[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
backend = systemd
maxretry = 3
findtime = 2d
bantime = 1h
Save and Exit

5.
nano /etc/fail2ban/filter.d/proxmox.conf

6.
Add this

Code: Select all

[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =
journalmatch = _SYSTEMD_UNIT=pvedaemon.service
Save and Exit

7.
Restart proxmox service

Code: Select all

systemctl restart fail2ban




An other smart thing to do is to add a route to 8006 in nginx instead of opening the port.

Warning: If you use evrPanel you just need to add the route inside npmplus, you don't need to do anything below. This is for nginx users only. evrPanel users should log into npmplus and just add a route to localip:8006.

1.
sudo nano /etc/nginx/sites-available/proxmox

2.
add

Code: Select all

server {
    listen 80;
    listen [::]:80;

    server_name proxmoxer.domain.tld;

    location / {
        proxy_pass https://10.0.0.2:8006;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_ssl_verify off;

        proxy_buffering off;
        proxy_request_buffering off;

        client_max_body_size 0;

        proxy_connect_timeout 60s;
        proxy_send_timeout 3600s;
        proxy_read_timeout 3600s;
        send_timeout 3600s;
    }
}
3.

Code: Select all

sudo ln -s /etc/nginx/sites-available/proxmox /etc/nginx/sites-enabled/proxmox
4.

Code: Select all

sudo nginx -t
5.

Code: Select all

sudo systemctl reload nginx
6.

Code: Select all

sudo apt update
sudo apt install certbot python3-certbot-nginx

sudo certbot --nginx \
  -d proxmoxer.domain.tld \
  --redirect
7.
certbot will now add the ssl and put it into the configuration file, certbot will also monitor the cert and renew it when needed.