Remote access to proxmox
Posted: Fri Jul 17, 2026 5:40 pm
When you open proxmox port for public you also open up a vulnerability, there exist millions of webcrawlers searching for open ports (8006 being one of them).
First strategy to protect yourself is to install fail2ban, it will then block bruteforce attempts after X amount of tries.
1. (tutorial from https://pve.proxmox.com/wiki/Fail2ban )
2.
3.
nano /etc/fail2ban/jail.local
4.
Add this to the bottom of the file
Save and Exit
5.
nano /etc/fail2ban/filter.d/proxmox.conf
6.
Add this
Save and Exit
7.
Restart proxmox service
An other smart thing to do is to add a route to 8006 in nginx instead of opening the port.
Warning: If you use evrPanel you just need to add the route inside npmplus, you don't need to do anything below. This is for nginx users only. evrPanel users should log into npmplus and just add a route to localip:8006.
1.
sudo nano /etc/nginx/sites-available/proxmox
2.
add
3.
4.
5.
6.
7.
certbot will now add the ssl and put it into the configuration file, certbot will also monitor the cert and renew it when needed.
First strategy to protect yourself is to install fail2ban, it will then block bruteforce attempts after X amount of tries.
1. (tutorial from https://pve.proxmox.com/wiki/Fail2ban )
Code: Select all
apt update
apt install fail2banCode: Select all
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.localnano /etc/fail2ban/jail.local
4.
Add this to the bottom of the file
Code: Select all
[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
backend = systemd
maxretry = 3
findtime = 2d
bantime = 1h5.
nano /etc/fail2ban/filter.d/proxmox.conf
6.
Add this
Code: Select all
[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =
journalmatch = _SYSTEMD_UNIT=pvedaemon.service7.
Restart proxmox service
Code: Select all
systemctl restart fail2banAn other smart thing to do is to add a route to 8006 in nginx instead of opening the port.
Warning: If you use evrPanel you just need to add the route inside npmplus, you don't need to do anything below. This is for nginx users only. evrPanel users should log into npmplus and just add a route to localip:8006.
1.
sudo nano /etc/nginx/sites-available/proxmox
2.
add
Code: Select all
server {
listen 80;
listen [::]:80;
server_name proxmoxer.domain.tld;
location / {
proxy_pass https://10.0.0.2:8006;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_ssl_verify off;
proxy_buffering off;
proxy_request_buffering off;
client_max_body_size 0;
proxy_connect_timeout 60s;
proxy_send_timeout 3600s;
proxy_read_timeout 3600s;
send_timeout 3600s;
}
}Code: Select all
sudo ln -s /etc/nginx/sites-available/proxmox /etc/nginx/sites-enabled/proxmoxCode: Select all
sudo nginx -tCode: Select all
sudo systemctl reload nginxCode: Select all
sudo apt update
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx \
-d proxmoxer.domain.tld \
--redirectcertbot will now add the ssl and put it into the configuration file, certbot will also monitor the cert and renew it when needed.