d-bis/proxmox
4
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
master
proxmox/scripts/proxmox-security-hardening.sh.bak
defiQUG fbda1b4beb
Some checks failed
Deploy to Phoenix / deploy (push) Has been cancelled
Details
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates 
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00

122 lines
3.5 KiB
Bash
Raw Permalink Blame History

#!/bin/bash
# Proxmox Security Hardening Script
# Implements security best practices for Proxmox hosts
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "$SCRIPT_DIR/load-physical-inventory.sh" 2>/dev/null || true
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
CYAN='\033[0;36m'
NC='\033[0m'
log_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
log_success() { echo -e "${GREEN}[✓]${NC} $1"; }
log_warn() { echo -e "${YELLOW}[⚠]${NC} $1"; }
log_error() { echo -e "${RED}[✗]${NC} $1"; }
log_section() { echo -e "\n${CYAN}=== $1 ===${NC}\n"; }
# Hosts
declare -A HOSTS
HOSTS[r630-01]="${PROXMOX_HOST_R630_01:-192.168.11.11}:${PROXMOX_PASS_R630_01:-password}"
HOSTS[r630-02]="${PROXMOX_HOST_R630_02:-192.168.11.12}:${PROXMOX_PASS_R630_02:-password}"
log_section "Proxmox Security Hardening"
log_warn "This script will:"
log_warn "1. Review current security settings"
log_warn "2. Provide recommendations"
log_warn "3. Optionally apply security improvements"
echo ""
read -p "Continue with security review? (yes/no): " confirm
if [[ "$confirm" != "yes" ]]; then
log_info "Security review cancelled."
exit 0
fi
# Security Review
for hostname in "${!HOSTS[@]}"; do
ip="${HOSTS[$hostname]%%:*}"
password="${HOSTS[$hostname]#*:}"
log_section "Security Review: $hostname ($ip)"
sshpass -p "$password" ssh -o StrictHostKeyChecking=no root@"$ip" bash <<'ENDSSH' 2>/dev/null || {
log_error "Could not connect to ${hostname}"
continue
}
echo "=== SSH Configuration ==="
grep -E "^PermitRootLogin|^PasswordAuthentication|^PubkeyAuthentication" /etc/ssh/sshd_config 2>/dev/null || echo "SSH config not readable"
echo ""
echo "=== Firewall Status ==="
if command -v pve-firewall >/dev/null 2>&1; then
pve-firewall status 2>/dev/null || echo "Firewall status unknown"
else
echo "pve-firewall not available"
fi
echo ""
echo "=== Failed Login Attempts ==="
lastb 2>/dev/null | head -5 || echo "No failed login records"
echo ""
echo "=== Recent Logins ==="
last -5 2>/dev/null | head -5 || echo "No recent login records"
echo ""
echo "=== User Accounts ==="
awk -F: '$3 == 0 {print $1}' /etc/passwd
echo ""
echo "=== Sudo Configuration ==="
if [ -f /etc/sudoers ]; then
echo "sudoers file exists"
grep -v "^#" /etc/sudoers | grep -v "^$" | head -5 || echo "No sudo rules found"
fi
echo ""
echo "=== Proxmox API Access ==="
pveum user list 2>/dev/null | head -10 || echo "Cannot list users"
echo ""
ENDSSH
done
log_section "Security Recommendations"
cat <<'RECOMMENDATIONS'
1. SSH Security:
- Disable root password login (use SSH keys)
- Change default passwords
- Enable key-based authentication only
2. Firewall:
- Enable pve-firewall
- Restrict access to Proxmox web interface (8006)
- Only allow necessary ports
3. User Management:
- Create non-root users with sudo
- Use Proxmox roles and permissions
- Review API tokens regularly
4. Updates:
- Keep Proxmox and packages updated
- Enable automatic security updates
- Monitor security advisories
5. Monitoring:
- Monitor failed login attempts
- Set up log aggregation
- Alert on security events
RECOMMENDATIONS
log_section "Security Review Complete"
log_info "Review the output above and implement recommendations as needed"
Reference in New Issue View Git Blame Copy Permalink