Proxmox VE Security Hardening Guide
Essential security hardening steps for Proxmox VE: SSH key authentication, firewall rules, fail2ban, disabling unused services, and automatic updates.
Why Harden Proxmox?
A default Proxmox VE installation is functional but not hardened. It allows root SSH login with a password, has no intrusion detection, and runs services that may not be needed. If your Proxmox host is exposed to the network — especially if remotely accessible — hardening is essential. These steps reduce the attack surface and protect your hypervisor, which controls all your VMs and data.
SSH Key-Only Authentication
Disable password-based SSH login and require SSH keys instead. This eliminates brute-force password attacks entirely:
# Generate an SSH key pair on your workstation (if you do not have one):
ssh-keygen -t ed25519 -C "your-email@example.com"
# Copy the public key to the Proxmox host:
ssh-copy-id root@your-proxmox-ip
# Test that key-based login works before disabling passwords:
ssh root@your-proxmox-ip
# Now disable password authentication:
nano /etc/ssh/sshd_config
# Set these values (on current OpenSSH, ChallengeResponseAuthentication is a
# deprecated alias of KbdInteractiveAuthentication; both spellings are accepted):
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
PermitRootLogin prohibit-password
# sshd uses the FIRST occurrence of a keyword, and Debian includes
# /etc/ssh/sshd_config.d/*.conf near the top of sshd_config, so check the
# syntax and the effective values instead of trusting the edit:
sshd -t && sshd -T | grep -Ei '^(passwordauthentication|kbdinteractiveauthentication|permitrootlogin)'
# Restart SSH:
systemctl restart sshd
Keep your SSH session open while testing in a second terminal. If key authentication fails, you can still fix the config through the open session or the Proxmox web console.
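The first-occurrence rule above is easy to get wrong by hand. The following checker is an added example, not code from the guide: it resolves an sshd_config text the way sshd does and reports any directive that differs from the values set above. SAMPLE is a constructed config, not a real host's file.

```python
"""Added example, not code from the guide: audit an sshd_config text for the key-only
settings in the section above, honouring sshd's first-match rule. SAMPLE is constructed."""
import re

# Directive -> required value, exactly as set in the guide above.
REQUIRED = {
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "usepam": "yes",
    "permitrootlogin": "prohibit-password",
}

def effective_settings(config_text):
    """Return {keyword: value} the way sshd resolves them: keywords are
    case-insensitive and the FIRST occurrence wins. Directives after a
    'Match' line are conditional, so parsing stops there. Include'd drop-ins
    are not expanded; run 'sshd -T' on the host to see the merged result."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip()
    return settings

def audit(config_text):
    """Return (directive, expected, effective) for every mismatch, so an
    empty list means the config matches the guide's settings."""
    eff = effective_settings(config_text)
    return [(k, v, eff.get(k)) for k, v in REQUIRED.items() if eff.get(k) != v]

# Constructed sample: the later 'PasswordAuthentication no' is silently ignored
# because an earlier line already set the keyword, and the one inside the Match
# block only applies to that user.
SAMPLE = """\
PasswordAuthentication yes
PermitRootLogin prohibit-password
UsePAM yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""
```

Running audit(SAMPLE) reports PasswordAuthentication as effectively "yes" and ChallengeResponseAuthentication as unset, which is exactly what sshd would enforce despite the later "no".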
Disable Root Password Login
After confirming SSH key login works, you can optionally create a non-root admin user for Proxmox and limit root access further:
# Create a Linux user for administration:
useradd -m -s /bin/bash pvadmin
passwd pvadmin
# Add to sudo group:
usermod -aG sudo pvadmin
# Create a Proxmox user and assign Administrator role:
pveum useradd pvadmin@pam
pveum aclmod / -user pvadmin@pam -role Administrator
# You can now log into the web UI as pvadmin@pam
Configure the Proxmox Firewall
Proxmox has a built-in firewall at the datacenter, host, and VM levels. Enable it at the datacenter level and create restrictive rules. Because policy_in: DROP takes effect as soon as the firewall is enabled, write the ACCEPT rules for your management network in the same edit that sets enable: 1, and keep a console session open in case you lock yourself out:
# Enable the firewall at datacenter level:
# Edit /etc/pve/firewall/cluster.fw
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT
[RULES]
IN ACCEPT -p tcp -dport 22 -source 10.0.0.0/24 -log nolog # SSH from LAN
IN ACCEPT -p tcp -dport 8006 -source 10.0.0.0/24 -log nolog # Web UI from LAN
IN ACCEPT -p tcp -dport 3128 -log nolog # SPICE proxy
IN ACCEPT -p udp -dport 5405:5412 -log nolog # Corosync (cluster)
IN ACCEPT -p tcp -dport 60000:60050 -log nolog # Live migration
# The three rules above carry no -source and therefore accept from any address;
# add -source <your cluster network> to them too unless that network is isolated.
Enable the firewall on each host node as well:
# /etc/pve/nodes/pve1/host.fw
[OPTIONS]
enable: 1
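A small linter for .fw files, added here as an example (not the guide's or Proxmox's own code): it checks that the firewall is enabled with an inbound DROP policy and that no IN ACCEPT rule opens SSH or the web UI without a -source restriction. It understands the rule syntax used above (trailing # comments, port ranges, and a leading | for a disabled rule); SAMPLE is a constructed file, not a real one.

```python
# Added example (not the guide's code): lint a Proxmox .fw text; SAMPLE is constructed.
import re
MGMT_PORTS = {22, 8006}  # SSH and the web UI must never be open to any source

def parse_fw(text):
    """Return the [OPTIONS] mapping and the active [RULES] lines of a .fw file."""
    options, rules, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop trailing comments
        if not line or line.startswith("|"):  # '|' marks a disabled rule
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
        elif section == "OPTIONS" and ":" in line:
            key, value = line.split(":", 1)
            options[key.strip()] = value.strip()
        elif section == "RULES":
            rules.append(line)
    return options, rules

def rule_option(rule, name):
    m = re.search(rf"(?:^|\s)-{name}\s+(\S+)", rule)  # '-name value', else None
    return m.group(1) if m else None

def ports_of(spec):
    """Expand '22', '5405:5412' or '22,8006' into a set of port numbers."""
    return {p for part in spec.split(",") for lo, _, hi in [part.partition(":")]
            for p in range(int(lo), int(hi or lo) + 1)}

def lint(text):
    """Findings: firewall off, inbound policy not DROP, management port without -source."""
    options, rules = parse_fw(text)
    findings = []
    for opt, want in (("enable", "1"), ("policy_in", "DROP")):
        if options.get(opt, "").upper() != want:
            findings.append(f"{opt} is not {want}")
    for rule in rules:
        if rule.upper().startswith("IN ACCEPT") and not rule_option(rule, "source"):
            dport = rule_option(rule, "dport")
            if dport and ports_of(dport) & MGMT_PORTS:
                findings.append("management port open to any source: " + rule)
    return findings

SAMPLE = """[OPTIONS]
enable: 1
policy_in: ACCEPT
[RULES]
IN ACCEPT -p tcp -dport 22 -source 10.0.0.0/24 -log nolog # SSH from LAN
IN ACCEPT -p tcp -dport 8006 -log nolog # Web UI with no -source restriction
"""
```

lint(SAMPLE) flags the ACCEPT inbound policy and the unrestricted 8006 rule; the source-restricted SSH rule passes.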
Install and Configure Fail2ban
Fail2ban monitors log files and bans IPs that show malicious signs (repeated failed logins). If /var/log/auth.log does not exist on your host (Proxmox VE 8 is based on Debian 12, which no longer installs rsyslog by default), set backend = systemd in the jail so fail2ban reads sshd events from the journal instead:
# Install fail2ban:
apt update && apt install fail2ban -y
# Create a local config (do not edit the default):
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local
# Enable the SSH jail:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
findtime = 600
# Start and enable:
systemctl enable fail2ban
systemctl start fail2ban
# Check banned IPs:
fail2ban-client status sshd
Disable Unused Ports and Services
Review running services and disable anything you do not need:
# List listening ports:
ss -tlnp
# Common services to evaluate:
# - rpcbind (port 111): Disable if not using NFS
systemctl disable --now rpcbind rpcbind.socket
# - postfix (port 25): Keep only if you need email notifications
# If not needed:
systemctl disable --now postfix
# Disable the enterprise repository if you do not have a subscription
# (prevents apt errors, not a security issue but reduces noise):
# Comment out or remove /etc/apt/sources.list.d/pve-enterprise.list
Enable Automatic Security Updates
Install unattended-upgrades to automatically apply security patches. Note that the origin below covers Debian security updates only; Proxmox's own packages come from the Proxmox repositories and are not matched by it, so they are still updated manually with apt dist-upgrade as described under Additional Hardening Steps:
# Install:
apt install unattended-upgrades -y
# Configure:
nano /etc/apt/apt.conf.d/50unattended-upgrades
# Ensure these origins are enabled:
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
};
# Enable automatic updates:
dpkg-reconfigure -plow unattended-upgrades
# Verify it is active:
systemctl status unattended-upgrades
Additional Hardening Steps
- Enable two-factor authentication in the Proxmox web UI for all admin accounts (Datacenter > Permissions > Two Factor).
- Keep Proxmox updated: run apt update && apt dist-upgrade regularly.
- Use HTTPS only: the Proxmox web UI uses HTTPS by default on port 8006. Never expose port 8006 directly to the internet; reach it over a VPN instead.
- Audit user permissions: Follow the principle of least privilege when creating Proxmox users and API tokens.
After hardening your Proxmox server, you will want to keep an eye on its status without needing direct SSH access for every check. ProxmoxR provides a secure, read-at-a-glance mobile dashboard for monitoring node health, running VMs, and resource usage — complementing your hardened setup with convenient remote visibility.
Summary
Hardening Proxmox VE involves layering multiple defenses: SSH key-only authentication, firewall rules that restrict access to trusted networks, fail2ban for intrusion prevention, disabling unused services, and automatic security updates. None of these steps are individually complex, but together they significantly reduce your attack surface. Apply these measures before exposing your Proxmox server to any untrusted network.