How to secure Proxmox web UI?

sg flag

How can I best secure Proxmox Web UI?

What I have done:

  • Added SSL
  • Added two-factor authentication

What I have planned:

  • Change default port 8006 to a random port, such as 3462
  • Add tunneling by SSH, and change the SSH port to a random port, such as 3462 (is tunneling required when I have two-factor authentication?)

What else can I do?

ws flag

This question reads rather strangely.

> Added SSL

TLS is enabled by default on Proxmox. If you needed to "add" something then something was broken to begin with.

There's no point in provisioning SSH tunneling unless you also block non-local access to the Proxmox port - and when you do that, there's no benefit from changing the port Proxmox is listening on.

> is tunneling required when I have two-factor authentication?

You are comparing apples and oranges.

You should start with a security model - who needs access, what are you trying to defend against - and then align your design with that. If you require remote access, nobody else does, and ssh key pairs are appropriate for your use-case / will be used, then there's not much to be gained from MFA in Proxmox.

Security is about confidentiality, availability and integrity. If you apply every possible access restriction to the target then you increase the risk of compromising the availability.

For a homelab type installation, assuming physical access is not a significant risk factor I would suggest that a more appropriate set of controls would be:

  1. limit access to port 8006 on the Proxmox host to the loopback address
  2. use complex passwords for the Unix accounts
  3. use ssh forwarding
  4. do not allow password logins or root logins via ssh (i.e. keypairs only)
  5. optionally consider the following for ssh access:
       • fail2ban
       • MFA
       • non-standard port
       • port knocking

lindaz avatar
sg flag
Can you explain how to limit access to port 8006 on the Proxmox host to the loopback address? Should I use Tailscale?
ws flag
Like ssh, Tailscale provides an alternative, secure route to a service, it DOES NOT CLOSE OFF ACCESS via the insecure route. For that you need to either change the listening interface to the loopback device or restrict access to a link local address via iptables (or both) for the Proxmox web GUI.
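
A way to verify the point made in the comment above, that adding a tunnel or VPN does not by itself close the direct route to port 8006 (an added example, not part of the original thread). The function name `exposed_listeners`, the sample `ss` output and the host name `pve.example` are constructed for illustration; the `LISTEN_IP` setting assumes a Proxmox VE release whose pveproxy reads it from `/etc/default/pveproxy`.

```shell
#!/bin/sh
# Assumed remediation being verified (not from the thread):
#   /etc/default/pveproxy:  LISTEN_IP="127.0.0.1"
#   systemctl restart pveproxy
# and, from the admin workstation (pve.example is a placeholder):
#   ssh -L 8006:127.0.0.1:8006 user@pve.example   # then browse https://127.0.0.1:8006

# exposed_listeners PORT
# Reads `ss -Htln` output on stdin and prints every local address that is
# listening on PORT and is NOT a loopback address. No output means the port
# is only reachable from the host itself (e.g. through an SSH forward).
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            la = $4                          # "Local Address:Port" column
            n = match(la, /:[0-9]+$/)        # split at the last colon
            if (!n) next
            addr = substr(la, 1, n - 1)
            p = substr(la, n + 1)
            sub(/%.*$/, "", addr)            # drop "%iface" scope suffix
            if (p != port) next
            if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
            print addr
        }'
}

# Constructed samples of `ss -Htln` output (not captured from a real host).
# BEFORE: default wildcard bind. AFTER: bound to loopback only.
SAMPLE_BEFORE='LISTEN 0 4096 *:8006 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:85 0.0.0.0:*'
SAMPLE_AFTER='LISTEN 0 4096 127.0.0.1:8006 0.0.0.0:*
LISTEN 0 4096 [::1]:8006 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

printf 'before: %s\n' "$(printf '%s\n' "$SAMPLE_BEFORE" | exposed_listeners 8006)"
printf 'after:  %s\n' "$(printf '%s\n' "$SAMPLE_AFTER" | exposed_listeners 8006)"
```

On a live host the same check is `ss -Htln | exposed_listeners 8006`; any address it prints is still serving the web UI outside the tunnel.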
cn flag

There is no reason to expose any hypervisor web GUI to the Internet if you don't have to. I would suggest using a VPN (like WireGuard), then configuring the web GUI to only listen to IPs originating from the VPN.

If this is what you mean by "tunneling" then yes, that should be enough if you use key-based SSH authentication.

lindaz avatar
sg flag
If I use Proxmox, should I install Tailscale on the host?
pzkpfw avatar
cn flag
Tailscale is just one type of VPN. If you want to use that, sure. It's built on WireGuard and is pretty good from what I've seen, and it would help a lot in securing the web UI as long as you ensure the UI only listens to the "internal" IP in the VPN.