{"id":47771478,"url":"https://github.com/HomeSecExplorer/Proxmox-Hardening-Guide","last_synced_at":"2026-04-18T13:00:47.674Z","repository":{"id":316642068,"uuid":"1047884111","full_name":"HomeSecExplorer/Proxmox-Hardening-Guide","owner":"HomeSecExplorer","description":"Security hardening guides for PVE and PBS, built on CIS Debian Benchmark with Proxmox specific best practices.","archived":false,"fork":false,"pushed_at":"2026-01-12T18:14:09.000Z","size":123,"stargazers_count":342,"open_issues_count":0,"forks_count":17,"subscribers_count":8,"default_branch":"main","last_synced_at":"2026-01-12T23:52:47.987Z","etag":null,"topics":["ceph","cis","debian","enterprise","hardening","homelab","pbs","proxmox","proxmox-backup-server","proxmox-ve","pve","security","virtualization","zfs"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/HomeSecExplorer.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG","contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":"HomeSecExplorer"}},"created_at":"2025-08-31T13:02:19.000Z","updated_at":"2026-01-12T18:11:11.000Z","dependencies_parsed_at":"2025-09-25T21:24:44.609Z","dependency_job_id":null,"html_url":"https://github.com/HomeSecExplorer/Proxmox-Hardening-Guide","commit_stats":null,"previous_names":["homesecexplorer/proxmox-hardening-guide"],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/HomeSecExplorer/Proxmox-Hardening-Guide","r
epository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HomeSecExplorer%2FProxmox-Hardening-Guide","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HomeSecExplorer%2FProxmox-Hardening-Guide/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HomeSecExplorer%2FProxmox-Hardening-Guide/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HomeSecExplorer%2FProxmox-Hardening-Guide/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/HomeSecExplorer","download_url":"https://codeload.github.com/HomeSecExplorer/Proxmox-Hardening-Guide/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HomeSecExplorer%2FProxmox-Hardening-Guide/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31969772,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-18T00:39:45.007Z","status":"online","status_checked_at":"2026-04-18T02:00:07.018Z","response_time":103,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ceph","cis","debian","enterprise","hardening","homelab","pbs","proxmox","proxmox-backup-server","proxmox-ve","pve","security","virtualization","zfs"],"created_at":"2026-04-03T10:00:15.646Z","updated_at":"2026-04-18T13:00:47.667Z","avatar_url":"https://github.com/HomeSecExplorer.png","language":null,"funding_links":["https://github.com/spons
ors/HomeSecExplorer"],"categories":["Documentation"],"sub_categories":["macOS"],"readme":"# Proxmox Hardening Guide\n\n[![CC BY 4.0](https://img.shields.io/badge/License-CC%20BY%204.0-green.svg)](LICENSE)\n[![Release](https://img.shields.io/github/v/release/HomeSecExplorer/Proxmox-Hardening-Guide?color=blue)](https://github.com/HomeSecExplorer/Proxmox-Hardening-Guide/releases)\n[![Issues](https://img.shields.io/github/issues/HomeSecExplorer/Proxmox-Hardening-Guide?color=blue)](https://github.com/HomeSecExplorer/Proxmox-Hardening-Guide/issues)\n\n[![Github-sponsors](https://img.shields.io/badge/sponsor-30363D?style=for-the-badge\u0026logo=GitHub-Sponsors\u0026logoColor=#EA4AAA)](https://github.com/sponsors/HomeSecExplorer)\n\n[![PVE9](https://img.shields.io/badge/PVE9-orange)](docs/pve9-hardening-guide.md)\n[![PBS4](https://img.shields.io/badge/PBS4-orange)](docs/pbs4-hardening-guide.md)\n[![PVE8](https://img.shields.io/badge/PVE8-orange)](docs/pve8-hardening-guide.md)\n[![PBS3](https://img.shields.io/badge/PBS3-orange)](docs/pbs3-hardening-guide.md)\n\nThe **Proxmox Hardening Guide** project provides structured, actionable recommendations to secure\n**Proxmox Virtual Environment (PVE 9.x \u0026 8.x)** and **Proxmox Backup Server (PBS 4.x \u0026 3.x)**.\n\nThese guides are designed for system administrators and security engineers who need\n**step-by-step hardening instructions, compliance alignment with the CIS Debian Benchmark, and best practices for enterprise and homelab deployments**.\n\nThey extend the industry-recognized *CIS Debian Benchmark* with Proxmox-specific security tasks, practical examples, and real-world best practices.\n\n[Available Hardening Guides](#available-hardening-guides)\n\n---\n\n## Project Status\n\n\u003e [!WARNING]\n\u003e This project is under active development and some controls are still being validated.\\\n\u003e Your feedback, testing results, and contributions are strongly encouraged to help improve accuracy, completeness, and 
reliability.\n\n### ToDos\n\nSome steps are flagged with “Controls have **not** yet been validated.” If you have a lab environment, I’d love your help testing these and sharing what you find (successes and issues alike). Thank you!\n\n#### PVE 9 guide - items to validate\n\n- 1.1.5 - Enable Full-Disk Encryption\n- 1.2.1.1 - Enable UEFI Secure Boot\n- 1.2.1.2 - Kernel Lockdown (Integrity Mode)\n- 1.3 - SDN\n- 5.3.2 - Rootkit Detection\n\n#### PBS 4 guide - items to validate\n\n- 1.1.5 - Enable Full-Disk Encryption (including Ceph OSD impact/performance validation)\n- 1.2.1.1 - Enable UEFI Secure Boot\n- 1.2.1.2 - Kernel Lockdown (Integrity Mode)\n- 1.2.4 - ZFS datasets\n- 1.2.5 - SMB/CIFS mount\n- 5.3.2 - Rootkit Detection\n\n#### PVE 8 guide - items to validate\n\n- 1.1.2 - Apply Debian 12 CIS Level 2\n- 1.1.4 - ssh-audit: step 6 (connection rate throttling) on clusters\n- 1.1.5 - Enable Full-Disk Encryption\n- 1.2.1.1 - Enable UEFI Secure Boot\n- 1.2.1.2 - Kernel Lockdown (Integrity Mode)\n- 1.3 - SDN\n- 3.5 - Ceph Messenger Encryption (In-Flight)\n- 5.3.2 - Rootkit Detection\n\n#### PBS 3 guide - items to validate\n\n- 1.1.2 - Apply Debian 12 CIS Level 2\n- 1.1.5 - Enable Full-Disk Encryption (including Ceph OSD impact/performance validation)\n- 1.2.1.1 - Enable UEFI Secure Boot\n- 1.2.1.2 - Kernel Lockdown (Integrity Mode)\n- 1.2.4 - ZFS datasets\n- 1.2.5 - SMB/CIFS mount\n- 5.1.2 - Auditd for /etc/proxmox-backup\n- 5.3.2 - Rootkit Detection\n\n---\n\n## Available Hardening Guides\n\nChoose the guide for your version: PVE 9 hardening, PBS 4 hardening, PVE 8 hardening, or PBS 3 hardening:\n\n| Guide | Product | Guide Version | Path |\n|-------|---------|---------|------|\n| **PVE 9** | Proxmox Virtual Environment 9.x | 0.9.2 - 09 February 2026 | [`docs/pve9-hardening-guide.md`](docs/pve9-hardening-guide.md) |\n| **PBS 4** | Proxmox Backup Server 4.x | 0.9.1 - 12 January 2026 | [`docs/pbs4-hardening-guide.md`](docs/pbs4-hardening-guide.md) |\n| **PVE 8** | Proxmox 
Virtual Environment 8.x | 0.9.5 - 09 February 2026 | [`docs/pve8-hardening-guide.md`](docs/pve8-hardening-guide.md) |\n| **PBS 3** | Proxmox Backup Server 3.x | 0.9.4 - 12 January 2026 | [`docs/pbs3-hardening-guide.md`](docs/pbs3-hardening-guide.md) |\n\n**Key Benefits:**\n\n- **Security Best Practices for PVE and PBS** - aligned with the *CIS Debian Benchmark* and adapted to virtualization and backup environments.\n- **Step-by-Step Hardening Guides** - clear instructions for system administrators, security engineers, and auditors.\n- **Comprehensive Proxmox Security Coverage** - includes configuration, datastore verification, automated backups, encryption, and disaster recovery testing.\n\n---\n\n## Safety first\n\nBefore you change anything:\n\n- Create a recent backup or snapshot of the node and critical VMs or containers.\n- Schedule a maintenance window so you can reboot if needed.\n- Ensure you have out-of-band access (IPMI, iKVM, physical console).\n- Record your current settings so you can restore them if required.\n\n## Quick Start\n\nClone the repository and open the guide you need:\n\n```bash\ngit clone https://github.com/HomeSecExplorer/proxmox-hardening-guide.git\ncd proxmox-hardening-guide/docs\n```\n\n## How to use these guides\n\n1. **Start in a lab/staging node first** (or a single non-critical host).\n2. Ensure you have **working backups** and **out-of-band/console access** before changing SSH, firewall, boot, or storage settings.\n3. Apply controls **incrementally**:\n   - Do **Level 1** first (lowest risk, highest baseline value).\n   - Move to **Level 2** only when you understand the operational impact.\n   - Apply Level 3 **only when needed**.\n4. After each change, **validate service health** (GUI access, SSH, storage, cluster status, backups, VM migration) and keep a rollback path.\n5. 
Use the **Execution Status** checkboxes to track what’s applied per host, and record deviations with a short note.\n\n---\n\n## Contributing\n\nCommunity collaboration is highly welcome! Please see the detailed instructions in [`CONTRIBUTING.md`](CONTRIBUTING.md).\n\n- Found an issue or have feedback? Open an Issue.\n- Want to contribute improvements? Fork the repository and submit your pull request against the dev branch.\n\n---\n\n## Disclaimer \u0026 Terms of Use\n\n\u003e [!WARNING]\n\u003e ⚠️ **AS‑IS, NO WARRANTY**.\n\nBy using these guides, you agree to:\n\n1. **Responsibility** - You must test and validate each recommendation yourself before applying it.\n2. **No Liability** - The authors and contributors are **not liable** for any direct, indirect, or consequential damages arising from the use of this guidance.\n3. **License** - All content is licensed under **CC BY 4.0** (see [`LICENSE`](LICENSE)).  \n4. **Community Techniques** - Some recommended practices are community-driven and **not officially supported** by Proxmox GmbH. Use at your own risk.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FHomeSecExplorer%2FProxmox-Hardening-Guide","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FHomeSecExplorer%2FProxmox-Hardening-Guide","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FHomeSecExplorer%2FProxmox-Hardening-Guide/lists"}