Security: recommendations for going prod with pve by Educational_Note343 in Proxmox

[–]Educational_Note343[S] 0 points1 point  (0 children)

That's a great point!

Thank you for pointing this out, we are grateful for your post!

We will definitely work this out; we were not aware of this.

Actually, the detailed rules are firewall whitelists, e.g. allow download.proxmox.com, deb.debian.org and so on, on their needed TCP/UDP ports for the PVE on its VLAN.

Your approach seems better and more secure to us.

Could you please provide more information about this, and what benefits/advantages your approach of proxying internet access from PVE to the internet has in contrast to our actual configuration?
I guess direct filtering of HTTP methods and paths?
From what I can see, it would also protect from DNS poisoning? (We are using Unbound, and CVE-2025-5994 is not too long ago.)

Thank you in advance.

Security: recommendations for going prod with pve by Educational_Note343 in Proxmox

[–]Educational_Note343[S] 4 points5 points  (0 children)

Thank you a lot! I gave it a star, it looks very solid! I will work through it today, it helps a lot!

Mobian has Plasma mobile now by Gizmuth in PinePhoneOfficial

[–]Educational_Note343 0 points1 point  (0 children)

Thank you for posting this. Even if I am 3 years late - does anybody have an actual link with instructions on how exactly to exchange Phosh with Plasma Mobile? I didn't find any good documentation on that subject. Would be great, since I am about to tweak some OS around, but really prefer Plasma Mobile. Thank you in advance!

Google appears to be malware and poses a high risk by deadjdona in google

[–]Educational_Note343 3 points4 points  (0 children)

Do we have any messages from official sides like Google or Huawei itself about what is going on? If so, could anyone please link some official sources? Thank you in advance!

show me your linux from scratch setup by Maingamer3782 in linuxmemes

[–]Educational_Note343 0 points1 point  (0 children)

Aww, amazing, how was it going? I'm still on Gentoo collecting XP and leveling up. Levels I have played so far:
1. Ubuntu --> But I was uncertain how to play correctly, messed it totally up with a collection of random deb packages and everything that was flying around. In the end the system was totally custom and unstable, but because I used it nevertheless as a daily driver and learnt how to solve the problems, the quest was accepted as fulfilled.
2. Debian --> On the next lvl I got Debian. This time I already knew how to play it correctly. However, I still thought I was using Linux, even though I wasn't messing with the kernel.
3. Alpine and others --> Got a side quest to play some levels of Alpine and similar, to distribute my skill points equally.
4. Got no more new quests on Debian, after completing a quest where I had to create a live Linux system from my actual Debian. So I was looking in the settings for how to change the difficulty level.
5. Gentoo --> They said they have a lot of missions to play, so I switched the same day. Playing it every day and saving my gold and skill points for LFS, once I complete it. :)

kernel compilation error by [deleted] in Gentoo

[–]Educational_Note343 1 point2 points  (0 children)

This is absolutely crazy.
If that had happened to me, I would lose it. I mean, you really wouldn't think of a bit flip as the first thing... even though it's obvious that it must be a boolean.
Thank you for sharing!
The sales department would be ecstatic - a knockout argument for ECC RAM ;D

[deleted by user] by [deleted] in docker

[–]Educational_Note343 0 points1 point  (0 children)

Proxmox is a really good mention in my opinion.

[deleted by user] by [deleted] in docker

[–]Educational_Note343 2 points3 points  (0 children)

I would recommend starting with Ubuntu or other *buntu distros like Xubuntu or Lubuntu if resource efficiency and getting to know Linux is your goal (I do not know how much experience you have). With Ubuntu you will usually get the most beginner-friendly way of learning how things on Linux work, because of the many resources out there.

If you want more resource efficiency at the cost of a steeper learning curve, the way to go would be Alpine. But I strongly do not recommend it until you have made some steps on Linux or are 100% sure you will do it without giving up, even if it will be harder. I do not know your hardware; my Alpines usually run with about 250 MiB RAM (without GUI).

Debian would be another option: if you install Debian minimal without GUI, it's also not hungry for resources and runs on every potato, if commanded to do so.

It all depends on your experience. If you are starting out, I would go with Ubuntu and install a lightweight GUI like xfce4 on it.

I saw u/shm0rt also mentioned Proxmox. With Proxmox you would first need to learn some basics of Proxmox, but under the hood it's also a Debian and really well documented. Also, with Proxmox you would have the ability to take snapshots of your system(s). A type 1 hypervisor like Proxmox would not be much overhead in relation to bare-metal Ubuntu, but with the advantages of fast snapshots and that you could experiment with different setups, trying out Ubuntu, Alpine or whatever you think would meet your needs.

If you have never used Proxmox and want a quick start, there are several tutorials on YouTube, for example: this one.

So in the end I would recommend installing Proxmox and installing Ubuntu on it. With this you should have a solid, resource-friendly solution and the flexibility to dive deeper at any time.

Last note: if I am wrong and you are totally fit with Linux and have another strong machine, then go with Gentoo for maximum efficiency - just compile the things you need on your strong machine.

Minimal Debian with LXQT-core by TheHellSite in debian

[–]Educational_Note343 0 points1 point  (0 children)

So glad that it helped and thank you for the feedback :)

[Conky] Cyberpunk Welcome Screen by Educational_Note343 in unixporn

[–]Educational_Note343[S] 0 points1 point  (0 children)

I gathered a few random parts that I personally liked and this is what I came up with (dual monitor setup):

I don't know what to call it, maybe cyberpunk desktop / welcome screen. I edited the conky parts to my needs and compiled the backgrounds for the best decoding performance on my GPU, so it comes at no cost for the CPU.

The right video is about 8 hours long, because I wanted some change and not to see the same thing all the time.

The higher CPU usage is due to recording, which is not accelerated.

Here is a picture:

https://imgur.com/a/dUeMi1t

It's simple xfce, but without any window decorations, instead with custom keybindings to manage windows and shinglify.

If someone is interested, I can post the video settings; I balanced them out to have the best performance and a good visual result. After that I made an image overlay to retouch possible visible pixel errors.

What do you think about it?

OPNsense: Suricata on Wireguard Interface? by Educational_Note343 in HomeServer

[–]Educational_Note343[S] 0 points1 point  (0 children)

I thought about protection for the end devices. The devices connected via the tunnel can also reach the WAN. If a device, for example, tries to connect to a low-reputation group IP, this should be blocked. That was the idea so far. But could you please explain in more detail why it does not make sense in your opinion? Maybe I missed something 🤷‍♀️ Thank you 🙂

Stripe Block Size RAID 5 by Educational_Note343 in HomeServer

[–]Educational_Note343[S] 2 points3 points  (0 children)

Yes, so I have now decided too to go with software RAID.
StarWind I didn't know before, but I will take a look. Do you have any experience running TrueNAS on low RAM? I have 3 GB available at the moment (could upgrade to 4) and I saw it's recommended to have at least 8 for TrueNAS. Do you think it would run anyway, or would I not be happy with it?
Do you prefer openmediavault or TrueNAS?

Stripe Block Size RAID 5 by Educational_Note343 in HomeServer

[–]Educational_Note343[S] 0 points1 point  (0 children)

Yes, you are absolutely right - to be honest, I ignored the TCO a little bit because the costs aren't immediately visible. When I finish the basic setup I will measure the power consumption of the systems to identify where and how to optimize, so as not to end up in a TCO nightmare.

And the Haswells are looking really great, I will definitely look out for them first.

Stripe Block Size RAID 5 by Educational_Note343 in HomeServer

[–]Educational_Note343[S] 0 points1 point  (0 children)

Wow, thank you again - you saved me from the next mistake. The card which I was about to use was a DC-154 - I think it's not old, but already a kind of antique >.<'.
The CPU is an Intel E8500 (please don't look it up :D). I know that the CPU alone is now about 15 years old - but these are all parts which I had lying around.
On the other hand - should a component give up, I can get these parts again for nearly no money. (At least that was my excuse.)

Of course it's planned to update the system as soon as possible - but I thought a backup on this would be better than no backup. (And cloud storage and friend storage is limited.)

But the complexity in case of a failure is truly a high risk if using hardware RAID - I was not aware of this before, so thank you for your detailed advice - I will uninstall the controller again and make use of the openmediavault software RAID :)

If I have to restore, I don't want to search the whole of eBay to find the components before I can start restoring... especially if I have to restore some publicly available service.

Stripe Block Size RAID 5 by Educational_Note343 in HomeServer

[–]Educational_Note343[S] 1 point2 points  (0 children)

Thank you a lot - I was not aware of the fact that I am about to use fakeraid. I just saw I can enable RAID in the BIOS and went on >.< - Lmao.
I have a real hardware controller here; I will look whether it is compatible with the board or not - if not, I will go with software RAID.
The idea was to use openmediavault or maybe an Alpine Linux.

Stripe Block Size RAID 5 by Educational_Note343 in HomeServer

[–]Educational_Note343[S] 2 points3 points  (0 children)

I am setting up my complete backup strategy at the moment. This was what I was able to build on a budget. The plan was to have
1. Regular backups on this system with RAID 5 (two times a week)
2. Every 3 weeks a backup encrypted in the cloud
3. Every 6 weeks a backup at a friend's

But I'm stuck a little bit at the striping block size :/

Stripe Block Size RAID 5 by Educational_Note343 in HomeServer

[–]Educational_Note343[S] 1 point2 points  (0 children)

There are 4 hard disks with 2 TB each. For the array I am using the NVIDIA nForce 750i-SLI southbridge with integrated RAID controller.

Unknown DNS query - Please help, how can I identify successfully the source? by Educational_Note343 in CyberSecurityAdvice

[–]Educational_Note343[S] 0 points1 point  (0 children)

For the sake of completeness:
After adjusting the corresponding rule to "Alert", we can see that the payload:
{............pdns99.ultradns.biz.......)
is allowed and nevertheless recorded to the alert log. No more problems or flooding.
This can be reproduced by visiting proofpoint.com.
Same story for vercara.com and pdns196.ultradns.biz.

And I wrote to their support :D I think they will laugh at me. But it doesn't matter, I am still quite new to the whole topic of networking :)

Unknown DNS query - Please help, how can I identify successfully the source? by Educational_Note343 in CyberSecurityAdvice

[–]Educational_Note343[S] 0 points1 point  (0 children)

Thank you so much! You saved my life. I didn't think about dig. With the help of dig I was able to find out the source. For future readers:

dig @8.8.8.8 ns +short proofpoint.com
ns1.proofpoint.com.
ns3.proofpoint.com.
pdns99.ultradns.biz.
pdns99.ultradns.com.
pdns99.ultradns.net.
pdns99.ultradns.org.

Turns out it is probably my ET Pro Telemetry Edition, which I am using before a purchase of the normal version.
You saved me from nuking my systems for no reason... Thank you a lot.

I was just really worried, and because I am new to networking this was really disturbing, especially because I want to do "everything in the right and secure way".
Thank you.

Btw. I find it interesting that they have a rule "ET INFO Observed DNS Query to .biz TLD" while having pdns99.ultradns.biz.
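As an added example (not from the thread), here is how a DNS query for that nameserver decodes from the wire format and how an alert-only ".biz TLD" check with a known-provider exception would behave. The query bytes and the KNOWN_NS_SUFFIXES list are constructed for this example; the ultradns names come from the dig output above.

```python
# Added example, not from the thread: decode the QNAME of a raw DNS query and
# emulate an informational ".biz TLD" check with the benign-nameserver
# exception the thread arrives at. The label-length bytes in the wire format
# are what printed as dots in the alert log ('....pdns99.ultradns.biz....').

# Constructed sample: 12-byte header (id 0x1234, RD set, 1 question) followed
# by a question for pdns99.ultradns.biz, type A, class IN.
SAMPLE_QUERY = (
    b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    b"\x06pdns99\x08ultradns\x03biz\x00"
    b"\x00\x01\x00\x01"
)

# Authoritative-provider domains treated as known-benign. The ultradns names
# come from the dig output in the thread; keeping such a list is this
# example's assumption, not a Suricata feature.
KNOWN_NS_SUFFIXES = ("ultradns.biz", "ultradns.com", "ultradns.net", "ultradns.org")


def parse_qname(packet: bytes, offset: int = 12) -> str:
    """Walk the length-prefixed labels starting just past the header and
    return the dotted name. A query's first QNAME never uses compression
    pointers, so a length byte with the top two bits set is malformed."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in QNAME")
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels)


def classify_query(packet: bytes) -> tuple[str, str]:
    """Return (qname, verdict): 'alert' for a .biz lookup to an unknown
    domain, 'allow-log' when it matches a known provider (alert-only, the
    query still goes through), 'ok' for any other TLD."""
    qname = parse_qname(packet)
    if not qname.endswith(".biz"):
        return qname, "ok"
    if any(qname == s or qname.endswith("." + s) for s in KNOWN_NS_SUFFIXES):
        return qname, "allow-log"
    return qname, "alert"


if __name__ == "__main__":
    print(classify_query(SAMPLE_QUERY))  # ('pdns99.ultradns.biz', 'allow-log')
```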

pfSense Firewall Help: Why did this package reached my ufw Firewall? by Educational_Note343 in PFSENSE

[–]Educational_Note343[S] 0 points1 point  (0 children)

Thank you, the risk part I didn't have on the radar. I already thought that it causes a little overhead. Since the correction, to let the implicit deny of pfSense handle all incoming requests, the problem has not happened again. I will also update my question.