The Proxmox Hardening Guide project provides structured, actionable recommendations to secure Proxmox Virtual Environment (PVE 9.x & 8.x) and Proxmox Backup Server (PBS 4.x & 3.x).
These guides are designed for system administrators and security engineers who need step-by-step hardening instructions, compliance alignment with the CIS Debian Benchmark, and best practices for enterprise and homelab deployments.
They extend the industry-recognized CIS Debian Benchmark with Proxmox-specific security tasks, practical examples, and real-world best practices.
Warning
This project is under active development and some controls are still being validated.
Your feedback, testing results, and contributions are strongly encouraged to help improve accuracy, completeness, and reliability.
Some steps are flagged with “Controls have not yet been validated.” If you have a lab environment, I’d love your help testing these and sharing what you find (successes and issues alike). Thank you!
- 1.1.5 - Enable Full-Disk Encryption
- 1.2.1.1 - Enable UEFI Secure Boot
- 1.2.1.2 - Kernel Lockdown (Integrity Mode)
- 1.3 - SDN
- 5.3.2 - Rootkit Detection
- 1.1.5 - Enable Full-Disk Encryption (including Ceph OSD impact/performance validation)
- 1.2.1.1 - Enable UEFI Secure Boot
- 1.2.1.2 - Kernel Lockdown (Integrity Mode)
- 1.2.4 - ZFS datasets
- 1.2.5 - SMB/CIFS mount
- 5.3.2 - Rootkit Detection
- 1.1.2 - Apply Debian 12 CIS Level 2
- 1.1.4 - ssh-audit: step 6 (connection rate throttling) on clusters
- 1.1.5 - Enable Full-Disk Encryption
- 1.2.1.1 - Enable UEFI Secure Boot
- 1.2.1.2 - Kernel Lockdown (Integrity Mode)
- 1.3 - SDN
- 3.5 - Ceph Messenger Encryption (In-Flight)
- 5.3.2 - Rootkit Detection
- 1.1.2 - Apply Debian 12 CIS Level 2
- 1.1.5 - Enable Full-Disk Encryption (including Ceph OSD impact/performance validation)
- 1.2.1.1 - Enable UEFI Secure Boot
- 1.2.1.2 - Kernel Lockdown (Integrity Mode)
- 1.2.4 - ZFS datasets
- 1.2.5 - SMB/CIFS mount
- 5.1.2 - Auditd for /etc/proxmox-backup
- 5.3.2 - Rootkit Detection
Choose the guide for your version: PVE 9 hardening, PBS 4 hardening, PVE 8 hardening, or PBS 3 hardening:
| Guide | Product | Guide Version | Path |
|---|---|---|---|
| PVE 9 | Proxmox Virtual Environment 9.x | 0.9.0 - 30 December 2025 | docs/pve9-hardening-guide.md |
| PBS 4 | Proxmox Backup Server 4.x | 0.9.0 - 30 December 2025 | docs/pbs4-hardening-guide.md |
| PVE 8 | Proxmox Virtual Environment 8.x | 0.9.3 - 30 December 2025 | docs/pve8-hardening-guide.md |
| PBS 3 | Proxmox Backup Server 3.x | 0.9.3 - 30 December 2025 | docs/pbs3-hardening-guide.md |
Key Benefits:
- Security Best Practices for PVE and PBS - aligned with the CIS Debian Benchmark and adapted to virtualization and backup environments.
- Step-by-Step Hardening Guides - clear instructions for system administrators, security engineers, and auditors.
- Comprehensive Proxmox Security Coverage - includes configuration, datastore verification, automated backups, encryption, and disaster recovery testing.
Before you change anything:
- Create a recent backup or snapshot of the node and critical VMs or containers.
- Schedule a maintenance window so you can reboot if needed.
- Ensure you have out-of-band access (IPMI, iKVM, physical console).
- Record your current settings so you can restore them if required.
Clone the repository and open the guide you need:
git clone https://github.com/HomeSecExplorer/proxmox-hardening-guide.git
cd proxmox-hardening-guide/docs- Start in a lab/staging node first (or a single non-critical host).
- Ensure you have working backups and out-of-band/console access before changing SSH, firewall, boot, or storage settings.
- Apply controls incrementally:
- Do Level 1 first (lowest risk, highest baseline value).
- Move to Level 2 only when you understand the operational impact.
- Apply Level 3 only when needed
- After each change, validate service health (GUI access, SSH, storage, cluster status, backups, VM migration) and keep a rollback path.
- Use the Execution Status checkboxes to track what’s applied per host, and record deviations with a short note.
Community collaboration is highly welcome! Please see the detailed instructions in CONTRIBUTING.md
- Found an issue or have feedback? Open an Issue.
- Want to contribute improvements? Fork the repository and submit your pull request against the dev branch.
Warning
By using these guides, you agree to:
- Responsibility - You must test and validate each recommendation yourself before applying it.
- No Liability - The authors and contributors are not liable for any direct, indirect, or consequential damages arising from the use of this guidance.
- License - All content is licensed under CC BY 4.0 (see
LICENSE). - Community Techniques - Some recommended practices are community-driven and not officially supported by Proxmox GmbH. Use at your own risk.
