Latest Posts

Full disk encryption with Proxmox and remote decryption through SSH

Introduction

This article shows how to set up an encrypted Proxmox hypervisor with remote decryption through SSH. It's useful if you want to protect your data and all virtual machines in case of physical theft of your homelab server. Keep in mind that in order to decrypt the system (for example after a system reboot) you need to log in through SSH and enter the decryption password.

OS used: Debian 12
Software used: Proxmox 8, KeePassXC 2.7.4

SSH keys with KeePassXC

Introduction

KeePassXC is a password manager that securely stores passwords in an encrypted database. KeePassXC can also secure SSH keys by storing private keys within its encrypted database while only the public keys are present on disk. With such a setup, in order to connect to a remote host, the KeePassXC database must be opened, and the keys are then loaded into ssh-agent. Connecting to the remote host using SSH is then possible. After closing the KeePassXC database, the keys are removed from ssh-agent. In this post I will demonstrate how to achieve such a setup.

OS used: Debian 12
Software used: KeePassXC 2.7.4

Linux server with UPS

Introduction

When you have a server, it's good practice to protect it from power supply failures. The solution for this is to use a UPS. Occasionally a power outage can last longer than the UPS battery capacity, and then it's recommended to gracefully shut down the server. To accomplish this, the UPS needs some kind of connection to the server (commonly USB) and dedicated software must be installed on the server. Some UPS manufacturers have their own software, but if we have a less common model or an older UPS, then a good solution is to use open source software such as NUT (Network UPS Tools). A big advantage of NUT is that we can use one piece of software to manage UPS devices from different manufacturers. NUT is in the standard Debian repositories, so it's easy to install and can be used on a Proxmox hypervisor, which is based on Debian. This way, we can have a nice homelab hypervisor connected to a UPS for protection against power supply issues. In this article I will be using a Socomec NPE-0650 UPS.

OS used: Debian 12
Software used: nut 2.8.0
Hardware used: UPS Socomec NPE-0650

Fail2Ban simple config for SSH

Introduction

Fail2Ban is software that scans log files and can ban IP addresses, for example those with too many failed login attempts. The ban is done by updating system firewall rules to reject connections from those IP addresses for a configurable amount of time. This functionality is really useful for protecting your server from brute force attacks. In this article we will look at how to protect one of the most important services, SSH, using Fail2Ban.

OS used: Debian 12
Software used: fail2ban 1.0.2

Protect sudo and su commands with YubiKey

Introduction

Sometimes you would like a more secure sudo or su command, especially if you are a developer and often use Docker (which you run with root privileges). A solution that gives you a little more peace of mind if you are attacked by some kind of malware with a keylogger is to use a YubiKey to protect the sudo or su command. In the following article I will show how to set up a configuration in which the sudo or su command requires both the standard password and a touch of a YubiKey present in a USB port.

UPDATE 2025-01-25: Added a paragraph "Bonus 3" at the end of the article describing how to keep the PAM configuration for the YubiKey in a separate file and include it in the PAM configuration files.

OS used: Debian 12
Software used: libpam-u2f 1.1.0
Hardware used: YubiKey 5 NFC

Securing server and management computer

Introduction

In this article I will focus on things that should be done to secure homelab servers and the management computer used for connecting to these servers. Compromise of either can have very negative consequences for home infrastructure. I even think that the management computer is more important because it is an access point to all of the servers. I will try to cover some of the topics mentioned here in future posts.