We will ensure that your server uses the most secure encryption protocols is a critical part of maintaining a safe environment. If you’re running Proxmox, one of the important steps you can take is to ensure your server is not using any weak ciphers like Cipher Block Chaining (CBC) that are prone to vulnerabilities such as padding oracle attacks.

In this guide, we will walk through the steps to secure your Proxmox installation by disabling weak CBC ciphers and configuring TLS to use modern, strong cipher suites.

Why Disable CBC Ciphers?

Cipher Block Chaining (CBC) ciphers, while widely used in the past, have known weaknesses. They are vulnerable to certain attacks (e.g., BEAST, Lucky13) that can compromise the security of encrypted connections. Modern alternatives like AES-GCM (Galois/Counter Mode) and ChaCha20-Poly1305 provide stronger encryption and better performance, making them more suitable for today’s security needs.

Step 1: Access Your Proxmox Server

You can access the terminal of your Proxmox server through the web UI or via SSH. To access it using SSH, use the following command:

  ssh root@<your_proxmox_ip>

Step 2: Create the Configuration File

By default, Proxmox may not include a dedicated configuration file to specify cipher suites. You can create a new file called /etc/default/pveproxy to define secure ciphers for the web interface. Run the following command to create and edit the file:

  nano /etc/default/pveproxy

Step 3: Add Secure Cipher Suites

In the file /etc/default/pveproxy, add the following lines to specify the secure ciphers you want to use, and disable any weak CBC ciphers.

  # File: /etc/default/pveproxy

# Specify secure ciphers, excluding CBC-based ones
CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!LOW:!MEDIUM:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!CBC"

CIPHERSUITES="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"

Let’s break down what these directives mean:

  • CIPHERS: Defines the cipher suites used for TLS 1.2. The string contains only modern, secure ciphers and explicitly disables weaker algorithms such as RC4, 3DES, MD5, and CBC-based ciphers.
  • CIPHERSUITES: Defines the cipher suites for TLS 1.3. TLS 1.3 already enforces secure ciphers, so we simply list the recommended ones (AES-GCM and ChaCha20).

Note: You don’t have to use my cipher specifically; feel free to edit and modify it as you wish to make it fit your needs.

Step 4: Restart Proxmox Services

After saving the configuration file, restart the pveproxy service for the changes to take effect. Run the following command:

  systemctl restart pveproxy

This will restart the Proxmox proxy server and apply the new cipher configuration.

Step 5: Verify the Changes

Use tools like testssl.sh to verify if the cipher has been disabled. The command to run on the tool is:

  ./testssl.sh --warnings batch -E -p -P -h -s -S -f -U <your_proxmox_ip>:8006

Replace <your_proxmox_ip> with the actual ip of your Proxmox server.

Conclusion

By following the steps in this tutorial, you’ve secured the TLS configuration on your Proxmox server, ensuring that it uses strong, modern cipher suites. Disabling weak CBC-based ciphers and allowing only secure alternatives like AES-GCM and ChaCha20-Poly1305 is a crucial step toward safeguarding your Proxmox installation against potential cryptographic vulnerabilities.

Keeping your Proxmox server secure not only protects your virtual environments but also enhances the overall security of your infrastructure.