Protecting XCP-ng host

I have a beefy i9-13900K server with 32 cores, 128 GB RAM and 8 public IPs. I mostly require it for hosting a single website. Since my provider does not provide 24/7 KVM over IP, I was thinking of setting it as a virtualization host with XCP-ng, with the website in a VM.

Since the server is hosted at a remote DC, I will have to expose the XCP-ng management interface over the internet.

What is the recommended way to secure the host in this case? I read about hosting pfSense in a VM and protecting the management port through pfSense. I am worried about locking myself out of the pfSense VM and the node management interface if I make a mistake. I have also considered limiting management interface access to whitelisted IP addresses, since I have a static IP.

How would you secure it, if you were in my situation? Or would you drop the entire virtualization plan and set up the web application on bare metal?

The simplest approach would be bare metal, but if you are going to use XCP-ng the next simplest approach would be to set an allow list to only your IP for management. While pfSense and a VPN setup would be the most secure approach, the risk you noted of being locked out is an issue.

Why doesn’t anybody tunnel SSH around here?

Just put the mgmt interface behind SSH. (Do that for your pfSense box too.)

Doing this you will have almost bulletproof security, simplicity, AND flexibility. If you want to get fancy, put the SSH server in its own VM. As long as that VM just does SSH, there is nothing to go wrong when updating this VM.

If you don’t like losers harmlessly knocking at your SSH door, then rate limit it or put IP restrictions on it.

Bare metal will just shift your problem to the application host itself. Running pfSense in a VM with a VPN tunnel just to protect the XCP-ng interface is silly. That is so much more problematic and complicated than it needs to be.

@LTS_Tom If I get locked out, will getting temporary KVM access allow me to access the pfSense interface?

@liquidjoe Are you referring to remote port forwarding?

The issues mentioned in the following thread would be a concern. I don’t like leaving SSH access with a password for the root account enabled.

I have never used XCP-ng, but I hope that forum post is wrong. wow.

Assuming those limitations are accurate, I would spin up a VM just for SSH (overkill, but all you’ve got), then modify the XCP-ng host fw config to just allow the mgmt ports necessary for XCP-ng from that SSH jump box. Something you’ve got to do anyway, not super hard, and we or the internet can help.

Then just SSH to that jump box with the ports forwarded to your XCP-ng host. There are tons of tutorials on how to do this. It’s been a long time since I’ve needed to do this, but something like: ssh -L 8080:xcp-ng-host:443 someuser@ssh-jump-box. Then on your box https://127.0.0.1:8080
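The jump-box setup described in this thread (SSH local forward to the management port, host firewall that only admits the management ports from the jump box, and the rate limit mentioned earlier), written out as a small POSIX shell script. This is an added example, not code from the thread or from the XCP-ng project. The host names `ssh-jump-box` and `xcp-ng-host`, the addresses `203.0.113.10` (jump box) and `198.51.100.7` (your static admin IP), and port 8080 are placeholders; the assumption that XCP-ng’s management traffic is on TCP 443 and SSH on TCP 22 comes from the posts above. The script does not touch a live firewall: it prints the ssh command and the iptables rules so you can review them before applying them.

```shell
#!/bin/sh
# Added example: build the SSH tunnel command for an XCP-ng management interface
# behind an SSH jump box, and generate iptables rules for the host firewall.
# All host names and IP addresses are placeholders for this example.

# is_ipv4_cidr ADDR : accept "a.b.c.d" or "a.b.c.d/nn" (octets 0-255, prefix 0-32).
# Every address going into a firewall rule is validated first, because a typo in
# an allow-list rule on a remote host with no KVM is how you lock yourself out.
is_ipv4_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32      # no "/" given: treat as a single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# tunnel_cmd LOCAL_PORT JUMP_USER JUMP_HOST MGMT_HOST [MGMT_PORT]
# Prints the ssh command that maps 127.0.0.1:LOCAL_PORT on your workstation to
# MGMT_HOST:MGMT_PORT as seen from the jump box. The bind address is pinned to
# 127.0.0.1 so nothing else on your LAN can reach the forwarded management port,
# -N starts no remote shell, and ExitOnForwardFailure makes ssh exit instead of
# silently connecting without the forward.
tunnel_cmd() {
    local_port=$1; jump_user=$2; jump_host=$3; mgmt_host=$4; mgmt_port=${5:-443}
    [ -n "$local_port" ] && [ -n "$jump_user" ] && [ -n "$jump_host" ] \
        && [ -n "$mgmt_host" ] || return 1
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s@%s\n' \
        "$local_port" "$mgmt_host" "$mgmt_port" "$jump_user" "$jump_host"
}

# mgmt_allowlist_rules JUMP_IP ADMIN_IP : emit INPUT rules (iptables-restore
# style, one per line) that accept the management ports (22 for SSH, 443 for the
# XCP-ng management API / web UI) only from the jump box and from one fixed admin
# address, then drop them from everywhere else. The second source is the
# "break glass" path: if the jump-box VM is down you can still reach the host.
mgmt_allowlist_rules() {
    jump_ip=$1; admin_ip=$2
    is_ipv4_cidr "$jump_ip" || return 1
    is_ipv4_cidr "$admin_ip" || return 1
    for port in 22 443; do
        printf '%s\n' "-A INPUT -s $jump_ip -p tcp --dport $port -j ACCEPT"
        printf '%s\n' "-A INPUT -s $admin_ip -p tcp --dport $port -j ACCEPT"
        printf '%s\n' "-A INPUT -p tcp --dport $port -j DROP"
    done
}

# ssh_ratelimit_rules : drop a source that opens more than 4 new SSH connections
# within 60 seconds (iptables "recent" match). Cheap way to quiet log noise on
# the jump box without touching sshd configuration.
ssh_ratelimit_rules() {
    printf '%s\n' "-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name SSH --set"
    printf '%s\n' "-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP"
}

# Demo when run directly as: sh mgmt_tunnel.sh demo
if [ "${1:-}" = "demo" ]; then
    tunnel_cmd 8080 someuser ssh-jump-box xcp-ng-host
    mgmt_allowlist_rules 203.0.113.10 198.51.100.7
    ssh_ratelimit_rules
fi
```

The generated rules are meant to be pasted into the host’s INPUT chain ahead of any broader ACCEPT (and after the usual ESTABLISHED,RELATED rule), not appended blindly. Because the original poster has no out-of-band console, apply them in a session that schedules an automatic rollback to the saved ruleset a few minutes later and cancel that rollback only once a fresh tunnel through the jump box has been confirmed to work.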