Thanks for the recommendation. I have no experience with Proxmox, so this might be part of a longer-term project once I've got the Vikunja access working (at least that's on a separate Pi and so would be similar to a distinct VM in that regard).
Comment on Safely exposing services to the Internet
hirihit640@sh.itjust.works 3 weeks ago
I recommend proxmox. One VM for sensitive private data and backups, one VM for stuff exposed to the internet
Australis13@fedia.io 3 weeks ago
Jean_le_Flambeur@discuss.tchncs.de 3 weeks ago
I was going to build my system like that, but recently learned that host client isolation is not as strong as people make you believe.
just a few weeks ago we learned that copy fail (security vulnerability) was on major distros for years until it was fixed, it would allow containers and VMS to infect the host system. Xz utils could also lead to a broken host client separation, as proxmox uses ssh for clustering and the like.
So for really important stuff I am going to have a dedicated physical server or put it in cold storage altogether.
That said, I am by no means an expert so feel free to correct me if I got something wrong.
hirihit640@sh.itjust.works 3 weeks ago
copy fail allows VMs to infect the host system? I thought it was a kernel vulnerability, not a hypervisor vulnerability. Containers and LXCs share the kernel with the host, full VMs do not.
Hypervisor exploits and VM escapes are VERY rare.
Using SSH for clustering is optional. You can just use normal VMs. You don’t have to install SSH into the VM, you can view it through proxmox. The only difference between a VM and a physical machine is the hypervisor, so the only security difference is the security of the hypervisor. And as I mentioned, hypervisor exploits are very rare.
pmk@piefed.ca 3 weeks ago
Almost 20 years ago, Theo de Raadt (founder of OpenBSD) said: “you think that a worldwide collection of software engineers who can’t write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.” I would like to think that we’ve figured out the security holes since then, but… you know..
hirihit640@sh.itjust.works 3 weeks ago
Nobody believes virtualization is perfect, it’s just the best we got because:
And anyways, even a separate physical computer can be hacked. If it has networking, there could be a vulnerability in the networking stack. Just making an outbound tcp connection can be enough to be pwned.
I think the closest thing we have to an “invincible” system is seL4, but I rarely hear about amybody using them
dislabled@lemmy.ml 3 weeks ago
Good post. And i would like to add for anyone to be able to use hypervisor escape, you also need a vulnerability in the software presented to the internet. And even then, the chance that anyone would waste a zero day on a homelab is pretty slim…
Jean_le_Flambeur@discuss.tchncs.de 3 weeks ago
Thanks for evaluating! The exploit was explained to me that an unpriviliged user/Programm could use it to get root access on the whole system, which I my mind included the hypervisor. Further reading seems to proof you right, while containers were broken VMs were not.
My point still remains, although weaker: If you know exactly what you are doing you can get a system quite secure, if you are a hobby server owner like me, its not that easy. I would have not know that the use of VMs instead of containers has sooo major security implications, that something so fundamental as ssh could be exploited in such large scales, and clustering would have been needed to avoid being unsafe.
Sure, noone would use an zero day on me targeted, the thing is: I am not working in the field, from publishing of the exploit till learned about it and had the time to patch, there were a few weeks. If in those few weeks someone deploys a tool going for mass and not for single targets, I would probably be infected and added to some botnet, cryptominer or whatever.
If I have a bare metal dedicated server, which has only access to IPs contained in my whitelist on a dedicated opnsense, I have less to wory about. Sure, someone could still find a freebsd/opnsense exploit and get me, but my point is: complex systems break in complex ways, the more complex systems you use, the more attack surface u have, need to know and understand to control and mitigate it.
Not that its impossible, but for a hobbyist who tries to self teach with man pages, tutorials and forums, you can get pwnd in unexpected ways (like because you used a container for dodgy Chinese smart home devices and expected that your production environment would be safe even if one of them was malicious, but in fact you were not, because that would have needed to be a VM. AND: before copy fail was published, users would have probably also told you that containers are safe.
hirihit640@sh.itjust.works 2 weeks ago
The way I would frame it is: using complex systems that you are unfamiliar with is risky. In your case, you are familiar with OPNsense and firewalls. So that may be the more secure option for you. But for somebody who isn’t familiar with firewalls, there are a lot of ways to mess up. For example, IP and mac spoofing is very easy. OPNsense and firewalls often don’t have very good defense against IP spoofing, especially if the malware is already inside your LAN (for example, a malicious app running on a smartphone).
Using proxmox and other virtualization platforms has one big advantage: you can experiment and play around and learn, without much risk. With a physical server, if you mess up and get infected, you may have to throw away the whole server. You can’t just re-install the OS, because the malware could have installed a rootkit or infected the bios or other firmware. But with a VM, if the VM gets infected you can just delete the VM and create a new one. One of the main goals of a hypervisor is to sandbox the VM, so that malware is contained.