Proxmox Initial Hardening & Setup


1. Initial Setup

Disable Enterprise Repositories

Disable enterprise repositories from the UI.

If the UI does not work, comment out the entries in these files manually:

nano /etc/apt/sources.list.d/pve-enterprise.list
nano /etc/apt/sources.list.d/pve-no-enterprise.list

Update System

apt update && apt full-upgrade -y
apt autoremove && apt autoclean

Check performance:

pveperf /etc/pve

2. Configure SSH Public Key

Edit authorized keys:

nano ~/.ssh/authorized_keys

Restart SSH:

systemctl restart sshd

In some cases, the file is located here:

nano /etc/pve/priv/authorized_keys

3. Disable Root SSH Login

Edit SSH config:

nano /etc/ssh/sshd_config

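Ensure the following settings. With prohibit-password, root can still log in with a public key; password and keyboard-interactive authentication are rejected for root: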

PermitRootLogin prohibit-password
#PermitRootLogin yes
PubkeyAuthentication yes

Apply changes:

systemctl restart sshd
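
A check for the settings in step 3, as an added example that is not part of the original page. The helper names sshd_value and check_sshd_hardening are hypothetical, and the sample config is constructed; the parser follows sshd's rule that the first value obtained for a keyword wins.

```shell
#!/bin/sh
# Added example; sshd_value and check_sshd_hardening are hypothetical helper names.

# Print the value sshd would use for keyword $1, reading config text on stdin.
# sshd keeps the FIRST value it obtains for a keyword, keywords are
# case-insensitive, and settings after a Match line apply only conditionally.
sshd_value() {
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        NF == 0 || $1 ~ /^#/ { next }      # blank lines and comments
        { k = tolower($1) }
        k == "match" { exit }              # stop at the first Match block
        k == key { print tolower($2); exit }
    '
}

# Return 0 only if the config file $1 carries the settings from step 3.
check_sshd_hardening() {
    root=$(sshd_value PermitRootLogin < "$1")
    pubkey=$(sshd_value PubkeyAuthentication < "$1")
    rc=0
    case "$root" in
        # without-password is the deprecated alias of prohibit-password
        prohibit-password|without-password) ;;
        *) echo "FAIL PermitRootLogin=${root:-unset}"; rc=1 ;;
    esac
    if [ "$pubkey" != "yes" ]; then
        echo "FAIL PubkeyAuthentication=${pubkey:-unset}"; rc=1
    fi
    return "$rc"
}

# Constructed sample input: the three lines from step 3.
sample=$(mktemp)
printf '%s\n' 'PermitRootLogin prohibit-password' \
              '#PermitRootLogin yes' \
              'PubkeyAuthentication yes' > "$sample"
check_sshd_hardening "$sample" && echo "OK: sample matches step 3"
rm -f "$sample"
```

On the host, `sshd -T` (run as root) prints the effective configuration, including files pulled in by `Include`; save its output to a file and pass that file to check_sshd_hardening instead of the sample.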

4. Disable HA Cluster Services (Reduce SSD Wear)

Do NOT perform this step if the node is part of a cluster.

Disable Local Resource Manager

systemctl stop pve-ha-lrm
systemctl disable pve-ha-lrm

Disable Cluster Resource Manager

systemctl stop pve-ha-crm
systemctl disable pve-ha-crm

Installing N8N Restricted User


1. Check If User Exists

cat /etc/passwd

2. Create System User

adduser --system \
  --home /home/n8n \
  --shell /bin/bash \
  --group n8n

3. Configure Shell & Home

usermod -s /bin/bash n8n
chown -R n8n:n8n /home/n8n
mkdir -p /home/n8n/.ssh

4. Add Public Key (from HP3GPU)

Open the authorized_keys file:

nano /home/n8n/.ssh/authorized_keys

Paste the public key:

ssh-ed25519 root@HP1GPU

Restart SSH:

systemctl restart sshd

In some cases, the key file may be located here:

nano /etc/pve/priv/authorized_keys

5. Fix Permissions

chmod 755 /home/n8n
chmod 700 /home/n8n/.ssh
chmod 600 /home/n8n/.ssh/authorized_keys
chown -R n8n:n8n /home/n8n/.ssh

6. Test User

su - n8n -c 'apt list --upgradable'
su - n8n -c 'cat /etc/hostname'
ssh -vvv n8n@10.1.1.105
