kai/knowledge-base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Re-structure

Browse Source
This commit is contained in:
Yaojia Wang
2026-03-21 11:31:31 +01:00
parent e61baf7e4e
commit cdba2497a7
30 changed files with 299 additions and 251 deletions
Download Patch File Download Diff File Expand all files Collapse all files

404
4 - Resources/Security/OpenVAS Usage Guide.md Normal file
View File

@@ -0,0 +1,404 @@
---
created: "2026-03-08"
type: resource
tags:
- resource
- security
- openvas
- vulnerability-scanning
- homelab
---
# OpenVAS Usage Guide
Greenbone OpenVAS 漏洞扫描平台使用指南。基于 Greenbone Community Edition部署在 [[PVE Security Scanner]] 上。
## Access
| Item | Value |
|------|-------|
| URL | `https://192.168.68.84` |
| Backup URL | `https://192.168.68.84:9392` |
| Username | `admin` |
| Certificate | Self-signed (浏览器需接受警告) |
## Core Concepts
| Concept | Description |
|---------|-------------|
| **Target** | 扫描目标,可以是单个 IP、IP 范围、子网 (CIDR) |
| **Port List** | 要扫描的端口集合 (默认提供 All TCP, Top 100, Top 1000 等) |
| **Scan Config** | 扫描策略,控制检测深度和范围 |
| **Task** | 将 Target + Scan Config 组合成一个可执行的扫描任务 |
| **Report** | 扫描结果报告,包含发现的漏洞和风险评级 |
| **Schedule** | 定时执行扫描任务 |
| **Alert** | 扫描完成后的通知动作 (邮件、HTTP 回调等) |
| **NVT** | Network Vulnerability Test单个漏洞检测脚本 |
| **CVE** | 公共漏洞编号OpenVAS 关联 CVE 数据库 |
| **CVSS** | 漏洞评分标准 (0-10),用于风险评级 |
## Scan Configs (扫描策略)
| Config | Speed | Depth | Use Case |
|--------|-------|-------|----------|
| **Discovery** | Fast | Low | 仅发现主机和服务,不做漏洞检测 |
| **Host Discovery** | Very Fast | Minimal | 只检测主机是否存活 |
| **System Discovery** | Fast | Low | 发现操作系统和服务版本 |
| **Base** | Medium | Medium | 基础漏洞扫描,不含危险测试 |
| **Full and fast** | Medium | High | 完整扫描,跳过慢速 NVT (推荐日常使用) |
| **Full and deep** | Slow | Very High | 深度扫描,包含所有 NVT |
| **Full and deep ultimate** | Very Slow | Maximum | 包含可能导致服务中断的测试 (慎用) |
## Quick Start: First Scan
### Step 1: Create Target
1. Menu: **Configuration** -> **Targets**
2. Click **New Target** (左上角星号图标)
3. Fill in:
- **Name**: `Internal Network` (或具体名称)
- **Hosts**: `192.168.68.0/24` (或单个 IP)
- **Port List**: 选择 `All TCP and Nmap top 100 UDP`
4. Click **Save**
### Step 2: Create Task
1. Menu: **Scans** -> **Tasks**
2. Click **New Task** (左上角星号图标)
3. Fill in:
- **Name**: `Internal Network Scan`
- **Scan Targets**: 选择刚创建的 Target
- **Scanner**: `OpenVAS Default`
- **Scan Config**: 选择策略 (建议首次用 `Full and fast`)
4. Click **Save**
### Step 3: Run Scan
1. 在 Task 列表中找到刚创建的任务
2. 点击绿色 **Start** 按钮 (播放图标)
3. Status 会从 `New` -> `Requested` -> `Running` -> `Done`
4. 扫描时间取决于目标数量和策略:
- 单台主机 Full and fast: 10-30 分钟
- /24 子网 Full and fast: 2-8 小时
### Step 4: View Report
1. Task 完成后,点击 **Last Report** 日期链接
2. 报告页面展示所有发现的漏洞
3. 按 Severity 排序查看高危漏洞
## Report Reading
### Severity Levels
| Level | CVSS | Color | Action |
|-------|------|-------|--------|
| **Critical** | 9.0-10.0 | Purple | 立即修复 |
| **High** | 7.0-8.9 | Red | 尽快修复 |
| **Medium** | 4.0-6.9 | Orange | 计划修复 |
| **Low** | 0.1-3.9 | Blue | 评估后决定 |
| **Log** | N/A | Grey | 信息收集,无需操作 |
### Report Sections
- **Results**: 所有发现的漏洞列表
- **Hosts**: 按主机分组的结果
- **Operating Systems**: 检测到的操作系统
- **Applications**: 检测到的应用程序
- **TLS Certificates**: SSL/TLS 证书信息
- **Error Messages**: 扫描过程中的错误
### Export Report
1. 打开 Report
2. 左上角下拉选择格式:
- **PDF** - 适合分享和存档
- **CSV** - 适合数据分析
- **XML** - 适合导入其他工具
- **TXT** - 纯文本摘要
3. Click download icon
## Common Scan Scenarios
### Scenario 1: Scan Single Server
**Target**: `192.168.68.31` (PostgreSQL server)
**Config**: `Full and fast`
**Port List**: `All TCP and Nmap top 100 UDP`
重点关注:
- PostgreSQL 版本漏洞
- SSH 配置问题
- 系统补丁缺失
### Scenario 2: Scan Entire Network
**Target**: `192.168.68.0/24`
**Config**: `Full and fast`
**Port List**: `All TCP and Nmap top 100 UDP`
首次扫描建议在非工作时间进行,扫描会产生较大网络流量。
### Scenario 3: Web Application Scan
**Target**: Web 服务器 IP
**Config**: `Full and deep`
**Port List**: `All TCP`
重点关注:
- HTTP 相关漏洞 (XSS, SQL injection, CSRF)
- TLS 配置 (弱加密、过期证书)
- Web 服务器版本泄露
### Scenario 4: Compliance Check
**Target**: 所有关键服务器
**Config**: `Full and fast`
对照报告检查:
- 是否有默认密码
- 是否有未打补丁的服务
- 是否有不安全的协议 (telnet, FTP, SSLv3)
## Scheduled Scans
### Create Schedule
1. Menu: **Configuration** -> **Schedules**
2. Click **New Schedule**
3. Fill in:
- **Name**: `Weekly Internal Scan`
- **First Run**: 选择开始时间 (建议非工作时间,如周日凌晨 2:00)
- **Period**: `1 week`
- **Duration**: 留空 (无时间限制)
4. Click **Save**
### Assign Schedule to Task
1. Edit existing Task
2. **Schedule** 字段选择刚创建的 Schedule
3. Save
Task 会按计划自动执行,报告自动生成。
## Alerts (通知)
### Email Alert
1. Menu: **Configuration** -> **Alerts**
2. Click **New Alert**
3. Fill in:
- **Name**: `High Severity Email`
- **Event**: `Task run status changed` -> `Done`
- **Condition**: `Severity at least` -> `7.0` (High)
- **Method**: `Email`
- **To Address**: 你的邮箱
- **From Address**: `scanner@localhost`
4. Click **Save**
5. 在 Task 中关联此 Alert
Note: 需要配置 VM 的 SMTP 发送邮件。
## Credential Scans (认证扫描)
认证扫描可以检测更多漏洞(如本地提权、软件版本),因为扫描器可以登录目标系统。
### Create SSH Credential
1. Menu: **Configuration** -> **Credentials**
2. Click **New Credential**
3. Fill in:
- **Name**: `Linux SSH Scan`
- **Type**: `Username + SSH Key``Username + Password`
- **Username**: 目标系统的用户名
- **Password/Key**: 对应的认证信息
- **Auto Generate**: No
4. Click **Save**
### Use in Target
1. Edit Target
2. **SSH Credential** 字段选择创建的 Credential
3. Save
认证扫描会发现更多漏洞(如未打补丁的本地包、内核漏洞)。
## Performance Tips
| Tip | Effect |
|-----|--------|
| 缩小端口范围 | 减少扫描时间 |
| 用 `Full and fast` 而非 `Full and deep` | 快 2-5x覆盖 90% 漏洞 |
| 分段扫描大网络 | 避免超时和资源耗尽 |
| 避免工作时间扫描 | 减少对生产环境影响 |
| 定期更新 Feed | 保持漏洞库最新 |
## Maintenance
### Update Vulnerability Feed
Feed 自动通过 Docker 容器更新。手动触发:
```bash
ssh kai@192.168.68.84
cd /opt/greenbone
sudo docker compose pull
sudo docker compose up -d
```
### Check Feed Status
Web UI: **Administration** -> **Feed Status**
| Feed | Description |
|------|-------------|
| NVT | 漏洞检测脚本 (最重要) |
| SCAP | CVE/CPE 数据 |
| CERT | 安全公告 |
| GVMD_DATA | 扫描策略和端口列表 |
所有 Feed 应显示 `Current`。如果显示 `Update in progress`,等待同步完成。
### Backup
```bash
# 备份所有 Docker volumes
ssh kai@192.168.68.84
cd /opt/greenbone
sudo docker compose down
sudo tar czf /tmp/greenbone-backup-$(date +%Y%m%d).tar.gz \
/var/lib/docker/volumes/greenbone-community-edition_*
sudo docker compose up -d
```
### Reset Admin Password
```bash
ssh kai@192.168.68.84
cd /opt/greenbone
sudo docker compose exec -u gvmd gvmd gvmd --user=admin --new-password=<NEW_PASSWORD>
```
## Report Workflow (报告使用流程)
### Priority Matrix
| Priority | CVSS | Example | Timeline | Action |
|----------|------|---------|----------|--------|
| **Critical** | 9.0-10.0 | 远程代码执行、默认密码、未授权访问 | 24h 内 | 立即修复 |
| **High** | 7.0-8.9 | 本地提权、敏感信息泄露、SQL 注入 | 1 周内 | 尽快修复 |
| **Medium** | 4.0-6.9 | 弱加密、软件版本过旧、TLS 配置不当 | 1 月内 | 排期修复 |
| **Low** | 0.1-3.9 | 信息收集、Banner 暴露、非敏感信息泄露 | 按需 | 评估后决定 |
### Step-by-Step Workflow
**Step 1: Export Report**
- 打开 Report -> 左上角选择格式
- 导出 **PDF** (存档分享) + **CSV** (数据分析)
- 建议按日期归档: `scans/2026-03-09-full-network.pdf`
**Step 2: Triage by Host**
-**Hosts** 标签,按漏洞数量排序
- 识别问题最多的主机,优先处理
**Step 3: Analyze Vulnerabilities**
- 点进具体漏洞,关注以下字段:
- **Summary**: 漏洞描述(是什么)
- **Impact**: 被利用后的影响(为什么要修)
- **Solution**: 修复建议(怎么修)-- 最有价值的部分
- **CVE Reference**: 关联的 CVE 编号(可查详细信息)
- **Affected Software/OS**: 受影响的软件版本
**Step 4: Create Remediation Plan**
- 按优先级为每个 Critical/High 漏洞创建修复任务
- 记录:主机 IP、漏洞名称、CVE、修复方案、负责人
- Medium 漏洞汇总为批量修复任务(如统一升级某软件)
**Step 5: Fix and Rescan**
- 修复完成后,对同一 Target 重新扫描
- 对比两次 Report确认漏洞已消除
- Web UI: **Scans** -> **Reports** 可以看历史趋势
### Recurring Scan Process
建议建立周期性扫描流程:
```
周日凌晨 2:00 自动全网扫描 (OpenVAS Schedule)
|
周一上午 查看报告,按优先级分类
|
周一-周五 修复 Critical 和 High 漏洞
|
下周日 自动复扫,对比改善情况
|
每月最后一周 导出月度报告,归档存储
```
Setup: **Configuration** -> **Schedules** -> 创建 Weekly Schedule (Sunday 02:00)
### Report Comparison (趋势分析)
跟踪安全改善情况:
| Metric | How to Track |
|--------|-------------|
| Critical/High 漏洞数量变化 | 每周报告对比 |
| 平均修复时间 | 记录发现日期和修复日期 |
| 新增 vs 已修复 | 对比相邻两次扫描 |
| 最高风险主机 | 按 Host 的 Severity Score 排序 |
### Common Findings and Fixes
| Finding | Typical Fix |
|---------|------------|
| SSH weak algorithms | 更新 `/etc/ssh/sshd_config` 加密套件 |
| SSL/TLS outdated | 升级到 TLS 1.2+,禁用弱密码套件 |
| Default credentials | 修改默认密码,禁用默认账户 |
| Missing patches | `apt upgrade` / 系统补丁更新 |
| Open unnecessary ports | 关闭不需要的服务,配置防火墙 |
| HTTP without HTTPS | 配置 TLS 证书,强制 HTTPS 重定向 |
| SMBv1 enabled | 禁用 SMBv1启用 SMBv2/v3 |
| SNMP public community | 修改 community string 或禁用 SNMP |
## CLI Access (gvm-tools)
除了 Web UI也可以通过命令行操作
```bash
ssh kai@192.168.68.84
cd /opt/greenbone
# 进入 gvm-tools 容器
sudo docker compose exec gvm-tools bash
# 列出所有 task
gvm-cli --gmp-username admin --gmp-password <PASSWORD> \
socket --socketpath /run/gvmd/gvmd.sock \
--xml '<get_tasks/>'
# 列出所有 target
gvm-cli --gmp-username admin --gmp-password <PASSWORD> \
socket --socketpath /run/gvmd/gvmd.sock \
--xml '<get_targets/>'
```
## Troubleshooting
| Problem | Solution |
|---------|----------|
| Web UI 打不开 | `sudo docker compose ps` 检查容器状态 |
| 登录失败 | Reset admin password (见上方) |
| Feed 一直 updating | 首次同步需 30-60 分钟,耐心等待 |
| 扫描卡在 Requested | 检查 ospd-openvas 容器日志: `sudo docker compose logs ospd-openvas` |
| 扫描结果为空 | 确认 Feed 已同步完成;检查目标网络是否可达 |
| 只扫到本机 | ospd-openvas 需要 `network_mode: host` 才能到达局域网 |
| Feed is syncing | 漏洞库同步中等几分钟到半小时Feed Status 全部 Current 后再扫 |
| 扫描速度很慢 | 减少目标范围;使用 `Full and fast` 策略 |
| 容器反复重启 | `sudo docker compose logs <service>` 查看错误 |
| 磁盘空间不足 | `df -h` 检查;清理旧报告和 Docker 无用镜像 `sudo docker system prune` |
## Related
- [[PVE Security Scanner]] - 部署文档和安全架构
- [[Security Best Practices]]

302
4 - Resources/Security/PVE Security Scanner.md Normal file
View File

@@ -0,0 +1,302 @@
---
created: "2026-03-08"
type: resource
tags:
- resource
- homelab
- security
- proxmox
- networking
- vulnerability-scanning
---
# PVE Security Scanner
## Goal
在 Proxmox VE 上搭建一台专用的内网安全扫描 VM用于定期进行网络安全评估、漏洞扫描和合规检查。
## Architecture
```
+------------------+
| PVE Host |
| +--------------+| PVE Firewall (Layer 1)
| | Scanner VM || - IN: only admin IPs -> SSH/9392
| | Ubuntu 24.04 || - OUT: internal nets + update_targets IPSET
| | 4C / 8G / 80G||
| +--------------+|
| | |
+--------|--------+
| vmbr0 (bridge)
|
======|==================== Internal Network (192.168.68.0/24)
| | | |
[Host] [Host] [Host] [Switch/Router]
```
## VM Specs
| Resource | Value |
|----------|-------|
| Hostname | network-scanner |
| IP | 192.168.68.84 |
| OS | Ubuntu 24.04 (cloud-init) |
| Kernel | 6.8.0-101-generic |
| CPU | 4 cores (host type) |
| RAM | 8 GB |
| Disk | 80 GB |
| Network | vmbr0 bridge, 192.168.68.0/24 |
| SSH User | kai (1Password managed key) |
| Admin User | scanner-admin |
## Security Architecture (Defense in Depth)
### Layer 1: PVE Firewall (Hypervisor)
在 Proxmox 层面限制 VM 网络访问,即使 VM 被攻陷也无法绕过。
| Direction | Rule | Purpose |
|-----------|------|---------|
| IN | Admin IPs -> TCP 22 | SSH 管理 |
| IN | Admin IPs -> TCP 443, 9392 | OpenVAS Web UI |
| IN | Internal nets -> ICMP | Ping |
| OUT | -> Internal nets (all) | 扫描内网 |
| OUT | -> update_targets IPSET TCP 80/443 | 漏洞库更新、包管理 |
| OUT | -> UDP 53/123 | DNS / NTP |
| Default | DROP | 其他全部拒绝 |
Config: `/etc/pve/firewall/200.fw`
Admin IPs 默认 `192.168.68.0/24`(整个内网段),可通过 `SCANNER_ADMIN_IPS` 环境变量覆盖。
### Layer 2: nftables (VM Internal)
VM 内部使用 nftables 做第二层防护,包含动态封禁功能。
**Key features:**
- `blocked_ips` set: 动态 IP 封禁(带超时自动解封)
- `ssh_bruteforce` set: SSH 暴力破解自动检测3次/分钟触发15分钟封禁
- Output policy DROP: 出站默认拒绝,仅白名单放行
- 所有 DROP 事件记录日志
- Docker 接口使用 `iifname "docker*"` / `iifname "br-*"` 通配(不要求接口预先存在)
**管理命令:**
```bash
# 查看规则
nft list ruleset
# 手动封禁 IP1小时
nft add element inet firewall blocked_ips { 1.2.3.4 timeout 1h }
# 查看被封禁的 IP
nft list set inet firewall blocked_ips
# 重载规则
systemctl restart nftables
```
Config: `/etc/nftables.conf`
### Layer 3: SSH Hardening
| Setting | Value |
|---------|-------|
| Authentication | Public key only (1Password) |
| Root login | Disabled |
| Max auth tries | 10 |
| Ciphers | chacha20-poly1305, aes256-gcm |
| KEX | sntrup761x25519, curve25519 |
| Fail2ban | 3 failures -> 1h ban (nftables backend) |
| AllowUsers | `scanner-admin kai` |
| Forwarding | DisableForwarding yes |
| Banner | /etc/issue.net |
Config: `/etc/ssh/sshd_config.d/99-scanner-hardening.conf`
### Layer 4: System Hardening
**Kernel (sysctl):**
- IP forwarding disabled
- ICMP redirects ignored
- SYN flood protection (syncookies)
- Reverse path filtering (anti-spoofing)
- Martian packet logging
- ASLR enabled, ptrace restricted
**Auditing:**
- `auditd`: 监控 /etc, auth, sudo, network, cron, scanner config 变更
- `AIDE`: 文件完整性检查 (daily 3am)
- `Lynis`: 安全审计 (weekly Sunday 2am)
- Core dumps disabled
Config: `/etc/sysctl.d/99-security-scanner.conf`, `/etc/audit/rules.d/scanner-audit.rules`
## Installed Tools
| Tool | Purpose | Usage |
|------|---------|-------|
| **OpenVAS/Greenbone** | 全面漏洞管理平台 | Web UI `https://192.168.68.84` (nginx -> gsad) |
| **Nmap** | 网络发现、端口扫描 | `nmap -sV --script=safe <target>` |
| **Nuclei** | 快速漏洞扫描 (模板驱动, SHA256 校验) | `nuclei -u <url>` |
| **httpx** | HTTP 探测、服务识别 (SHA256 校验) | `httpx -l hosts.txt` |
| **Nikto** | Web 服务器扫描 | `nikto -h <url>` |
| **testssl.sh** | TLS/SSL 安全检测 | `testssl <host:port>` |
| **NetExec** | SMB/RDP/WinRM 评估 | `netexec smb <target>` |
## Scanning Workflow
### Quick Scan (Automated)
```bash
/opt/scans/scripts/quick-scan.sh 192.168.68.0/24
```
Steps:
1. Host discovery (`nmap -sn`)
2. Port scan top 1000 (`nmap -sV --script=safe`)
3. HTTP service detection (`httpx`)
4. Vulnerability scan (`nuclei` medium/high/critical)
Results saved to `/opt/scans/results/<timestamp>/`
### Full Scan (OpenVAS)
1. Start containers: `cd /opt/greenbone && docker compose up -d`
2. Wait for feed sync (first time: 30-60 min)
3. Access Web UI: `https://192.168.68.84` (self-signed cert, accept warning)
4. Create Target -> Create Task -> Run Scan
5. Export report (PDF/CSV)
### Targeted Scans
```bash
# TLS/SSL audit
testssl 192.168.68.10:443
# Web server scan
nikto -h https://192.168.68.10
# SMB assessment
netexec smb 192.168.68.0/24
# Full port scan single host
nmap -sV --script=safe -p- -T4 192.168.68.10
```
## Monitoring
| Check | Schedule | Tool |
|-------|----------|------|
| Disk usage | Every 6h | `/opt/scans/scripts/check-disk.sh` |
| OpenVAS health | Every 30min | `/opt/scans/scripts/check-openvas.sh` |
| File integrity | Daily 3am | AIDE |
| Security audit | Weekly Sun 2am | Lynis |
| Old results cleanup | Weekly Sun 4am | find (maxdepth 1, >90 days, logged) |
| Nuclei templates | Weekly Mon 5am | `nuclei -update-templates` |
| Daily summary | Daily | Logwatch |
Logs: `/var/log/scanner/`
## Deployment
### Method: Cloud-Init Template Clone
1. PVE Web UI -> 选中 Cloud-Init 模板 -> 右键 Clone (Full Clone)
2. Cloud-Init 标签设置: user `kai`, SSH key (1Password), IP `192.168.68.84/24`
3. Hardware: 4C / 8G / 80G disk
### Copy Scripts to VM
```bash
scp -r C:/Users/yaoji/git/pve-security-scanner/vm kai@192.168.68.84:/tmp/scanner-setup
```
### Execute (in order)
```bash
# 设置环境变量
export SCANNER_ADMIN_IPS='192.168.68.0/24'
export SCANNER_DNS_SERVERS='192.168.68.1'
# 一键执行(或逐个执行)
sudo -E bash /tmp/scanner-setup/setup.sh
# 或逐个:
sudo -E bash /tmp/scanner-setup/01-system-harden.sh
sudo -E bash /tmp/scanner-setup/02-firewall.sh
sudo -E bash /tmp/scanner-setup/04-install-tools.sh # Docker 先装
sudo usermod -aG docker scanner-admin # 补加 docker 组
sudo -E bash /tmp/scanner-setup/03-ssh-harden.sh # 再跑 SSH
sudo -E bash /tmp/scanner-setup/05-monitoring.sh
sudo -E bash /tmp/scanner-setup/06-docker-autostart.sh
# OpenVAS 密码
cd /opt/greenbone && docker compose up -d
docker compose exec -u gvmd gvmd gvmd --user=admin --new-password=<PASSWORD>
# 重启
sudo shutdown -r now
```
### Post-Deployment Checklist
- [x] VM created from cloud-init template
- [x] SSH key configured (1Password, ed25519)
- [x] System hardening (01) applied
- [x] nftables firewall (02) applied - ADMIN_IPS = 192.168.68.0/24
- [x] Docker installed (Ubuntu source fix applied)
- [x] SSH hardening (03) applied - AllowUsers scanner-admin kai, MaxAuthTries 10
- [x] Security tools (04) installed
- [x] Monitoring (05) configured
- [x] Docker autostart (06) enabled - systemd greenbone-openvas.service
- [x] OpenVAS Web UI accessible - `https://192.168.68.84` (nginx port 443+9392)
- [ ] Feed sync complete (in progress, ~30-60 min)
- [ ] First quick scan completed
- [ ] `lynis audit system` score verified
## Deployment Notes
### Issues Encountered
1. **Docker source wrong distro**: 脚本原写 Debian 源,实际系统是 Ubuntu 24.04 (noble)。已修复为自动检测 `${ID}` (debian/ubuntu)
2. **nftables rate limit 不能用 define**: `define SSH_RATE_LIMIT = 5/minute` 语法错误nftables 不支持 define 变量做 rate limit改为内联值
3. **`iif "docker0"` 要求接口已存在**: Docker 未安装时 docker0 不存在导致报错,改为 `iifname "docker*"` 通配
4. **03-ssh-harden.sh docker 组不存在**: 需先运行 04 安装 Docker再运行 03 创建用户
5. **SSH `sshd.service` not found**: Ubuntu 用 `ssh.service`,已修复为 `ssh 2>/dev/null || sshd`
6. **AllowUsers 只有 scanner-admin**: cloud-init 用户 `kai` 被拒绝登录,已加入 AllowUsers
7. **MaxAuthTries 3 太小**: 1Password 管理多个 key 逐个尝试会超限,改为 10
8. **ADMIN_IPS 设成 VM 自身 IP**: 导致工作站无法 SSH改为整网段 `192.168.68.0/24`
9. **Greenbone 镜像名变更**: `greenbone/xxx` 已迁移到 `registry.community.greenbone.net/community/xxx`,架构改为 nginx + gsad + gsa 分离
10. **nginx 9392 端口重定向到 443**: 需同时暴露 443 端口docker-compose 已加 `0.0.0.0:443:443`
### Recommended Execution Order (revised)
01 -> 02 -> 04 (Docker) -> 03 (SSH, needs docker group) -> 05 -> 06
## Scripts Location
Repo: https://git.colacoder.com/kai/pve-security-scanner
```
pve-security-scanner/
├── pve/
│ ├── create-vm.sh # VM creation (idempotent)
│ └── firewall.sh # PVE-level firewall (env var guard)
├── vm/
│ ├── setup.sh # One-click ordered execution
│ ├── 01-system-harden.sh # OS hardening
│ ├── 02-firewall.sh # nftables rules
│ ├── 03-ssh-harden.sh # SSH + fail2ban
│ ├── 04-install-tools.sh # Security tools (auto-detect distro)
│ ├── 05-monitoring.sh # Logging + cron
│ └── 06-docker-autostart.sh # OpenVAS systemd service
└── README.md
```
## Related
- [[Proxmox VE]]
- [[Home Network]]
- [[Security Best Practices]]