# PVE Security Scanner

Internal network security scanning VM for Proxmox VE.

## Structure

```
pve-security-scanner/
├── pve/                        # Proxmox host-level config
│   ├── create-vm.sh            # One-click VM creation
│   └── firewall.sh             # PVE firewall rules
├── vm/                         # VM internal config
│   ├── 01-system-harden.sh     # OS hardening
│   ├── 02-firewall.sh          # nftables firewall
│   ├── 03-ssh-harden.sh        # SSH hardening
│   ├── 04-install-tools.sh     # Security tools
│   └── 05-monitoring.sh        # Logging and monitoring
└── README.md
```

## Deployment

1. On PVE host: run `pve/create-vm.sh` to create the VM
2. On PVE host: run `pve/firewall.sh` to apply PVE-level firewall
3. SSH into VM, run scripts in `vm/` directory in order (01 -> 05)

## Network Design

- Scanner VM sits on the management VLAN / main bridge
- Allowed to reach all internal subnets for scanning
- Outbound internet restricted (only for vuln DB updates)
- Inbound restricted to SSH + Web UI from admin IPs only
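
The network design above, written as an nftables ruleset for the VM. This is an added example, not the contents of `vm/02-firewall.sh`; the admin addresses, internal ranges and Web UI port are placeholder assumptions to replace with your own.

```nft
#!/usr/sbin/nft -f
# Added example with constructed placeholder values (not the repository's ruleset).
flush ruleset

define ADMIN_IPS   = { 192.0.2.10, 192.0.2.11 }   # assumed admin workstations
define ADMIN_PORTS = { 22, 8443 }                 # SSH + assumed Web UI port
define INTERNAL    = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }  # assumed scan scope

table inet scanner {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state invalid drop
        # Replies to scans and updates, plus related ICMP errors
        ct state established,related accept

        # Inbound: SSH + Web UI from admin IPs only
        ip saddr $ADMIN_IPS tcp dport $ADMIN_PORTS accept

        # Everything else is dropped; log a sample for 05-monitoring to pick up
        limit rate 10/minute log prefix "scanner-in-drop: "
    }

    chain forward {
        # The scanner is an endpoint, never a router
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif "lo" accept
        ct state established,related accept

        # Scanning: any protocol and port towards internal subnets
        # (also covers DNS when the resolver is internal)
        ip daddr $INTERNAL accept

        # Internet: HTTPS only, for vulnerability DB updates.
        # Narrow to the update mirrors' addresses if they are known.
        tcp dport 443 accept

        limit rate 10/minute log prefix "scanner-out-drop: "
    }
}
```

The ruleset assumes IPv4-only operation: with `policy drop` in an `inet` table, no ICMPv6 neighbour discovery is permitted. Validate it with `nft -c -f <file>` before loading, and keep a console session open in PVE in case the SSH rule locks you out.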