Scripts for deploying a hardened internal network security scanner on Proxmox VE:

- PVE-level firewall and VM creation
- System hardening (sysctl, auditd, AIDE)
- nftables firewall with dynamic IP blocking
- SSH hardening with fail2ban
- Security tools (OpenVAS, Nmap, Nuclei, httpx, Nikto, testssl, NetExec)
- Monitoring, logging, and Docker autostart
# PVE Security Scanner
Internal network security scanning VM for Proxmox VE.
## Structure
```
pve-security-scanner/
├── pve/                      # Proxmox host-level config
│   ├── create-vm.sh          # One-click VM creation
│   └── firewall.sh           # PVE firewall rules
├── vm/                       # VM internal config
│   ├── 01-system-harden.sh   # OS hardening
│   ├── 02-firewall.sh        # nftables firewall
│   ├── 03-ssh-harden.sh      # SSH hardening
│   ├── 04-install-tools.sh   # Security tools
│   └── 05-monitoring.sh      # Logging and monitoring
└── README.md
```
## Deployment
1. On the PVE host: run `pve/create-vm.sh` to create the VM
2. On the PVE host: run `pve/firewall.sh` to apply the PVE-level firewall
3. SSH into the VM and run the scripts in the `vm/` directory in order (01 -> 05)
## Network Design
- Scanner VM sits on the management VLAN / main bridge
- Allowed to reach all internal subnets for scanning
- Outbound internet restricted (only for vuln DB updates)
- Inbound restricted to SSH + Web UI from admin IPs only
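The network design above, together with the dynamic IP blocking named in the repo description, as an added nftables ruleset that is not the repository's own `vm/02-firewall.sh`. The admin addresses and internal ranges are constructed, and the Web UI port (9392, Greenbone's default) and the feed-update ports (HTTPS and rsync 873) are assumptions to adjust for the actual deployment.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not the repository's 02-firewall.sh).
# Assumptions: admin hosts, internal ranges, Web UI port 9392 and
# feed-update ports 443/873 are placeholders for the real environment.
flush ruleset

table inet scanner {
    set admin_ips {
        type ipv4_addr
        elements = { 10.0.10.5, 10.0.10.6 }   # constructed admin hosts
    }
    set internal_nets {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
    }
    # Dynamic block list: entries added from the packet path expire after 1h
    set blocklist {
        type ipv4_addr
        flags dynamic,timeout
        timeout 1h
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        ip saddr @blocklist drop
        # A source opening too many new SSH connections is added to the block list
        tcp dport 22 ct state new meter ssh_rate { ip saddr limit rate over 10/minute } add @blocklist { ip saddr } drop
        # Inbound only SSH and the Web UI, only from admin IPs
        ip saddr @admin_ips tcp dport { 22, 9392 } ct state new accept
        icmp type echo-request limit rate 5/second accept
        log prefix "scanner-in-drop: " drop
    }

    chain output {
        type filter hook output priority filter; policy drop;
        oif lo accept
        ct state established,related accept
        udp dport { 53, 123 } accept          # DNS and NTP
        ip daddr @internal_nets accept        # scanning of all internal subnets
        # Everything else (internet) only for vuln DB / feed updates
        tcp dport { 443, 873 } accept
        log prefix "scanner-out-drop: " drop
    }
}
```

Load it with `nft -f` and confirm with `nft list set inet scanner blocklist` that offending sources appear and age out as expected.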