5e49b977ab0da3b584739e1642e9c6d1bc846126
Scripts for deploying a hardened internal network security scanner on Proxmox VE:
- PVE-level firewall and VM creation
- System hardening (sysctl, auditd, AIDE)
- nftables firewall with dynamic IP blocking
- SSH hardening with fail2ban
- Security tools (OpenVAS, Nmap, Nuclei, httpx, Nikto, testssl, NetExec)
- Monitoring, logging, and Docker autostart
PVE Security Scanner
Internal network security scanning VM for Proxmox VE.
Structure
pve-security-scanner/
├── pve/ # Proxmox host-level config
│ ├── create-vm.sh # One-click VM creation
│ └── firewall.sh # PVE firewall rules
├── vm/ # VM internal config
│ ├── 01-system-harden.sh # OS hardening
│ ├── 02-firewall.sh # nftables firewall
│ ├── 03-ssh-harden.sh # SSH hardening
│ ├── 04-install-tools.sh # Security tools
│ └── 05-monitoring.sh # Logging and monitoring
└── README.md
Deployment
- On PVE host: run pve/create-vm.sh to create the VM
- On PVE host: run pve/firewall.sh to apply the PVE-level firewall
- SSH into the VM and run the scripts in the vm/ directory in order (01 -> 05)
Network Design
- Scanner VM sits on the management VLAN / main bridge
- Allowed to reach all internal subnets for scanning
- Outbound internet restricted (only for vuln DB updates)
- Inbound restricted to SSH + Web UI from admin IPs only
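The network design above maps directly onto an nftables ruleset. The following shell script is an added example, not the project's vm/02-firewall.sh: it renders a complete default-deny ruleset from a few variables and includes a timeout-based set for the dynamic IP blocking the description mentions. The admin IPs, internal subnets and feed-mirror address are constructed placeholders, port 9392 is assumed as the scanner web UI port, and the HTTPS/rsync ports for vulnerability-feed updates are assumptions about where the update traffic goes.

```shell
#!/bin/sh
# Added example (not the project's own script). All values below are
# constructed placeholders; replace them with your admin workstations,
# scan target ranges and the feed mirror your scanner actually updates from.
ADMIN_IPS="10.0.10.5, 10.0.10.6"            # constructed: admin jump hosts
INTERNAL_SUBNETS="10.0.0.0/8, 192.168.0.0/16" # constructed: ranges to scan
UPDATE_HOSTS="203.0.113.10"                  # placeholder: vuln-feed mirror
WEBUI_PORT=9392                              # assumed: scanner web UI port

# Render an nftables ruleset implementing the README's network design:
#   inbound  -> only SSH + web UI, only from admin IPs, everything else dropped
#   outbound -> internal subnets (scanning), DNS, and the feed mirror only
# The blocklist set has 'flags timeout', so an address added with
#   nft add element inet scanner blocklist { 198.51.100.7 timeout 1h }
# is dropped until it expires; a fail2ban action can target this set
# (assumption about how the project wires fail2ban, not taken from the page).
# $1 = admin IPs, $2 = internal subnets, $3 = update hosts, $4 = web UI port
render_scanner_ruleset() {
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet scanner {
    set blocklist {
        type ipv4_addr
        flags timeout
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip saddr @blocklist drop
        # Admin access only: SSH and the scanner web UI
        ip saddr { $1 } tcp dport { 22, $4 } ct state new accept
        log prefix "nft-input-drop: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        # Scanning traffic toward the internal subnets is unrestricted
        ip daddr { $2 } accept
        # Name resolution plus feed updates (HTTPS and rsync assumed)
        udp dport 53 accept
        tcp dport 53 accept
        ip daddr { $3 } tcp dport { 443, 873 } accept
        log prefix "nft-output-drop: " drop
    }
}
EOF
}

# Sanity-check a rendered ruleset before installing it: both base chains
# must default-deny and the dynamic blocklist must be present.
# Returns 0 when the checks pass, 1 otherwise.
check_ruleset() {
    ruleset="$1"
    printf '%s\n' "$ruleset" | grep -qF 'hook input priority 0; policy drop;' || return 1
    printf '%s\n' "$ruleset" | grep -qF 'hook output priority 0; policy drop;' || return 1
    printf '%s\n' "$ruleset" | grep -qF 'flags timeout' || return 1
    return 0
}

# Stand-alone use: render to stdout, syntax-check with nft, then load, e.g.
#   sh scanner-nft-example.sh > /tmp/scanner.nft
#   sudo nft -c -f /tmp/scanner.nft && sudo nft -f /tmp/scanner.nft
render_scanner_ruleset "$ADMIN_IPS" "$INTERNAL_SUBNETS" "$UPDATE_HOSTS" "$WEBUI_PORT"
```

Rendering the ruleset as text rather than issuing `nft` commands directly keeps the policy reviewable in version control and lets `nft -c -f` reject a syntax error before anything is loaded on the scanner VM.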