<![CDATA[Xen Orchestra on publicly accessible VM]]>Hi,

I am deploying Xen Orchestra on an OVH cloud VPS to managed multiple Hosts at different locations. Could you please tell me if the login interface has any brute force attack prevention built in? Is it secure enough to be publicly accessible? I have already set 2FA but couldn't see any option for FIDO2 or passwordless authentication.

Thank you

]]>https://xcp-ng.org/forum/topic/9975/xen-orchestra-on-publicly-accessible-vmRSS for NodeTue, 14 Apr 2026 11:50:03 GMTFri, 15 Nov 2024 14:07:00 GMT60<![CDATA[Reply to Xen Orchestra on publicly accessible VM on Fri, 22 Nov 2024 12:44:49 GMT]]>@adriangabura This is a production server. This is also the only one we have on the cloud (OVH) for all our others hosts we use a private network behind our firewall and login via OpenVPN. But OVH we are struggling to come to a good design especially since version 8.3 now connect you to the web interface directly. How do we change port or block it?

]]>https://xcp-ng.org/forum/post/86112https://xcp-ng.org/forum/post/86112Fri, 22 Nov 2024 12:44:49 GMT<![CDATA[Reply to Xen Orchestra on publicly accessible VM on Wed, 20 Nov 2024 18:26:18 GMT]]>@fred974 Is this for production, or non-production?

]]>https://xcp-ng.org/forum/post/86058https://xcp-ng.org/forum/post/86058Wed, 20 Nov 2024 18:26:18 GMT<![CDATA[Reply to Xen Orchestra on publicly accessible VM on Mon, 18 Nov 2024 15:36:27 GMT]]>@fred974 said in Xen Orchestra on publicly accessible VM:

Thank you all. I could set Xen Orchestra vi vpn tunnel, you all righ so I'll do that. But how do I stop access to the web interface http://serverip ?

Run a VM with a firewall (pfSense, Vyos, OpnSense etc.) and put the public interface as WAN in the VM and control vpn access there?

]]>https://xcp-ng.org/forum/post/85953https://xcp-ng.org/forum/post/85953Mon, 18 Nov 2024 15:36:27 GMT<![CDATA[Reply to Xen Orchestra on publicly accessible VM on Mon, 18 Nov 2024 13:16:54 GMT]]>Thank you all. I could set Xen Orchestra vi vpn tunnel, you all righ so I'll do that. But how do I stop access to the web interface http://serverip ?

]]>https://xcp-ng.org/forum/post/85944https://xcp-ng.org/forum/post/85944Mon, 18 Nov 2024 13:16:54 GMT<![CDATA[Reply to Xen Orchestra on publicly accessible VM on Sat, 16 Nov 2024 16:23:35 GMT]]>You can easily add some firewall rules as an additional layer and/or restrict to ssh-forwarded sessions

]]>https://xcp-ng.org/forum/post/85890https://xcp-ng.org/forum/post/85890Sat, 16 Nov 2024 16:23:35 GMT<![CDATA[Reply to Xen Orchestra on publicly accessible VM on Fri, 15 Nov 2024 19:25:56 GMT]]>Nothing is secure enough, for it depends on your requirements and scope. It's a very bad practice to open such interfaces to the public space. As a suggestion - SSH tunnel, site-to-site VPN. There are a lot of potential solutions, but as I said it all depends on your security policy.

]]>https://xcp-ng.org/forum/post/85869https://xcp-ng.org/forum/post/85869Fri, 15 Nov 2024 19:25:56 GMT<![CDATA[Reply to Xen Orchestra on publicly accessible VM on Fri, 15 Nov 2024 18:12:39 GMT]]>
  • Yes
  • No FIDO2 auth, you can however use OIDC and connect to a SSO provider with FIDO2 access.
    • ]]>    https://xcp-ng.org/forum/post/85863https://xcp-ng.org/forum/post/85863Fri, 15 Nov 2024 18:12:39 GMT