XCP-ng

    Xen Orchestra on publicly accessible VM

    • fred974

      Hi,

      I am deploying Xen Orchestra on an OVH cloud VPS to manage multiple hosts at different locations. Could you please tell me if the login interface has any brute force attack prevention built in? Is it secure enough to be publicly accessible? I have already set 2FA but couldn't see any option for FIDO2 or passwordless authentication.

      Thank you

      • olivierlambert Vates 🪐 Co-Founder CEO

        1. Yes
        2. No FIDO2 auth; you can, however, use OIDC and connect to an SSO provider with FIDO2 access.
        • adriangabura

          Nothing is secure enough, for it depends on your requirements and scope. It's a very bad practice to open such interfaces to the public space. As a suggestion - SSH tunnel, site-to-site VPN. There are a lot of potential solutions, but as I said it all depends on your security policy.

          • KPS Top contributor @adriangabura

            You can easily add some firewall rules as an additional layer and/or restrict to ssh-forwarded sessions

            • fred974 @olivierlambert

              Thank you all. I could set up Xen Orchestra via a VPN tunnel; you are all right, so I'll do that. But how do I stop access to the web interface http://serverip ?

              • redakula @fred974

                fred974 said in Xen Orchestra on publicly accessible VM:

                Thank you all. I could set up Xen Orchestra via a VPN tunnel; you are all right, so I'll do that. But how do I stop access to the web interface http://serverip ?

                Run a VM with a firewall (pfSense, VyOS, OPNsense etc.), put the public interface as WAN in the VM, and control VPN access there?

                • adriangabura @fred974

                  fred974 Is this for production, or non-production?

                  • fred974 @adriangabura

                    adriangabura This is a production server. This is also the only one we have in the cloud (OVH); for all our other hosts we use a private network behind our firewall and log in via OpenVPN. But with OVH we are struggling to come up with a good design, especially since version 8.3 now connects you to the web interface directly. How do we change the port or block it?

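The firewall-rule and SSH-forwarding suggestions from the replies above, sketched as an added example that is not part of the original thread or of Xen Orchestra itself: one function prints an nftables ruleset that accepts the web UI ports only over the VPN, the other flags web listeners that only the firewall keeps off the public interface. The interface name `wg0`, the VPN port and address, the web ports 80/443 and the function names are all assumptions.

```shell
#!/bin/sh
# Added example. Assumptions (not from the thread): wg0 is the VPN interface,
# UDP 51820 the VPN port, TCP 22 SSH, TCP 80/443 the Xen Orchestra web UI.

# Print an nftables ruleset: default-drop inbound, SSH and the VPN reachable
# from anywhere, web UI ports accepted only when they arrive over the VPN.
xo_ruleset() {
    vpn_if="$1"; vpn_port="$2"
    cat <<EOF
table inet xo_filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        meta l4proto { icmp, ipv6-icmp } accept
        tcp dport 22 accept
        udp dport ${vpn_port} accept
        iifname "${vpn_if}" tcp dport { 80, 443 } accept
    }
}
EOF
}

# Read `ss -H -tln` output on stdin and print web UI listeners bound to
# anything other than loopback or the VPN address: sockets that only the
# firewall keeps off the public interface.
public_web_listeners() {
    awk -v vpn="$1" '{
        n = split($4, p, ":"); port = p[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if ((port == "80" || port == "443") && addr != "127.0.0.1" &&
            addr != "[::1]" && addr != vpn) print addr ":" port
    }'
}

# Constructed sample of `ss -H -tln` output (10.8.0.1 = assumed VPN address).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 10.8.0.1:80 0.0.0.0:*
LISTEN 0 511 [::]:80 [::]:*'

printf '%s\n' "$SAMPLE_SS" | public_web_listeners 10.8.0.1
xo_ruleset wg0 51820
# To use: write the ruleset to a file, validate it with `nft -c -f FILE`,
# load it with `nft -f FILE`, then re-test from outside the VPN.
# SSH-only alternative: ssh -L 8443:localhost:443 USER@VPS (placeholders),
# then browse to https://localhost:8443 and keep 80/443 closed entirely.
```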