Hey, I’ve got a bunch of services all running in their own containers/vms on Proxmox. All of these have their own ips that are accessible from my network.

I also have a container with a reverse proxy, which acts as a gateway for access to these services (its IP is the only one allowed to go through the firewall of each service).

These services have http servers, no encryption. Could someone on my network listen to comms between a service and my reverse proxy?

Would have to play around with VLANs if that’s the case…

Thanks
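As an added example (not from the thread), assuming the reverse proxy is nginx and the backend is Keycloak: the plaintext upstream hop the post describes, beside the same hop with TLS to the backend and certificate verification switched on, which is what stops anyone who can see that segment from reading the login traffic. The hostnames, addresses, ports and certificate paths are assumptions; the two server blocks are shown for contrast and only one of them should be loaded.

```nginx
# BEFORE: plaintext hop, as described in the thread. Anyone who can observe
# this segment (mirrored port, compromised bridge, on-path host) sees the
# login POST to Keycloak in clear.
server {
    listen 443 ssl;
    server_name auth.example.internal;              # assumed hostname
    ssl_certificate     /etc/nginx/tls/proxy.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/tls/proxy.key;

    location / {
        proxy_pass http://10.0.0.20:8080;           # assumed backend address
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# AFTER: same hop with TLS to the backend and verification of the backend's
# certificate against a private CA, so the proxy refuses to talk to anything
# that is not the real Keycloak and the traffic on the wire is encrypted.
server {
    listen 443 ssl;
    server_name auth.example.internal;
    ssl_certificate     /etc/nginx/tls/proxy.crt;
    ssl_certificate_key /etc/nginx/tls/proxy.key;

    location / {
        proxy_pass https://10.0.0.20:8443;          # backend now serves TLS (assumed port)
        proxy_ssl_server_name on;                   # send SNI so the backend picks the right cert
        proxy_ssl_name keycloak.internal;           # name expected in the backend cert (assumed)
        proxy_ssl_verify on;                        # fail closed on an unknown or bad cert
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.crt;  # CA that signed it (assumed)
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Without `proxy_ssl_verify on` the hop is encrypted but the proxy would still accept any certificate, so the verification directives are the part that closes the MitM concern raised in the thread.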

  • scarecrow365@reddthat.com
    1 year ago

    Unless someone has physical access to the ports/switch that the traffic flows through, they would not be able to see anything besides broadcast/multicast traffic if they were just snooping with Wireshark. The internal switch of Proxmox and any hardware switch you have will forward unicast traffic to the ports those MACs reside on, so without port mirrors set up, no one but you should be able to see that traffic.

    • LufyCZ@lemmy.worldOP
      1 year ago

      I’ve got a firewall set up, services are only accessible through the reverse proxy; I was more concerned about something like logging into Keycloak and having the password leaked with MitM or another attack of the sort.

      • tvcvt@lemmy.ml
        1 year ago

        Gotcha. That makes sense. My own thoughts are that if you mitigate all of the attack surfaces you can, it ends up coming down to the robustness of the particular app. I’ve never played with Keycloak, so I can’t speak intelligently about that, but I’ve got authentik set up in a similar configuration. I limit access so the only way in is via either the reverse proxy or the PVE console and basically keep an ear out for security and software updates.

        As I type this, it occurs to me that perhaps there’s a fail2ban integration that could be added to limit credential guessing at the Keycloak web UI.

        • LufyCZ@lemmy.worldOP
          1 year ago

          I’ve got 2FA set up and required, so I’m not too worried about brute force attacks.