YouTube: @connectedsecure | Twitter: @SecureConnected
A comprehensive security and maintenance tool for Proxmox LXC containers that automates updates, security checks, virus scanning, and network diagnostics.
This script provides an all-in-one solution for maintaining and securing Proxmox VE containers. It performs system updates, security audits, virus scanning, and network diagnostics on all running containers while providing detailed reports and optional notifications.
- Comprehensive Security Checks: Scans all containers for security vulnerabilities, suspicious files, and unauthorized access attempts
- Virus Scanning: Built-in ClamAV integration for malware detection (uses host-based clamd for efficiency)
- Smart Network Diagnostics: Automatically detects and attempts to fix container network issues, including DNS problems
- Container Updates: Safely updates all Debian/Ubuntu-based containers using apt-get dist-upgrade for proper dependency handling
- Backup Functionality: Optional backups of containers before making changes
- Flexible Execution Modes: Run full maintenance, security-only checks, or updates-only
- Notification Options: Send detailed reports via Discord or email
- Interactive Setup: Easy-to-use wizard for first-time configuration
- Detailed Logging: Comprehensive logs and summary reports for review
- Kernel Update Detection: Identifies when host reboots are needed
- Proxmox VE 7.0 or higher
- Root access to the Proxmox host
- Internet connectivity for updates and virus definition downloads
- For email notifications:
  - Configured mail system (mailutils package)
  - SMTP setup for outbound mail
# Download the script
wget -O pvesecure https://raw.githubusercontent.com/yourusername/proxmox-tools/main/pvesecure
# Make it executable
chmod +x pvesecure
# Run it
sudo ./pvesecure
Simply run the script without arguments to use the interactive setup wizard:
sudo ./pvesecure
The wizard will guide you through selecting:
- Maintenance type (full, updates only, security only, virus scan only)
- Backup options
- Verbosity level
- Notification methods
For automated or scheduled runs, use command-line flags:
Options:
  -v, --verbose            Enable verbose output
  -f, --full               Run full maintenance (updates, security, virus scan)
  -b, --backup             Create backups before making changes
  -u, --update-only        Run only system updates
  -s, --security-only      Run only security checks and virus scan
  -vs, --virus-scan-only   Run only virus scan
  -d, --discord            Enable Discord notifications
  -e, --email EMAIL        Send email report to specified address
  -h, --help               Display this help message
Example commands:
# Run full maintenance with Discord notifications
sudo ./pvesecure -f -d
# Run only virus scanning with email report
sudo ./pvesecure -vs -e [email protected]
# Run updates only with verbose output and backups
sudo ./pvesecure -u -v -b
When running security scans that may take a long time to complete, you'll need a way to keep the process running even if you disconnect from your SSH session.
# Install tmux if not already present
apt install tmux -y
# Create a named session for the security scan
tmux new-session -s pvesecure_scan
# Now run the script in the tmux session
./pvesecure
# To detach while keeping the process running:
# Press Ctrl+B, then D
To reconnect to your session later:
# List available sessions
tmux list-sessions
# Reattach to your session
tmux attach-session -t pvesecure_scan
Advanced Security Options
For enhanced security in sensitive environments:
# Create a tmux session with restricted socket permissions
mkdir -p ~/.tmux_sockets
tmux -S ~/.tmux_sockets/pvesecure_socket new-session -s pvesecure_scan
chmod 700 ~/.tmux_sockets/pvesecure_socket
# To reattach later:
tmux -S ~/.tmux_sockets/pvesecure_socket attach-session -t pvesecure_scan
Alternative methods (not as secure as tmux):
Using Screen:
apt install screen -y
screen
./pvesecure
# Press Ctrl+A, then D to detach
# To reconnect: screen -r
Using nohup:
nohup ./pvesecure > pvesecure_output.log 2>&1 &
# Check status: ps aux | grep pvesecure
# View output: cat pvesecure_output.log
Discord Notifications
- Create a Discord webhook in your server (Server Settings → Integrations → Webhooks)
- Run the script with the -d flag or select Discord in the interactive menu
- Enter your webhook URL when prompted (it will be saved for future use)
Email Notifications
- Install the required package on your Proxmox host:
  apt-get install mailutils
- Configure your mail system (if not already set up):
  dpkg-reconfigure exim4-config
  For simple setups:
  - Choose "internet site" and follow the prompts
  For connection through an external provider:
  - Choose "mail sent by smarthost; no local mail"
  - Configure your SMTP server details when prompted
- Run the script with the email option:
  sudo ./pvesecure -e [email protected]
Security Checks
The script performs the following security checks on each container:
- Login Attempt Analysis: Scans auth.log for suspicious login attempts
- Rootkit Detection: Basic checks for signs of rootkits
- Open Ports: Identifies unexpected open ports and services
- File Permission Issues: Detects incorrect permissions on sensitive files
- Suspicious Processes: Looks for unusual running processes
Virus Scanning Architecture
The script uses an efficient approach to virus scanning:
- ClamAV is installed once on the Proxmox host (not on each container)
- The clamd daemon runs on the host
- Container filesystems are bind-mounted to the host
- The host's clamdscan scans the mounted filesystem
- Results are collected and reported
This architecture provides several advantages:
- Lower resource usage (single virus database in memory)
- Faster updates to virus definitions
- Up-to-date scanning engine for all containers
- No need to modify containers or install software inside them
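Because the host's clamdscan scans mounted container filesystems, detections come back as host-side paths. The following added example (not pvesecure's own code) maps each detection back to its container ID and in-container path, assuming container roots are mounted at /var/lib/lxc/<CTID>/rootfs as pct mount does; the function names and the sample output are constructed for illustration.

```sh
# Added example, not pvesecure's own code. Assumption: container roots are
# mounted at $MOUNT_BASE/<CTID>/rootfs (the layout `pct mount <CTID>` uses).
MOUNT_BASE="${MOUNT_BASE:-/var/lib/lxc}"

# map_findings: clamdscan output on stdin -> one line per detection as
# CTID <TAB> path inside the container <TAB> signature; other lines are dropped.
map_findings() {
  awk -v base="$MOUNT_BASE" '
    / FOUND$/ {
      line = $0
      sub(/ FOUND$/, "", line)
      # Split at the LAST ": " so file names containing ": " stay intact.
      pos = 0; off = 0; rest = line
      while ((i = index(rest, ": ")) > 0) {
        pos = off + i; off += i + 1; rest = substr(rest, i + 2)
      }
      path = substr(line, 1, pos - 1); sig = substr(line, pos + 2)
      prefix = base "/"
      if (index(path, prefix) != 1) next          # hit outside the mount base
      tail = substr(path, length(prefix) + 1)     # "101/rootfs/tmp/x"
      slash = index(tail, "/")
      ctid = substr(tail, 1, slash - 1)
      inner = substr(tail, slash)                 # "/rootfs/tmp/x"
      if (ctid !~ /^[0-9]+$/ || index(inner, "/rootfs") != 1) next
      inner = substr(inner, 8)                    # strip "/rootfs"
      if (inner == "") inner = "/"
      if (substr(inner, 1, 1) != "/") next        # e.g. "/rootfs-old/..."
      printf "%s\t%s\t%s\n", ctid, inner, sig
    }'
}

# infected_ctids: unique container IDs with at least one detection.
infected_ctids() { map_findings | cut -f1 | sort -u; }

# scan_mounted: scan every mounted root with the host clamd. --fdpass passes
# open descriptors to clamd, so the clamav user needs no read access itself.
scan_mounted() {
  clamdscan --fdpass --infected --no-summary "$MOUNT_BASE" | map_findings
}

# Constructed sample of clamdscan output (not from a real scan).
sample_output() {
  cat <<'EOF'
/var/lib/lxc/101/rootfs/tmp/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/var/lib/lxc/101/rootfs/srv/notes: draft.txt: Win.Test.EICAR_HDB-1 FOUND
/var/lib/lxc/104/rootfs/proc/kcore: Access denied. ERROR
/home/admin/download.bin: Win.Test.EICAR_HDB-1 FOUND
EOF
}
```

Running sample_output | map_findings shows the mapping without ClamAV installed; scan_mounted does the same against a live clamd on the host.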
Update Methodology
For container updates, the script:
- Uses apt-get update to refresh package lists
- Uses apt-get dist-upgrade (not regular upgrade) to properly handle dependency changes
- This follows Proxmox's official recommendation for system updates
The script generates two types of logs:
- Summary Report: A high-level overview of the maintenance run, including:
  - Number of containers processed
  - Update successes and failures
  - Network issues detected
  - Virus scan results
- Detailed Log: In-depth information about each container, including:
  - Command outputs
  - Error messages
  - Security check details
  - Network diagnostics
Logs are stored in /var/log/proxmox_maintenance/ with timestamps.
Setting up Cron Jobs
To run the script automatically, add it to your crontab:
# Edit crontab
crontab -e
# Add a line to run weekly at 3 AM on Sundays
0 3 * * 0 /path/to/pvesecure -f -d
Example schedules:
- Daily security-only scan at midnight:
  0 0 * * * /path/to/pvesecure -s -d
- Weekly full maintenance with backups on Saturday at 2 AM:
  0 2 * * 6 /path/to/pvesecure -f -b -d
- Monthly virus scan on the 1st at 4 AM:
  0 4 1 * * /path/to/pvesecure -vs -e [email protected]
Advanced settings can be modified at the top of the script:
- Log retention period
- Scan exclusion patterns
- Security check severity levels
- Network timeout values
Contributions are welcome! Please feel free to submit a Pull Request.
This script is released under the MIT License. See the LICENSE file for details.
This script makes changes to your Proxmox system and containers. It's recommended to test it in a non-production environment first and to enable the backup option during initial runs.