Reference · Baseline

Homelab Audit

Proxmox VE 9.1.1 · host 192.168.5.121 · read-only sweep, 2026-06-15

This is the factual floor the whole curriculum is built on. Each lesson targets a finding here. It's meant to be printed and re-checked — re-run the audit after each lesson and watch the severities turn green. Findings are ranked by blast radius × how much it teaches, not just raw severity.

Findings, ranked

Critical A · Zero backups

No vzdump jobs (/etc/pve/jobs.cfg absent), no Proxmox Backup Server, empty /var/lib/vz/dump/. All 13 guests are unrecoverable — a single disk failure, bad update, or fat-fingered pct destroy loses everything.

In the field: this is a failed DR/BCP posture — an RPO of ∞ and an RTO of "rebuild from scratch." → Lesson 1.

High B · Host firewall disabled

pve-firewall: disabled. No cluster.fw or host.fw; only the 16 default bridge/NAT iptables rules. Nothing enforces which networks may reach the host.

In the field: no network segmentation / no default-deny. → spine #2.

High C · SSH allows root + password login

PermitRootLogin yes and password authentication not disabled. Direct root over password is the single most-attacked door on the internet.

In the field: violates least-privilege & key-based identity. → spine #3.

High D · Transmission container is privileged

CT102 (unprivileged: 0) runs Docker + a public-internet VPN download client — the most exposed guest on the box — yet has the weakest isolation. A container escape here is a root-on-host escape.

In the field: the blast-radius problem — your riskiest workload has your weakest containment. → spine #4.

Medium E · rpcbind exposed on all interfaces

rpcbind listening on 0.0.0.0:111 (IPv4 + IPv6). Classic unnecessary attack surface and a known reflection/DDoS amplifier — and almost certainly unused.

In the field: attack-surface reduction — every open port is a liability you must justify. → spine #2/#4.

Medium F · 174 packages behind (42 security)

No unattended-upgrades installed; 174 upgradable, 42 of them security updates. Patch drift is how known, already-fixed CVEs become your breach.

In the field: vulnerability management & patch SLAs. → spine #5.

Medium G · No fail2ban

No brute-force protection on the SSH/web doors. With root+password login (C) still open, nothing slows a guesser.

In the field: brute-force defence / rate-limiting. → bundled with spine #3.

Medium H · No disk redundancy

Single SSD (OS + thin pool) and single NVMe (954 GB media). Both SMART PASSED, but no RAID/ZFS mirror — one drive death = data loss. Thin pool at 72% (warns at 75%).

In the field: redundancy ≠ backup; capacity headroom. → spine #6.

Low–Med I · Capacity pressure

Load avg ~4.75 on 4 cores; only 396 MiB RAM free with 2.2 GiB swap in use (Plex transcoding visible in top). Headroom is thin under load.

In the field: capacity planning & observability. → spine #6.
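The page asks for the audit to be re-run after each lesson. Below is an added POSIX shell re-check for findings A through H; it is example code written here, not the original audit script or any Proxmox tooling. Each check reads its evidence as text on stdin and returns 0 when the finding is closed and 1 when it is still open, so it can be exercised offline on constructed samples and then pointed at the live host with `--live`. Assumptions not on the page: the jobs.cfg layout (`vzdump: <id>` section header, `enabled 0` to switch a job off), the `Status: enabled/...` line printed by `pve-firewall status`, and the default thin-pool name `pve/data`; CT102 is the Transmission container named in finding D.

```shell
#!/bin/sh
# Re-check script for findings A-H (added example; not part of the original
# audit). Every check_* reads its evidence as text on stdin and returns
# 0 = finding fixed, 1 = still open, so the same function can be fed live
# command output or a constructed sample. Assumptions: jobs.cfg uses a
# "vzdump: <id>" section header with "enabled 0" to switch a job off,
# `pve-firewall status` prints a "Status: enabled/..." line, and the thin
# pool is the default pve/data.
set -u

# A (zero backups): a vzdump job is defined and no job is switched off.
check_backup_jobs() {
    cfg=$(cat)
    printf '%s\n' "$cfg" | grep -q '^vzdump:' &&
        ! printf '%s\n' "$cfg" | grep -q '^[[:space:]]*enabled[[:space:]]*0$'
}

# B (host firewall): pve-firewall reports itself enabled.
check_host_firewall() {
    grep -q '^Status: enabled'
}

# C (SSH): the effective config from `sshd -T` denies root-over-password
# and password logins entirely; key-only root (prohibit-password) is accepted.
check_sshd_effective() {
    cfg=$(cat)
    root=$(printf '%s\n' "$cfg" | awk '$1 == "permitrootlogin" { print $2 }')
    pw=$(printf '%s\n' "$cfg" | awk '$1 == "passwordauthentication" { print $2 }')
    case "$root" in no|prohibit-password|without-password) ;; *) return 1 ;; esac
    [ "$pw" = "no" ]
}

# D (privileged CT): `pct config <vmid>` shows unprivileged: 1.
check_ct_unprivileged() {
    grep -q '^unprivileged: 1$'
}

# E (rpcbind): nothing in `ss -lntu` output is bound to port 111.
check_no_rpcbind() {
    ! grep -q ':111[[:space:]]'
}

# F (patch drift): count lines of `apt list --upgradable` that come from a
# -security suite; the finding is closed when that count reaches zero.
count_security_updates() {
    grep -c -- '-security ' || true
}
check_patch_posture() {
    [ "$(count_security_updates)" -eq 0 ]
}

# G (fail2ban): `systemctl is-active <unit>` printed exactly "active".
check_service_active() {
    [ "$(cat)" = "active" ]
}

# H (capacity): `lvs --noheadings -o data_percent` stays below the 75% warn line.
check_thin_pool_headroom() {
    used=$(tr -d ' ' | cut -d. -f1)
    [ -n "$used" ] && [ "$used" -lt 75 ]
}

# report <letter> <description> <check-function>: prints one verdict line.
report() {
    letter=$1; desc=$2; shift 2
    if "$@"; then printf 'FIXED %s  %s\n' "$letter" "$desc"
    else        printf 'OPEN  %s  %s\n' "$letter" "$desc"; fi
}

# Live, read-only sweep: run as root on the node with `sh audit.sh --live`.
live_sweep() {
    command -v pveversion >/dev/null 2>&1 || { echo "not a Proxmox host, nothing to sweep"; return 0; }
    cat /etc/pve/jobs.cfg 2>/dev/null         | report A "vzdump backup job configured"      check_backup_jobs
    pve-firewall status                       | report B "host firewall enabled"             check_host_firewall
    sshd -T 2>/dev/null                       | report C "sshd denies root/password login"   check_sshd_effective
    pct config 102 2>/dev/null                | report D "CT102 (Transmission) unprivileged" check_ct_unprivileged
    ss -lntu                                  | report E "no listener on port 111"           check_no_rpcbind
    apt list --upgradable 2>/dev/null         | report F "no pending security updates"       check_patch_posture
    systemctl is-active fail2ban              | report G "fail2ban active"                   check_service_active
    lvs --noheadings -o data_percent pve/data | report H "thin pool below 75%"               check_thin_pool_headroom
}

if [ "${1:-}" = "--live" ]; then live_sweep; fi
```

Each verdict line maps back to a finding letter, so the printed sheet can be ticked off after every lesson. The checks parse effective state (`sshd -T`, `pct config`, `ss`) rather than the config files, which is why finding C is judged on what sshd actually enforces, not on whether a directive happens to appear in sshd_config.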

Already done right

Acknowledge these — they're solid:

Generated from a read-only audit. Re-run before each lesson to track progress.