proxguard

Experimental

Proxmox VE CIS security auditor.

GitHub repo → self-hosted · run from source
16 CIS-backed rules
6 scored categories
100% client-side, no data leaves the browser

WHAT IT DOES

ProxGuard is a browser-based Proxmox VE security auditor. Paste your actual config files (sshd_config, cluster.fw, user.cfg, storage.cfg, and the API token list) and it grades your security posture across six categories. Every rule traces back to a CIS Benchmark or a Proxmox-specific standard, and every failed check includes remediation steps and a copy-paste shell script to fix it. It also visualizes firewall rules with drag-drop reordering and automatic conflict detection, so you can spot shadowing, contradictions, and unreachable rules before they cause problems.

The entire audit runs client-side in your browser. No config data is sent anywhere. The app is React 19 + TypeScript on Vite, with Zustand for state and Recharts for the score and radar visualizations.

Status: experimental. ProxGuard is a self-hosted, browser-based app, not an MCP server, so there is no AI-client config block. It is not published to npm or any other registry; you run it from source.

HOW SCORING WORKS

16 rules across 6 weighted categories. SSH and firewall carry the most weight because they are the most common attack surface on internet-facing Proxmox hosts. Each failed rule deducts from its category by severity (Critical -40, High -25, Medium -10, Info -5), and the weighted total maps to a letter grade: A (90+), B (80-89), C (70-79), D (60-69), F (under 60).

SSH · 25%
Root login, password auth, default port, max auth tries.
Firewall · 25%
Cluster firewall enabled, default policies, rule existence.
Authentication · 20%
2FA enrollment, root API tokens, overpermissive roles.
Container · 15%
Privileged containers, nesting enabled.
Storage · 10%
NFS root_squash, CIFS permissions.
API · 5%
Admin token privileges, token expiration.
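
The scoring model above, worked through for the SSH category as an added example (not ProxGuard's source code). The weights, severity deductions and grade bands are the ones stated here; the per-rule severities, the pass criteria (PermitRootLogin must be "no", MaxAuthTries at most 4) and the assumption that each category starts at 100 and floors at 0 are illustrative.

```typescript
// Added example, not ProxGuard's source. Weights, deductions and grade bands are the
// page's; rule severities, pass criteria and the 100-to-0 category range are assumed.
type Severity = "Critical" | "High" | "Medium" | "Info";
const DEDUCT: Record<Severity, number> = { Critical: 40, High: 25, Medium: 10, Info: 5 };
const WEIGHTS: Record<string, number> = { ssh: 25, firewall: 25, authentication: 20, container: 15, storage: 10, api: 5 };

// Global sshd_config directives. sshd keeps the FIRST value of a keyword (Port is
// cumulative), keywords are case-insensitive, and Match blocks are conditional,
// so parsing stops at the first Match line.
function parseSshd(text: string): Map<string, string> {
  const seen = new Map<string, string>();
  for (const raw of text.split(/\r?\n/)) {
    const parts = raw.replace(/#.*$/, "").trim().split(/[\s=]+/);
    const k = (parts[0] ?? "").toLowerCase();
    if (!k) continue;
    if (k === "match") break;
    const val = parts.slice(1).join(" ").toLowerCase();
    if (k === "port") seen.set(k, ((seen.get(k) ?? "") + " " + val).trim());
    else if (!seen.has(k)) seen.set(k, val);
  }
  return seen;
}

// The four SSH rules named on the page. A directive that is absent falls back to
// the OpenSSH default (PermitRootLogin prohibit-password, PasswordAuthentication
// yes, Port 22, MaxAuthTries 6), so an empty file fails all four.
function auditSsh(text: string): Severity[] {
  const c = parseSshd(text);
  const fails: Severity[] = [];
  if ((c.get("permitrootlogin") ?? "prohibit-password") !== "no") fails.push("Critical");
  if ((c.get("passwordauthentication") ?? "yes") !== "no") fails.push("High");
  if ((c.get("port") ?? "22").split(" ").indexOf("22") !== -1) fails.push("Info");
  if (Number(c.get("maxauthtries") ?? "6") > 4) fails.push("Medium");
  return fails;
}

function categoryScore(fails: Severity[]): number {
  return Math.max(0, 100 - fails.reduce((sum, s) => sum + DEDUCT[s], 0));
}

function grade(scores: Partial<Record<string, number>>): { total: number; letter: string } {
  const total = Object.entries(WEIGHTS).reduce((t, [cat, w]) => t + w * (scores[cat] ?? 100), 0) / 100;
  const letter = total >= 90 ? "A" : total >= 80 ? "B" : total >= 70 ? "C" : total >= 60 ? "D" : "F";
  return { total, letter };
}

// Constructed sample: sshd ignores the second PermitRootLogin, so root login stays enabled.
const SAMPLE = "permitrootlogin yes\nPermitRootLogin no\nPasswordAuthentication no\nPort 2222\n";
```

With every other category at 100, the two SSH failures in the sample alone drop the overall grade from A to B.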

FEATURES

Security audit engine
Paste config files, get a letter grade (A-F) with detailed findings.
CIS Benchmark rules
16 rules mapped to CIS Debian 11 and Proxmox-specific (PVE-*) standards.
Remediation scripts
Every failed check ships copy-paste shell commands to fix the issue.
Firewall visualization
List view of all rules with color-coded direction indicators.
Conflict detection
Five types: shadowing, contradictions, unreachable, port overlap, protocol mismatch.
Drag-drop reordering
Reorder rules by dragging and see the priority impact instantly.
Audit trail
Immutable changelog showing who changed what and when.
Demo configs
Insecure (F), partial (C), and hardened (A) samples to try without a cluster.

RUNNING IT

Prerequisites: Node.js 20+. Clone the repo, install, and start the Vite dev server. There is no backend to configure; everything runs in the browser.

$ git clone https://github.com/solomonneas/proxguard.git
$ cd proxguard
$ npm install
$ npm run dev

Open http://localhost:5190, go to the Audit tab, and paste your config files (or load one of the built-in demo configs). ProxGuard parses each file, runs all 16 rules, and generates the report. No data leaves your machine.