Protect ProxMox & TrueNAS Scale w/ CrowdStrike


In the state of Oregon, education institutions with PACE insurance (and many others) are beginning to require not just antivirus, but antivirus with Endpoint Detection and Response (EDR). We chose to go with Crowdstrike, which, despite having the world's cringiest product names, actually provides a cheap, well-functioning base product in their Falcon antivirus. It also comes with an agent for nearly every OS you'd want it on, and the agent runs flawlessly on ProxMox and TrueNAS Scale. Since both are based on Debian, the install process for both is identical.

Once you have an account, the agents can be downloaded via the Hamburger menu in the top left > Host setup and management > Sensor Downloads.
At the top of the page, copy your Customer ID. You will need it for the install later.
There are separate downloads for Ubuntu and Debian based distros. Both are .deb files (and in all honesty either will likely work on most platforms), but for TrueNAS Scale & ProxMox you're going to want the Debian version.

You now need to get that file over to your TrueNAS/ProxMox host. The easiest way to do that, especially on headless machines, is probably SCP. SCP uses SSH to transfer files securely. I didn't have to install it manually on any of our Debian machines, but if need be it's as simple as:

sudo apt update && sudo apt install openssh-client   # scp is part of openssh-client; there is no separate "scp" package on Debian

Open a terminal and use scp like so:

scp /[Path-To]/falcon-sensor.deb [username]@[Server-IP]:/[Destination-Path]

Which might look something like

scp /home/user/Download/falcon-sensor.deb root@10.0.10.10:/root/

Assuming SSH is set up correctly you'll be asked for a password, then your file will be dropped in /root/falcon-sensor.deb

Now pop over to the server you transferred the file to, and run the following:

First, update your package repos:

sudo apt update

Now install the random dependency before it screams at you:

sudo apt install libnl-genl-3-200

Now install the actual Sensor itself:

sudo dpkg -i /[Path-To]/falcon-sensor.deb

Now configure the Falcon Sensor to attach to your account:

sudo /opt/CrowdStrike/falconctl -s --cid=YOUR-CUSTOMER-ID-GOES-HERE

Now enable and start the service:

sudo systemctl start falcon-sensor
sudo systemctl enable falcon-sensor
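The steps above as one script, added here as an example (it is not from the original post or from CrowdStrike): it adds the pre-flight checks you want before touching a hypervisor or NAS (running as root, the .deb actually present, the Customer ID looking like a real one) and a post-install verification so you know the sensor is installed, attached to your CID and running. The CID shape (32 hex characters, a dash, a 2-character checksum) and grepping the falconctl output for the CID are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes a Debian-based
# ProxMox / TrueNAS Scale host with falcon-sensor.deb already copied over.
set -eu

# A Falcon Customer ID is assumed to be 32 hex characters, a dash, then a
# 2-character checksum (e.g. 0123456789ABCDEF0123456789ABCDEF-4A).
validate_cid() {
  printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{32}-[0-9A-Fa-f]{2}$'
}

# Checks the end state the post describes: package installed, CID set,
# service active and enabled. Prints which check failed so you know which
# step to redo; returns non-zero if any check fails.
verify_sensor() {
  cid="$1"; rc=0
  dpkg -s falcon-sensor >/dev/null 2>&1 \
    || { echo "falcon-sensor package is not installed"; rc=1; }
  # Compare only the 32-hex part: falconctl may or may not print the checksum.
  /opt/CrowdStrike/falconctl -g --cid 2>/dev/null | grep -qi "${cid%-*}" \
    || { echo "sensor CID is not set to the expected Customer ID"; rc=1; }
  systemctl is-active --quiet falcon-sensor \
    || { echo "falcon-sensor service is not running"; rc=1; }
  systemctl is-enabled --quiet falcon-sensor \
    || { echo "falcon-sensor service is not enabled at boot"; rc=1; }
  return $rc
}

install_sensor() {
  deb="$1"; cid="$2"
  [ "$(id -u)" -eq 0 ] || { echo "run as root (or via sudo)" >&2; return 1; }
  [ -f "$deb" ] || { echo "package not found: $deb" >&2; return 1; }
  validate_cid "$cid" \
    || { echo "this does not look like a Falcon Customer ID: $cid" >&2; return 1; }
  apt-get update
  apt-get install -y libnl-genl-3-200        # the dependency dpkg would otherwise complain about
  dpkg -i "$deb"
  /opt/CrowdStrike/falconctl -s --cid="$cid"
  systemctl enable --now falcon-sensor       # enable + start in one go
  verify_sensor "$cid"
}

# Usage: sudo ./install-falcon.sh /root/falcon-sensor.deb YOUR-CUSTOMER-ID
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  install_sensor "$1" "$2"
fi
```

Run verify_sensor on its own after a reboot or a TrueNAS upgrade to confirm the sensor came back up.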

Done! Now head back to the Host Management section of the CrowdStrike Dashboard, and after a few minutes you should see Debian appear in the list of OSes to filter by:

Our hosts, present, and pulling default policy.

By default there are no firewall rules, but the Antivirus is set pretty aggressively.

I may dig in to optimal settings for ProxMox in another post, but for now you can tweak the policies to your heart's content! Just try not to break anything.

Edit: I did encounter one oddball issue. Having the Crowdstrike falcon-sensor service running prevented me from successfully upgrading TrueNAS Scale. It's a simple command to shut it off, after which you can upgrade, reboot, and it will happily start itself up again.

sudo systemctl stop falcon-sensor