Skip to content
ProtocolPorts

Port reference

Port 8006 (TCP) – Proxmox VE Web UI

Default HTTPS port for the Proxmox VE web management interface, controlling all virtual machines and containers on the host.

tcpRegisteredCommonly attacked

Default state

Open on Proxmox VE hosts; serves HTTPS, typically with a self-signed certificate, bound to all interfaces.

Common attacks

  • Credential brute force and password spraying against the web login
  • Cleartext/weak-cert interception and MITM on self-signed TLS
  • Exploitation of Proxmox VE / API vulnerabilities for auth bypass or RCE
  • Full host and VM takeover after a successful login

Hardening

  • Never expose 8006 to the internet; restrict to a management VLAN, VPN, or bastion
  • Use strong unique credentials, MFA/TOTP, and Linux PAM or two-factor realms
  • Replace the self-signed certificate with a trusted one and verify TLS
  • Apply least-privilege roles via the Proxmox permission system
  • Keep Proxmox VE patched and enable the built-in firewall and fail2ban

nmap snippet

nmap -p8006 --script ssl-cert,http-title,http-auth <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 8006?

Port 8006 is the default HTTPS port for the Proxmox VE web management interface, reachable at https://host:8006/. Proxmox VE is an open-source virtualization platform, and this UI controls every virtual machine and container on the host — along with storage, networking, backups, and the host configuration itself. It usually ships with a self-signed certificate.

Why it matters for security

The Proxmox UI is the control plane for an entire hypervisor, so a compromise of 8006 means takeover of all VMs and containers on the host — and often the underlying Linux system as root. Because Proxmox binds the interface to all addresses and uses a self-signed certificate by default, exposed and weakly-protected instances are common and high-value targets.

How it's attacked

Attackers brute-force and password-spray the web login and exploit the self-signed certificate for MITM on poorly segmented networks. They chain known Proxmox VE or API vulnerabilities for authentication bypass or remote code execution. After a successful login they gain full host and VM control, enabling data theft, ransomware, or pivoting across guests.

Hardening checklist

Never expose 8006 to the internet — restrict it to a management VLAN, VPN, or bastion. Use strong unique credentials with MFA/TOTP and PAM or two-factor realms, replace the self-signed certificate with a trusted one, and apply least-privilege roles through Proxmox's permission system. Keep Proxmox patched, enable the built-in firewall and fail2ban. The nmap snippet inspects the certificate, title, and auth on systems you are authorized to test.

Related ports

Port 22Port 443Port 3128Port 5900

Frequently asked questions

What is port 8006 used for?
It is the default HTTPS port for the Proxmox VE web management interface, reachable at https://host:8006/. From it an administrator controls every virtual machine, container, storage pool, and the host itself.
Is it safe to expose port 8006 to the internet?
No. The Proxmox UI controls all VMs and containers on the host, so a compromise is a full virtualization takeover. Restrict 8006 to a management VLAN, VPN, or bastion, enforce MFA, replace the self-signed certificate, and keep Proxmox patched.