Proxmox Virtual Environement, allows to create containers based on LXC. These containers are lighter than Virtual machines.

Prerequisites : an USB on which the Proxmox ISO is flashed and a host which will be the server.

Installation

Put the USB key in the USB port and boot the PC on the key to start the installation. A window appears with the option « Install Proxmox VE », select them.

On the next page, accept the license.

Select your country to have the right keyboard settings, confirm, then write the root’s password, which will be use to access to the web interface, and an email address.

Then, others settings, like the FQDN, the network, the netmask and the name of the server are asked.

In my way, this server is on my home network, so it will have an address from the livebox, which start in 192.168.1.X /24. The gateway and the DNS will be the livebox.

After have click on Next, check the summary and start the installation.

Once the installation is ended, the server reboot and ask to remove the USB key.

Once the installation is ended, the server reboot and ask to remove the USB key. Now, you have to connect on the web interface thanks to the IP address (which was set before) and the port 8006, like that: https://<Server_IPaddress>:8006.

Use root’s credentials.

Welcome !!!

Server configuration ans protection.

In the first time, we will configure the sources so that the updates are done from the repositories « no-subscription ».

In the directory /etc/apt/sources.list.d edit the file pve-enterprise.list. Put in comment the line.

Create the file pve-no-subscription, insert the following lines.

deb http://ftp.debian.org/debian bullseye main contrib
deb http://ftp.debian.org/debian bullseye-updates main contrib

# PVE pve-no-subscription repository provided by proxmox.com,
# NOT recommended for production use
deb http://download.proxmox.com/debian/pve bullseye pve-no-subscription

# security updates
deb http://security.debian.org/debian-security bullseye-security main contrib

Update the server

apt update
apt upgrade -y

Configuration of /etc/sysctl.conf: insert the lines:

net.ipv4.ip_forward = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.default.proxy_arp = 0
# Enables source route verification
net.ipv4.conf.all.rp_filter = 1
# Enables the magic-sysrq key
kernel.sysrq = 1
# We do not want all our interfaces to send redirects
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
#Blocage ICMP
net.ipv4.icmp_echo_ignore_all=1

Load the configuration.

sysctl -p

Then, we will configure the firewall to allow connections from the server, block the connections from the Internet and perform a port forwarding for the containers.

Copy firewall_Host.sh and MyNatRules.config in the directory /etc/init.d.

firewall_Host.sh*

#! /bin/bash
### BEGIN INIT INFO
# Provides:       my-start-script
# Required-Start:    \$local_fs \$syslog
# Required-Stop:     \$local_fs \$syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: starts my-start-script
# Description:       starts my-start-script using start-stop-daemon
### END INIT INFO


# script /etc/firewall_HOST.sh  (mode 700 - root)
# Valable pour tous les HNs (Fronts et Backs) de l'infra.
##############################################################
###			ATTENTION			###### 
###  Les règles diffèrent selon qu'on soit sur un Host	###### 
###  de type frontal ou backend. Règles nat différentes	###### 
###  et pas de trafic HTTP sur les backs, notamment	######
###							######
###           LIGNES CONCERNEES = 84 à 102		######
###                                                     ######
##############################################################

MyNatRules.config*

#!/bin/bash

## Rules for the CT 100

An example of rules for the container n°100. To add rules, copy – paste of the lines and change the destination ports for each CT.

Change the rights to allow files to be executed.

chmod 600 MyNatRules.config 
chmod 700 firewall_Host.sh

In firewall_Host.sh change the ssh port of the server. This is more secure. The port 22 is the default port and is scanned during an attack. When you use a different port, higher than 1024, it’s more complicated to find out which is the right port. The ports from 10,000 to 20,000 are used in dynamic allocation, it is wise to choose a port between 20,000 and 65,536.

Make the same change in /etc/ssh/sshd_config

Restart the ssh service and the firewall

service ssh restart
/etc/init.d/./firewall_Host.sh

List the rules of the firewall:

iptables -L

Add user and disable root login.

We will disable the connection ssh for the root login. But, we need to have an access to the server. So, create a new user.

adduser <nom_user>

When the user is created, add him to the sudo group. If the command is not already installed, add it.

apt install sudo
usermod -aG sudo <nom_user>

Disable the root login in /etc/ssh/sshd_config

permitloginroot no

In this file, uncomment the two following lines:

PubkeyAuthentication yes
AuthorizedKeysFile 

In your local computer, create a pair of keys. (One private key and one public key).

ssh-keygen -t ed25519

In /home/user, make a directory which call .ssh, then create a file authorized_keys. In this file paste the public key.

Change sshd_config to disable authentication with a password and restart the ssh service.

# In the file sshd_config
PasswordAuthentification no

# restart of the ssh service
service ssh restart

To connect to the server, use the command:

ssh -p <n°port> -i <path_and_name_private_key> <user>@<IP_address_server>

Configuration VMBR1

The server is secure, now, we will configure the VMBR1 so that the future containers communicate with the outside.

Make a copy of the file /etc/network/interfaces (this copy is used as a backup), edit the file and add the following lines:

auto vmbr1
iface vmbr1 inet static
	address 192.168.1.254/24
	bridge_ports none
	bridge_stp off
	bridge_fd 0
	post-up echo 1 > /proc/sys/net/ipv4/ip_forward
	post-up iptables -t nat -A POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j MASQUERADE
	post-down iptables -t nat -D POSTROUTING -s '192.168.1.0/24' -o vmbr0 -j MASQUERADE

Modification in the file /etc/init.d/firewall_Host.sh

# In the section DEBUT DES REGLES
# to the lines:
### On NAT par la SOURCE toutes les connexions sortantes des CTs
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE

# change the address of the network depending on the network of the VMBR1

Now, configuration of the firewall to start automatically. When you are placed in the directory /etc/init.d/ type the command:

update-rc.d firewall_Host.sh defaults

Implementation of two-factor authentication

To end, we will set up the two-factor authentication. With the GUI, when you are placed on datacenter, click on permissions, users, two factors, add, TOTP. Add a description and scan the Qrcode with Google Authenticator. Then type the key which is displayed on your smartphone to confirm the two-factor authentication.

Our server is set up

In the next post, we will see how to create a container.

Sources:

Screnshots of the installation of the server come from:

https://www.it-connect.fr/comment-installer-proxmox-ve-7-0-et-creer-sa-premiere-vm/

The configuration files were created with the help of elgo.org

*Scripts are no longer displayed in articles. To get them, please contact me.