First steps in Proxmox

Requirements:
  • You have an account at console.online.net
  • You have a Dedibox dedicated server
  • You have launched the installation of Proxmox VE from the management console

Proxmox is a virtualization distribution like ESXi, based on Debian. Manageable from a web interface, it allows you to quickly implement virtualized systems based on OpenVZ or KVM.

In this tutorial we will take the first steps in Proxmox and its securization. When using ESXi the security setup on the host is minimal, however as Proxmox is based on Debian there will be some best practices to consider when installing it.

Although Proxmox can be used completely free of charge, we recommend to purchase a license. Especially in professional environments, to have access to security updates and the latest stable release: https://www.proxmox.com/en/proxmox-ve/pricing

Changing the hostname

To change the hostname; we have to start by modifying two files:

/etc/hostname : Here you have to enter the subdomain of it, for example for proxmox.online.net, you have to enter proxmox

/etc/hosts : By default you will have something like the following:

195.154.xx.xx 	sd-32196.dedibox.fr sd-32196

Modify it so it correspondents to your domains:

195.154.xx.xx 	proxmox.online.net proxmox

To take the changes into effect without rebooting your server, run the following command:

sudo hostname proxmox.online.net

Now you can restart the service pve-cluster to recreate the folders:

service pve-cluster restart

Go now to the concerned folder and move the configuration files of your VMs:

cd /etc/pve/nodes && mv sd-xxxxx/* proxmox/
Obviously you have to adapt it depending of the number of your server and its new hostname.

Once this is done, we invite you to reboot your server to take the changes into effect.

Useful tricks

If you do not want to buy a Proxmox license, you might want to remove the message at each connection, prompting you to take a license.

To do it, you have to edit the file /usr/share/pve-manager/ext4/pvemanagerlib.js and search for the following line:

if (data.status !== 'Active') {

Replace it with:

if (false) {

Thereafter the message will not be shown anymore.

Don't forget to empty your browsers cache to force the JS to be reloaded.

===

You can also remove the repository linked to the “stable” updates of Proxmox, because you will see an error each time you do an apt-get update without subscribing to their service:

rm /etc/apt/sources.list.d/pve-enterprise.list

Do not worry, there is normally always the following line in your /etc/apt/source.list :

deb http://download.proxmox.com/debian wheezy pve-no-subscription

This allows you to get the updates.

However there will be no support in case of problems without a valid subscription.

Configuration of Fail2Ban

This configuration follows our tutorial about Fail2Ban.

Add the following lines to your Fail2Ban configuration file:

[proxmox]
enabled = true
port    = https,http,8006
filter  = proxmox
logpath = /var/log/daemon.log

Then create the filter rules in the file /etc/fail2ban/filter.d/proxmox.conf:

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 569 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

This will automatically detect the connection attemps to your Proxmox panel and bans, as for SSH, the IPs in question.

To activate the configuration, you have to restart the Fail2Ban service:

sudo service fail2ban restart

Go further

This is just a basic preparation of the security of your host. You can for example:

  • Configure a firewall for DROPPING all unwanted traffic
  • Authenticate yourself in SSH only using keys (without passwords)
  • Limit the access to certain IPs only
  • etc…