In this article I document how I installed Proxmox VE on one Hetzners dedicated servers. Proxmox Virtualisation Environment is a complete open source server virtualization management solution. It is based on KVM virtualization & container-based virtualization and manages virtual machines, storage, virtualized networks, and HA Clustering.

I purchased one of Hetzner's servers from their server auction page which included an i7 920 CPU, 24GB DDR3 RAM, Adaptec HW RAID with 2x750GB & 2x3TB hard drives with each pair configured as RAID1.

Debian install

As a first step, I install Debian Squeeze, 64 bit minimal. Before, I ordered my EX4 server at Hetzner, it was few hours and I had the IP address and root password. So, login to Heztner Robot, activate the rescue system, write down the temporary root password, and reboot. Then login again via SSH as root, with the temporary password and start the installimage script. Select Debian 6.0 64 bit minimal in Linux, in the config file change the hostname and configure the partitions to your personal preference. On the 750GB device I'm using 500 MB for the /boot and the rest is divided into 3 volume groups. As logical volumes, I setup 8GB for swap, 100GB for /root, 100GB for /home and the rest for /var. Save the config file, and wait for the partition to finish writing.

At this point make sure to change the temporary root password with passwd to something more private.

Initial Host setup

To get rid of some warnings, reconfigure system locales with dpkg-reconfigure locales. Select the local language, as a second language, next to the English, but set English for the system language. Als timezone should be checked with dpkg-reconfigure tzdata.

Than add the first user with sudo rights and reconfigure the SSH configs to get basic security in place. Be careful with these steps as the potential is there to lock yourself out, and have to go back to the beginning.

Install sudo which will allow non-root users to execute root commands:
apt-get install sudo

Now we are going to setup some new directories for Proxmox storage and backup. Become root via sudo, and:

Proxmox VE 3.x Installation

 b. internal authentication (Citadel will use its own internal user accounts database) 

Create user for Proxmox web interface

pveum useradd yourusername@pam -comment 'Wepoca'

Optionally change password or leave the same as the linux user:
pveum passwd yourusername@pam

Finally, add user to the admin group:
pveum usermod yourusername@pam -group admin

Then log in as yourusername@pam to the Proxmox web interface using the IP of your EX4 host from Hetzner https://<your-IP>:8006/

As a first config over the web, you can set the keyboard locale at Datacenter --> Options --> keyboard, according to your preference.

Set also the storage for Proxmox over Datacenter --> Storage, as defined above, for ISO and for backup files. Do not forget to add the Proxmox user (yourusername in this excersice) in Datacenter --> Users.

In the next tutorial I'll follow-up with how to setup the network and how to install and configure a firewall called Shorewall which is a kind of a front-end to iptables/netfilter.

Introduction

When you first create a new Debian 8 server, there are a few configuration steps that you should take early on as part of the basic setup. This will increase the security and usability of your server and will give you a solid foundation for subsequent actions.

Step One — Root Login

If you are not already connected to your server, go ahead and log in as the root user using the following command (substitute the highlighted word with your server's public IP address):

ssh root@SERVER_IP_ADDRESS

Complete the login process by accepting the warning about host authenticity, if it appears, then providing your root authentication (password or private key). If it is your first time logging into the server, with a password, you will also be prompted to change the root password.

Step Two — Create a New User

Once you are logged in as root, we're prepared to add the new user account that we will use to log in from now on.

This example creates a new user called youruser but you should replace it with a user name that you like:

adduser youruser

You will be asked a few questions, starting with the account password.

Enter a strong password and, optionally, fill in any of the additional information if you would like. This is not required and you can just hit "ENTER" in any field you wish to skip.

Step Three — Root Privileges

Now, we have a new user account with regular account privileges. However, we may sometimes need to do administrative tasks.

To avoid having to log out of our normal user and log back in as the root account, we can set up what is known as "super user" or root privileges for our normal account. This will allow our normal user to run commands with administrative privileges by putting the word sudo before each command.

Install Sudo

Debian 8 doesn't come with sudo installed, so let's install it with apt-get.

First, update the apt package index:

apt-get update

Then use this command to install sudo:

apt-get install sudo

Now you are able to use the sudo and visudo commands.

Grant Sudo Privileges

To add these privileges to our new user, we need to add the new user to the "sudo" group. By default, on Debian 8, users who belong to the "sudo" group are allowed to use the sudo command.

As root, run this command to add your new user to the sudo group (substitute the highlighted word with your new user):

adduser yourusersudo

Now your user can run commands with super user privileges!

Step Four — Add Public Key Authentication (Recommended)

The next step in securing your server is to set up public key authentication for your new user. Setting this up will increase the security of your server by requiring a private SSH key to log in.

Generate a Key Pair

If you do not already have an SSH key pair, which consists of a public and private key, you need to generate one. If you already have a key that you want to use, skip to the Copy the Public Key step.

To generate a new key pair, enter the following command at the terminal of your local machine (ie. your computer):

ssh-keygen

Assuming your local user is called "youruser", you will see output that looks like the following:

Generating public/private rsa key pair.
Enter file in which to save the key (/Users/youruser/.ssh/id_rsa):

Hit return to accept this file name and path (or enter a new name).

Next, you will be prompted for a passphrase to secure the key with. You may either enter a passphrase or leave the passphrase blank.

Note: If you leave the passphrase blank, you will be able to use the private key for authentication without entering a passphrase. If you enter a passphrase, you will need both the private key and the passphrase to log in. Securing your keys with passphrases is more secure, but both methods have their uses and are more secure than basic password authentication.

This generates a private key, id_rsa, and a public key, id_rsa.pub, in the .ssh directory of the localuser's home directory. Remember that the private key should not be shared with anyone who should not have access to your servers!

Copy the Public Key

If your local machine has the ssh-copy-id script installed, you can use it to install your public key to any user that you have login credentials for.

Run the ssh-copy-id script by specifying the user and IP address of the server that you want to install the key on, like this:

ssh-copy-id youruser@SERVER_IP_ADDRESS

After providing your password at the prompt, your public key will be added to the remote user's .ssh/authorized_keys file. The corresponding private key can now be used to log into the server.

Now you may SSH login as your new user, using the private key as authentication.

To read more about how key authentication works, read this tutorial: How To Configure SSH Key-Based Authentication on a Linux Server.

Step Five — Configure SSH

Now that we have our new account, we can secure our server a little bit by modifying its SSH daemon configuration (the program that allows us to log in remotely) to disallow remote SSH access to the root account.

Begin by opening the configuration file with your text editor as root:

nano /etc/ssh/sshd_config

Here, we have the option to disable root login through SSH. This is generally a more secure setting since we can now access our server through our normal user account and escalate privileges when necessary.

To disable remote root logins, we need to find the line that looks like this:

#PermitRootLogin yes

You can modify this line to "no" like this if you want to disable root login:

PermitRootLogin no

Disabling remote root login is highly recommended on every server!

When you are finished making your changes, save and close the file using the method we went over earlier (CTRL-X, then Y, then ENTER).

Reload SSH

Now that we have made our changes, we need to restart the SSH service so that it will use our new configuration.

Type this to restart SSH:

systemctl restart ssh

Now, before we log out of the server, we should test our new configuration. We do not want to disconnect until we can confirm that new connections can be established successfully.

Open a new terminal window. In the new window, we need to begin a new connection to our server. This time, instead of using the root account, we want to use the new account that we created.

ssh youruser@SERVER_IP_ADDRESS

You will be prompted for the new user's password that you configured. After that, you will be logged in as your new user.

Remember, if you need to run a command with root privileges, type "sudo" before it like this:

sudo command_to_run

If all is well, you can exit your sessions by typing:

exit

In the second part of the series I'm going to setup routed networking on a root server from Hetzner, for OpenVZ based virtualization and with various UNIX guests. These guests will be web-servers and database-servers, connected by a private LAN with an internal bridge NAT'd to eth0 of the host. Shorewall & Fail2ban will help to get the proper networking and security in place.

In this article you can learn how to setup the host, with Proxmox 2.x VE on Hetzner EX4, with Debian Squeeze 64 bit.

Kernel settings

The target setup requires some deviation from the default kernel settings of Debian: IP forwarding and Proxy ARP should be set. Edit /etc/sysctl.conf as follows:

### Hetzner Online AG installimage
# sysctl config
net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.proxy_arp=1
net.ipv4.conf.default.proxy_arp=1

Network settings

Change the following four files accordingly.

/etc/hosts

Add here the public IP of your server and the hostname.

127.0.0.1 localhost
PUBLIC_SERVER_IP myhost.hu myhost

/etc/hostname

Once again just the plain hostname goes into here.

myhost

/etc/resolv.conf

Here you should list the nameservers of Hetzner, optionally of others, as well.

### Hetzner Online AG installimage
# nameserver config
nameserver 213.133.99.99
nameserver 213.133.100.100
nameserver 213.133.98.98

/etc/network/interfaces

First of all, get these three IP addresses from the original /etc/network/interface file, and write it down: PUBLIC_SERVER_IP, SERVER_GATEWAY and BROADCAST_ADDRESS. Then, ADDITIONAL_SERVER_IP is the second public IP address, what I ordered additionally.

I setup three network bridges on the host:

• vmbr0 will handle the second public IP (ADDITIONAL_SERVER_IP), and the guest on this bridge will appear on on the Internet with this public IP. I'll use it for the guest running the Pound load balancer.
• vmbr1 will be a private LAN for all the guest, but through vmbr1 the guests will be able to go out to the Internet, it will be NAT-et through the host interface.
• vmbr2 is also a private LANs to connect the guests with each other, but completely isolated from Internet.

For the final working setup Shorewall must be also up and running. Without Shorewall, you can still test this setup, if you comment out the line below the comment lines "# use only if Shorewall is down:", in both vmbr0 and vmbr1 brigde configs.

### Hetzner Online AG - installimage
# Loopback device:
auto lo
iface lo inet loopback
#
# external interface of the host
auto eth0
iface eth0 inet static
address PUBLIC_SERVER_IP
netmask 255.255.255.255
gateway SERVER_GATEWAY
broadcast BROADCAST_ADDRESS
pointopoint SERVER_GATEWAY
#
# bridge for VMs with public IPs (DMZ)
auto vmbr0
iface vmbr0 inet static
address PUBLIC_SERVER_IP
netmask 255.255.255.255
broadcast BROADCAST_ADDRESS
bridge_ports none
bridge_stp off
bridge_fd 0
# use only if Shorewall is down:
# up ip route add ADDITIONAL_SERVER_IP/32 dev vmbr0
#
# bridge for internal LAN with private IPs
auto vmbr1
iface vmbr1 inet static
address 192.168.0.1
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0
# use only if Shorewall is down
# post-up iptables -t nat -A POSTROUTING -s '192.168.0.0/24' -o eth0 -j MASQUERADE
# post-down iptables -t nat -D POSTROUTING -s '192.168.0.0/24' -o eth0 -j MASQUERADE
#
# bridge for second internal LAN with private IPs
auto vmbr2
iface vmbr2 inet static
address 10.10.10.1
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0

The Shoreline Firewall, more commonly known as “Shorewall”, is high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables, iptables-restore, ip and tc utilities, Shorewall configures Netfilter and the Linux networking subsystem to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter's ipchains compatibility mode and can thus take advantage of Netfilter's connection state tracking capabilities.

Shorewall firewall settings

Shorewall install and initial config

First of all, install Shorewall:
apt-get install shorewall

You probably noticed a warning message at the end of the Shorewall installation, telling you the program will not start unless you change the /etc/default/shorewall file. You can do this by changing

startup = 0

to

startup = 1

Next, edit /etc/shorewall/shorewall.conf and change the following values:

IP_FORWARDING=Keep
DISABLE_IPV6=No

to:

IP_FORWARDING=On
DISABLE_IPV6=Yes

And two simple tricks for quality. First, always check the Shorewall config files for correct syntax:
shorewall check
To switch temporary to the new config, but return to the old ones after 60 seconds:
shorewall try /etc/shorewall 60

Network config in Shorewall

The following config files implement then the required firewall functionality, as well as the target network setup. For more details please refer to Shorewall docs.

/etc/shorewall/zones

# http://linux.die.net/man/5/shorewall-zones
#ZONE   TYPE   OPTIONS   IN       OUT
#                        OPTIONS  OPTIONS
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

/etc/shorewall/interfaces

# http://linux.die.net/man/5/shorewall-interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net   eth0      detect logmartians,tcpflags,nosmurfs
dmz   vmbr0     detect logmartians,bridge,routefilter,tcpflags,nosmurfs
dmz   vmbr1     detect logmartians,bridge,routefilter
loc   vmbr2     detect logmartians,bridge,routefilter

/etc/shorewall/policy

# http://linux.die.net/man/5/shorewall-policy
#SOURCE DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
#                               LEVEL   BURST           MASK

# From Firewall Policy
fw      fw      ACCEPT
fw      net     ACCEPT
fw      dmz     ACCEPT
fw      loc     ACCEPT

# From DMZ Policy
dmz     dmz     ACCEPT
dmz     net     ACCEPT
dmz     fw      DROP            info
dmz     loc     DROP            info

# From Net Policy
net     fw      DROP            info
net     dmz     DROP            info
net     loc     DROP            info

# From Local Policy
loc     dmz     ACCEPT
loc     net     ACCEPT
loc     fw      ACCEPT

# THE FOLLOWING POLICY MUST BE LAST
#
all     all     REJECT          info

/etc/shorewall/rules

# http://linux.die.net/man/5/shorewall-rules
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
#
# Accept particular connections from Internet
#
# Permit access to SSH
SSH/ACCEPT net fw   -     -    -      -        6/min:5
#
# Permit access to Proxmox Manager and Console
ACCEPT     net fw  tcp    443,5900:5999,8006
#
# PING Rules
Ping/ACCEPT all all
#
# Permit traffic to - certain - VMs in DMZ
HTTP/ACCEPT net  dmz:$ADDITIONAL_SERVER_IP
SSH/ACCEPT  net  dmz:$ADDITIONAL_SERVER_IP
#
# LAST LINE -- DO NOT REMOVE

/etc/shorewall/masq

# implements NAT on vmbr1
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
eth0 192.168.0.0/24

/etc/shorewall/proxyarp

# vmbr0 apperars on the Internet
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
$ADDITIONAL_SERVER_IP vmbr0 eth0

/etc/shorewall/params

ADDITIONAL_SERVER_IP=12.34.56.56

Now we can start to build guests on the Proxmox web interface and all the guests will be behind the host's firewall.