Proxmox Virtual Environment
My Proxmox Virtual Environment Installation and Secure Configuration Guide
Introduction
No need to back up your Proxmox host. Always do a fresh install and fresh configuration using this documentation, as it provides a cleaner option for setup. It’s crucial to document everything for future reference, ensuring consistency and security with each installation.
1. Install Proxmox VE
To begin, you’ll need to install Proxmox VE on your host. Proxmox is a powerful, open-source virtualization platform that allows you to manage virtual machines and containers.
Installation Steps:
- Download the ISO:
  - Visit the Proxmox VE download page to download the latest ISO for Proxmox VE.
- Create a Bootable USB:
  - I encountered issues when trying to use Ventoy to install Proxmox. The installer couldn’t find the ISO correctly. So, I used Rufus to create the bootable USB.
  - Download and install Rufus, and create a bootable USB stick using the Proxmox ISO.
- Install Proxmox:
  - Boot the server from the USB stick.
  - Follow the installation wizard, and when asked, select ZFS as the file system for your installation.
  - Recommended FQDN: hostname.yourdomainname.com
  - Make sure to configure the IP address and DNS settings correctly during installation to match your network setup.
- Complete the Installation:
  - Once the installation is complete, the system will prompt you to remove the installation media.
  - Reboot the server and log into the Proxmox web interface.
2. Accessing Proxmox Web Interface
After installation, you can manage Proxmox via a web interface:
- Open a browser and go to:
  https://<Proxmox-IP>:8006
- Log in using the root username and the password you set during installation.
3. Disable Enterprise Repositories and Enable pve-no-subscription Repo
Proxmox offers enterprise repositories by default, but for non-subscribed users, you should switch to the pve-no-subscription repository to ensure access to the necessary updates without subscription fees.
Steps to Disable the Enterprise Repositories:
Disable the enterprise repositories from the GUI.
- Alternatively, edit the repository configuration file:
  nano /etc/apt/sources.list.d/pve-enterprise.list
- Comment out the existing line by adding a # at the beginning of the line, for example:
  # deb https://enterprise.proxmox.com/debian/pve stretch pve-enterprise
- Save and close the file.
Enable the pve-no-subscription Repository:
Enable the no subscription repository from the GUI.
Update the package list:
apt update
4. Install sudo and Add a Non-Root User
Before creating a non-root user, install the sudo package, as it may not be installed by default.
Install sudo:
- Install sudo using the following commands:
  apt update
  apt install sudo
- After installing sudo, proceed to create a new user.
Create a New Non-Root User:
- Create a new user by replacing username with your preferred username:
  adduser username
- Add the user to the sudo group to grant administrative privileges:
  usermod -aG sudo username
- Verify that the user is part of the sudo group:
  groups username
5. Disable Root Access via SSH
For security, it is recommended to disable root access via SSH.
Steps to Disable Root SSH Login:
- Edit the SSH configuration file:
  nano /etc/ssh/sshd_config
- Find the line containing PermitRootLogin and change it to no:
  PermitRootLogin no
- Restart the SSH service to apply the change:
  systemctl restart sshd
6. Disable Root Access via the Proxmox GUI
To enhance security, it’s also recommended to disable the root user from accessing the Proxmox web interface.
Before you do that, create a PAM user from the GUI, go to Permissions and give that user Admin access, then go back to Users and check the permissions. Then proceed with the following:
- Log in to the Proxmox Web Interface using the root account.
- In the Proxmox Web UI, go to Datacenter > Permissions > User.
- Locate the root user and click Edit.
- Uncheck the Enable box to disable the root account.
- Click Save to apply the changes.
7. Enable Two-Factor Authentication (2FA) for SSH
To further secure your Proxmox host, you can enable Two-Factor Authentication (2FA) for SSH logins.
Before you do that, enable 2FA for your PAM user from the GUI so that you don’t forget. Then proceed with the following:
Install Google Authenticator PAM Module:
- Install the Google Authenticator PAM module:
  apt install libpam-google-authenticator
- Configure SSH to use the Google Authenticator PAM module: (using su - user)
  - Edit the SSH configuration file:
    nano /etc/ssh/sshd_config
  - Ensure the following lines are present:
    KbdInteractiveAuthentication yes
    ChallengeResponseAuthentication yes
    UsePAM yes
- Edit the PAM configuration to include Google Authenticator: (using su - user)
  - Edit the PAM SSH configuration file:
    nano /etc/pam.d/sshd
  - Add the following lines at the bottom:
    # SSH to Use Google Authenticator
    auth required pam_google_authenticator.so
- Restart SSH to apply the changes:
  systemctl restart sshd
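A mistake in the files edited in steps 5 and 7 can lock you out over SSH, so the settings are worth checking before sshd is restarted. The script below is an added example, not part of the original guide: the function names effective_value and audit_ssh and the sample files are constructed for illustration. It reads a single file only, so on a live host sshd -T remains the way to see the fully resolved configuration.

```shell
#!/bin/sh
# Added example (not from the guide): audit the SSH settings from steps 5 and 7.
# sshd keeps the FIRST value it reads for a keyword, so a "PermitRootLogin no"
# appended below an earlier "PermitRootLogin yes" has no effect.

# effective_value 'name|alias' FILE: first uncommented global value, lowercased.
effective_value() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }                      # comment line
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) ~ ("^(" tolower(key) ")$") { print tolower($2); exit }
    ' "$2"
}

# audit_ssh SSHD_CONFIG PAM_FILE: prints findings, returns the failure count.
audit_ssh() {
    fails=0
    # ChallengeResponseAuthentication is the older alias of KbdInteractiveAuthentication.
    for want in "PermitRootLogin=no" "UsePAM=yes" \
        "KbdInteractiveAuthentication|ChallengeResponseAuthentication=yes"; do
        key=${want%%=*} expected=${want#*=}
        got=$(effective_value "$key" "$1")
        if [ "$got" = "$expected" ]; then
            echo "ok    $key = $got"
        else
            echo "FAIL  $key is '${got:-unset}', guide expects '$expected'"
            fails=$((fails + 1))
        fi
    done
    # The PAM line only counts when it is not commented out.
    if grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$2"; then
        echo "ok    pam_google_authenticator.so required in $2"
    else
        echo "FAIL  pam_google_authenticator.so not active in $2"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample files (not real host config) showing the first-match pitfall.
demo=$(mktemp -d)
printf '%s\n' 'PermitRootLogin yes' 'UsePAM yes' \
    'KbdInteractiveAuthentication yes' 'PermitRootLogin no' > "$demo/sshd_config"
printf '%s\n' '@include common-auth' \
    '#auth required pam_google_authenticator.so' > "$demo/pam_sshd"
audit_ssh "$demo/sshd_config" "$demo/pam_sshd" || echo "failures: $?"
# On the host itself: audit_ssh /etc/ssh/sshd_config /etc/pam.d/sshd
```

Keep the current root or console session open while running the check and while testing the new login in step 9, so a failed setting can still be corrected.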
8. Configure Google Authenticator
Now that you’ve enabled 2FA, configure Google Authenticator for your user.
- Log in as your user (username):
  su - username
- Run the following command to set up Google Authenticator:
  google-authenticator
- Follow the prompts to:
  - Scan the QR code with the Google Authenticator app on your phone.
  - Save the emergency scratch codes in case you lose access to the app.
9. Test SSH Access with 2FA
To ensure 2FA is working correctly, test logging in via SSH from another terminal or machine:
ssh username@<Proxmox-IP>
- After entering your password, you’ll be prompted to enter a verification code generated by the Google Authenticator app.
For the official PVE documentation, go to the PVE GUI and click Documentation in the top right corner.