Tinfoil-hat.net
A secure home for every tinfoil-hat

In this post I'm showing you how to create a Proxmox host which is reachable through the internet. It presupposes you have Proxmox already installed on your server:

1. Access and Update the Server

  1. Create and copy your SSH Key
  2. Connect with SSH Key
  3. Upgrade Server
apt-get update && apt-get dist-upgrade -y

2. Harden SSH:

  1. Install UFW
  2. Allow port 22 (SSH port) with protocol TCP
  3. Reload and activate UFW
  4. Add a user
  5. Install sudo
  6. Add the new user to the sudo group
apt-get install ufw
ufw allow 22/tcp
ufw enable
adduser yourusername
apt-get install sudo
adduser yourusername sudo
nano /etc/ssh/sshd_config
  • Now edit / insert the following:
PermitRootLogin no
MaxAuthTries 6
AllowUsers yourusername
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
  • Now reload SSH via:
systemctl restart sshd
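As an added example (not part of the original post), here is a small POSIX shell script that applies the sshd_config settings listed above idempotently, shows the value sshd will actually use, and validates the file with `sshd -t` before restarting. The file path and the allowed user name are arguments; `yourusername` is the post's placeholder. On releases newer than Debian 10 that ship an `Include /etc/ssh/sshd_config.d/*.conf` line, drop-in files are read first and can override these values, so compare against `sshd -T` afterwards.

```shell
#!/bin/sh
# Added example, not from the original post. Sets the hardening options from the
# step above in an sshd_config file and validates it before sshd is restarted.

# set_sshd_option FILE KEY VALUE: rewrite an existing (possibly commented-out)
# "KEY ..." line, or append the line if the key is not present at all.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        # rewrite every such line so no duplicate with another value survives
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY: print the effective value of KEY. sshd uses the
# first uncommented occurrence of a keyword, so that is what we report.
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd_config [FILE] [USER]: apply the six settings from the post.
harden_sshd_config() {
    file=${1:-/etc/ssh/sshd_config}
    user=${2:-yourusername}     # placeholder user name from the post
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" MaxAuthTries 6
    set_sshd_option "$file" AllowUsers "$user"
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" PermitEmptyPasswords no
    set_sshd_option "$file" PubkeyAuthentication yes
}

# apply_and_restart [FILE]: let sshd parse the file first; a broken config would
# otherwise leave you locked out. Keep the current session open and confirm a
# second login with the key works before closing it.
apply_and_restart() {
    file=${1:-/etc/ssh/sshd_config}
    if sshd -t -f "$file"; then
        systemctl restart sshd
    else
        echo "sshd_config is invalid, not restarting" >&2
        return 1
    fi
}

# Usage on the real host (as root):
#   harden_sshd_config /etc/ssh/sshd_config yourusername && apply_and_restart
#   sshd -T | grep -iE 'permitrootlogin|passwordauthentication'   # effective values
```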

3. Geoblocking unwanted Visitors:

Attention: Run in screen, this takes a large amount of time!

  1. Install screen and git
  2. Copy blacklist sources
  3. Change directory to copied Sources
  4. Create a screen session (if the SSH session is interrupted, the command isn't cancelled)
  5. This is a while loop in Bash and will deny connections from the IP addresses in this file. This step may take 1 to 2 hours to complete.
    • After you have executed the command, you can send screen to the background with: CTRL+a, d
apt-get install screen git
git clone https://git.tinfoil-hat.net/tinfoil-hat/ip-backlist-china-and-russia
cd ip-backlist-china-and-russia/
screen -S blocklist
while read -r line; do sudo ufw deny from "$line"; done < blocklist.txt && bash block_china_ufw.sh
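As an added example (not part of the original post or of the cloned repository), here is a safer replacement for the one-line loop above. It validates every entry of blocklist.txt before handing it to ufw and skips comments and blank lines, so a stray line can never end up as an argument to ufw. It also inserts the deny rules at position 1: ufw evaluates rules in order and the first match wins, so a deny rule appended after the `allow 22/tcp` rule from step 2 would never block port 22 for those ranges. Position 1 requires that at least one rule already exists, which that allow rule provides. The example handles IPv4 only; IPv6 entries are reported and skipped. `UFW_CMD` is an assumed override for dry runs (set it to `echo` to only print the rules).

```shell
#!/bin/sh
# Added example, not from the original post. Applies a blocklist to ufw with
# input validation and with the deny rules placed before existing allow rules.

# is_ipv4_cidr ENTRY: succeed if ENTRY is a.b.c.d or a.b.c.d/nn with sane ranges.
is_ipv4_cidr() {
    entry=$1
    case "$entry" in
        ''|*[!0-9./]*) return 1 ;;       # empty, or characters other than digits . /
    esac
    ip=${entry%%/*}
    if [ "$ip" != "$entry" ]; then
        prefix=${entry#*/}
        case "$prefix" in ''|*/*|*[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    old_ifs=$IFS
    IFS=.
    set -- $ip                           # split the address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# apply_blocklist FILE: insert a deny rule for every valid entry in FILE.
# Sets BLOCKLIST_APPLIED and BLOCKLIST_SKIPPED for the caller. Lines starting
# with '#', trailing '# ...' comments, blank lines and CRLF endings are tolerated.
apply_blocklist() {
    file=$1
    cmd=${UFW_CMD:-ufw}                  # assumed override: UFW_CMD=echo for a dry run
    BLOCKLIST_APPLIED=0
    BLOCKLIST_SKIPPED=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                             # drop comments
        line=$(printf '%s' "$line" | tr -d ' \t\r')  # strip blanks and CR
        [ -z "$line" ] && continue
        if is_ipv4_cidr "$line"; then
            # first match wins in ufw, so place the deny ahead of "allow 22/tcp"
            $cmd insert 1 deny from "$line" to any
            BLOCKLIST_APPLIED=$((BLOCKLIST_APPLIED + 1))
        else
            printf 'skipping malformed or non-IPv4 entry: %s\n' "$line" >&2
            BLOCKLIST_SKIPPED=$((BLOCKLIST_SKIPPED + 1))
        fi
    done < "$file"
}

# Usage on the real host (as root, inside screen as the post suggests):
#   apply_blocklist blocklist.txt
#   echo "applied=$BLOCKLIST_APPLIED skipped=$BLOCKLIST_SKIPPED"
```

`ufw status numbered` afterwards should list the deny rules above the `22/tcp` allow rule; if they appear below it, the port is still reachable from those ranges.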

4. (Optional) Make the SSH port accessible only via a VPN connection or your static IP:

  1. Use / download the OpenVPN script: angristan/openvpn-install
  2. Change directory to the OpenVPN script
  3. Make the script executable
  4. Run the OpenVPN script
  5. Allow SSH traffic from your OpenVPN connection
  6. Allow SSH traffic from your static IP address (if you have one at home)
  7. Change the log level of your UFW so that the log files don't get gigantic.
  8. Edit /etc/default/ufw
git clone https://github.com/angristan/openvpn-install
cd openvpn-install/
chmod +x openvpn-install.sh
./openvpn-install.sh
ufw allow from 10.8.0.0/24 to any port 22
ufw allow from *staticip* to any port 22
ufw logging low
nano /etc/default/ufw
  • Allow forwarding through your VPN connection, so that you don't end up without an internet connection while connected to your VPN
DEFAULT_FORWARD_POLICY="ACCEPT"
  9. Edit /etc/network/interfaces
nano /etc/network/interfaces
  • Add the following text under your main interface:
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
  • This line will also allow you to access the internet when connected through your VPN

5. Convert your Debian 10 Server to Proxmox 6

  1. Add an /etc/hosts entry for your IP address
    • Note: Make sure that no IPv6 address for your hostname is specified in /etc/hosts.
    • For instance, if your IP address is 192.168.15.77, and your hostname prox4m1, then your /etc/hosts file should look like:
127.0.0.1       localhost.localdomain localhost
192.168.15.77   prox4m1.proxmox.com prox4m1

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
  • You can test if your setup is OK using the hostname command:
hostname --ip-address
192.168.15.77 # should return your IP address here
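As an added example (not part of the original post), here is a POSIX shell check for the /etc/hosts requirement above: the hostname must map to exactly one IPv4 address and must not appear on any IPv6 line. The file path and hostname are passed as arguments; the hosts content used for testing is constructed from the sample above.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies that a hosts file maps a
# hostname to exactly one IPv4 address and to no IPv6 address.

# hosts_ipv4_for FILE HOST: print every IPv4 address whose line names HOST
# (as canonical name or alias); comments are ignored.
hosts_ipv4_for() {
    awk -v h="$2" '
        { sub(/#.*/, "") }                 # strip comments, $0 is re-split
        NF < 2 { next }
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            for (i = 2; i <= NF; i++) if ($i == h) { print $1; break }
        }' "$1"
}

# hosts_ipv6_for FILE HOST: the same for IPv6 lines (address contains a colon).
hosts_ipv6_for() {
    awk -v h="$2" '
        { sub(/#.*/, "") }
        NF < 2 { next }
        $1 ~ /:/ {
            for (i = 2; i <= NF; i++) if ($i == h) { print $1; break }
        }' "$1"
}

# check_hosts FILE HOST: 0 when exactly one IPv4 and no IPv6 mapping exists,
# otherwise a message on stderr and 1.
check_hosts() {
    v4=$(hosts_ipv4_for "$1" "$2" | sort -u | wc -l | tr -d ' ')
    v6=$(hosts_ipv6_for "$1" "$2" | sort -u | wc -l | tr -d ' ')
    if [ "$v4" -ne 1 ]; then
        echo "expected exactly one IPv4 entry for $2 in $1, found $v4" >&2
        return 1
    fi
    if [ "$v6" -ne 0 ]; then
        echo "$2 also appears on $v6 IPv6 line(s) in $1; remove them first" >&2
        return 1
    fi
    return 0
}

# Usage on the real host:
#   check_hosts /etc/hosts "$(hostname)" && hostname --ip-address
```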
  2. Adapt your sources.list
  • Add the Proxmox VE repository:
echo "deb http://download.proxmox.com/debian/pve buster pve-no-subscription" > /etc/apt/sources.list.d/pve-install-repo.list
  3. Add the Proxmox VE repository key:
wget http://download.proxmox.com/debian/proxmox-ve-release-6.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-6.x.gpg
chmod +r /etc/apt/trusted.gpg.d/proxmox-ve-release-6.x.gpg  # optional, if you have a non-default umask
  4. Update your repository and system by running:
apt update && apt full-upgrade
  5. Install the Proxmox VE packages
apt install proxmox-ve postfix open-iscsi
  6. Recommended: remove the os-prober package
    • The os-prober package scans all the partitions of your host, including those assigned to guest VMs, to create dual-boot GRUB entries. If you didn't install Proxmox VE as dual boot beside another operating system, you can safely remove the os-prober package.
apt remove os-prober
  7. Update and check the grub2 config by running:
update-grub

Now Reboot:

reboot

6. Enter Proxmox Management UI

  1. Allow the Proxmox management port (8006) to be open
  2. Reload UFW
  3. After that, your management web interface should be reachable in your browser under https://your-ip-address:8006/
ufw allow 8006/tcp
ufw reload

7. Configure Proxmox

  1. Edit the file /etc/network/interfaces
  • Paste the following (if your main interface is eth0)
  • Notice that I moved the part post-up echo 1 > /proc/sys/net/ipv4/ip_forward from the hardware interface to the newly created Linux bridge (vmbr1)
auto vmbr1
iface vmbr1 inet static
        address  10.10.10.254
        netmask  255.255.255.0
        bridge-ports none
        bridge-stp off
        bridge-fd 0

        dns-nameservers 208.67.222.222 208.67.220.220

        post-up echo 1 > /proc/sys/net/ipv4/ip_forward

        post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eth0 -j MASQUERADE

Now Reboot:

reboot
  • Your network configuration in your web interface should now look something like this:

[Screenshot: network configuration in the Proxmox web interface]

To be continued …


GPG-Fingerprint: F1AB 723C 635B 792F E18A EED8 6259 5B76 EE31 15F2
Git Repo
IRC #uugrn tinfoil-hat
chrissly90@jabber.nchristian.net
Mail: mail@tinfoil-hat.net
Legal