
Proxmox on a server from STRATO

Network setting and SSH server

This page covers the network settings and the secure configuration of the SSH server on the Proxmox host. It builds on the installation of Proxmox in a VM at home from the previous step. How to secure network ports against access from the Internet is shown on the following page.

Find the current network settings of the STRATO server

After the initial setup, the STRATO server can be accessed via SSH. This currently happens on port 22 with the “root” password that was set in the server login.
STRATO has assigned the server certain network settings that must be transferred to Proxmox. We can only find them out by running a few commands in the Linux shell. As already explained, these settings cannot be applied to the VM at home yet. It is still better to copy them now, so that they are at hand in the transfer step to the server, and so that I can refer to them in the explanations and it is clear where each one is set.
STRATO assigned an IP address to the server, together with a route through which the server communicates with the Internet. At the end of the route, Internet access goes through the “gateway”. The combination of IP address and subnet (CIDR notation) always carries a "/32" postfix. With this prefix length the server can only talk to the gateway via the route; communication with other servers inside the STRATO data center is not possible.
In the original configuration the server receives all settings via DHCP. The DNS server is required so that the server can resolve names like “strato.de”. STRATO preset one; another public one can also be used here.
Below I show a chain of commands that queries all the necessary data. First the configured DNS servers are shown, then the default route, which also tells us the gateway. Then follows the output of the interfaces, where we find the server's IP address at “eno1”. Lastly, the “hosts” file and the host name are output. This should already match the one in the VM.

The command line is:

cat /etc/resolv.conf && ip route && \
ip a && cat /etc/hosts && cat /etc/hostname

Output: (data changed for demo use)

domain stratoserver.net
search stratoserver.net
nameserver 81.169.163.106
nameserver 85.214.7.22
nameserver 81.169.148.34
default via 85.214.254.42 dev eno1 
85.214.254.42 dev eno1 scope link 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 00:ab:cd:ef:01:22 brd ff:ff:ff:ff:ff:ff
    altname enp0s25
3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:ab:cd:ef:01:01 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    inet 85.214.5.42/32 brd 85.214.5.42 scope global dynamic eno1
       valid_lft 66927sec preferred_lft 66927sec
127.0.0.1   localhost
127.0.1.1   h0000000.stratoserver.net   h0000000

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
h0000000.stratoserver.net
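As an added example that is not part of the original page, the following shell script pulls the values listed above (nameservers, default gateway, interface, address with prefix length, host name) out of the command output so that nothing has to be copied by hand. By default it runs against a constructed sample modelled on the demo output shown above; with `--live` it reads the real files and commands on the host. The function names are my own.

```shell
#!/bin/sh
# Added example: extract the network values the tutorial says to note down.
# The SAMPLE_* strings are constructed for this example (demo values).

SAMPLE_RESOLV='domain stratoserver.net
search stratoserver.net
nameserver 81.169.163.106
nameserver 85.214.7.22'

SAMPLE_ROUTE='default via 85.214.254.42 dev eno1
85.214.254.42 dev eno1 scope link'

SAMPLE_IPA='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
3: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 85.214.5.42/32 brd 85.214.5.42 scope global dynamic eno1'

SAMPLE_HOSTNAME='h0000000'

# Nameservers from resolv.conf text, space separated, in file order
nameservers() {
    printf '%s\n' "$1" | awk '$1=="nameserver"{printf "%s%s", (n++?" ":""), $2} END{print ""}'
}

# Gateway of the default route ("default via <gw> dev <if>")
default_gateway() {
    printf '%s\n' "$1" | awk '$1=="default" && $2=="via"{print $3; exit}'
}

# Interface named after "dev" on the default route
default_iface() {
    printf '%s\n' "$1" | awk '$1=="default"{for(i=1;i<NF;i++) if($i=="dev") print $(i+1); exit}'
}

# Global IPv4 address with prefix length of the given interface ($1) from "ip a" text ($2);
# the interface name is the last field of the "inet ... scope global" line
iface_cidr() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $1=="inet" && $0 ~ /scope global/ { if ($NF==want) {print $2; exit} }'
}

# Prefix length of an address in CIDR notation; "32" means only the gateway is on-link
prefix_len() {
    printf '%s\n' "$1" | sed 's|^[^/]*/||'
}

# Use the real host data with --live, otherwise the constructed sample
if [ "${1:-}" = "--live" ]; then
    RESOLV=$(cat /etc/resolv.conf); ROUTE=$(ip route); IPA=$(ip a); HOST=$(cat /etc/hostname)
else
    RESOLV=$SAMPLE_RESOLV; ROUTE=$SAMPLE_ROUTE; IPA=$SAMPLE_IPA; HOST=$SAMPLE_HOSTNAME
fi

IFACE=$(default_iface "$ROUTE")
CIDR=$(iface_cidr "$IFACE" "$IPA")
printf 'interface:   %s\naddress:     %s (prefix /%s)\ngateway:     %s\nnameservers: %s\nhostname:    %s\n' \
    "$IFACE" "$CIDR" "$(prefix_len "$CIDR")" "$(default_gateway "$ROUTE")" "$(nameservers "$RESOLV")" "$HOST"
```

The five printed lines are exactly the values that later go into the "enp0s3" / "eno1" stanza of /etc/network/interfaces and into the DNS setting, so keeping this output with the screenshots from step 01 saves a second visit to the server.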

Configuration of the network for the Proxmox

There are different variants for configuring the Proxmox network. As mentioned during installation, a typical variant is set up initially (variant 1 below). It is ideal for a server on the internal network, but cannot be used for a server on the Internet. Variant 2 may also be useful internally; for the server on the Internet, however, it is a prerequisite for using the virtual guests at all. Therefore it is shown below how Proxmox is reconfigured to the other variant.

Variant 1 - Bridged networking

This is the default variant. In the network settings a "Linux Bridge" (vmbr0) is installed. All settings such as IP address, subnet mask and gateway IP address are placed on it. For bridge mode, the interface to be bridged is also named. In the installation on the STRATO server this is the "eno1" interface; on the VM at home (see screenshots in step 01) it was "enp0s3". That interface carries no IP address itself and is displayed in the web configuration as "Active: No".
The "bridging" makes the host act like a network switch. On a local network, each guest is reached transparently via its own IP address, taken from the same network that the Proxmox host uses. Advantage: no port forwarding is necessary; you just use the guest's IP address. This works in a private network, but not on the Internet: there is only one IP address for the host, which is also its address on the Internet, so it is not possible to add addresses of your own.

Variant 2 - NAT network

In the “NAT network” variant, the “bridge” is used without a connection to the real interface. An IP address is defined in the settings of the “Linux Bridge”, and a subnet mask is chosen depending on how many guests should use this network (note: it is a single setting in CIDR notation). This creates a virtual network that Proxmox offers to its guests. The guests are in a private network and cannot be reached from outside, which among other things brings a bit of security. However, all guests in such a network can communicate with each other, and so can the Proxmox host. There is no automatic IP address assignment (DHCP); in this case I installed one as a container. The IP address specified on the host is, among other things, the gateway address of the guests, which reach the Internet through the Proxmox host.
To allow access from outside, a forwarding must be set up on the Proxmox host for each port of each guest. The respective services can then be reached via the host name / public IP (eno1) of the Proxmox host plus the port.
By the way, a "NAT network" can exist next to other networks, e.g. a bridge as in variant 1. Where the IP settings that were on "vmbr0" in variant 1 end up depends on the setup. If you added a new interface in parallel (vmbrN), the IP settings probably remain on vmbr0. But (see below) you can also use only virtual networks in NAT mode and move the IP settings for the STRATO network / the VM network (at home) to the "eno1" / "enp0s3" interface. This is then shown in the web interface as “Active: Yes”.

Changes required for the configuration to use it in the Internet

When Proxmox is installed on a server on the Internet, the configuration of the network interfaces must be changed. After the setup there is a so-called "Linux Bridge" configured as in variant 1. This bridge is reconfigured for variant 2 so that the host is reachable on the real interface and the bridge provides the virtual network for the guests. The settings are made now while keeping the IP addresses of the VM at home; later, during the installation, only the IP addresses are modified again. The editing happens in the configuration file “/etc/network/interfaces”.
As seen below, move the IP address from "vmbr0" to "enp0s3". Do the same with the gateway setting, which is no longer needed on “vmbr0”. For "vmbr0", change the line "bridge-ports" from "enp0s3" to "none" and set the "address" field to a freely chosen address. I chose a private one with a 9 in the third segment because it is an uncommon private network range, so it is probably not used anywhere else; this matters to prevent address overlap. The "/24" is the subnet and gives me 253 virtual IP addresses for guests. What is still missing is the ability to forward traffic (in general). That is what the "post-up" and "post-down" lines are for.
Once this is saved, the VM must be restarted once to apply the changes to the interfaces. Afterwards, Proxmox should still be accessible via the web interface and SSH as usual.

More information about configuring the network can be found here...

root@h0000000:~# cat /etc/network/interfaces
auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
    address 192.168.55.4/24
    gateway 192.168.55.1

auto vmbr0
iface vmbr0 inet static
    address 192.168.9.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up   iptables -t nat -A POSTROUTING -s '192.168.9.1/24' -o enp0s3 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '192.168.9.1/24' -o enp0s3 -j MASQUERADE
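The file above contains only the MASQUERADE rule that lets guests reach the Internet. As an added example (not the page's own configuration), the script below renders the complete set of post-up/post-down lines for vmbr0, including the per-guest port forwards that the text mentions but does not show: a DNAT rule on the public interface plus a matching FORWARD accept, each with its symmetric -D counterpart for post-down. The interface name enp0s3 and the network 192.168.9.0/24 match the file above; the guest addresses 192.168.9.10 and 192.168.9.11, the public ports and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: generate post-up / post-down hooks for a NAT bridge (vmbr0)
# with optional per-guest TCP port forwards. Values below are constructed.

PUB_IF=enp0s3            # real interface carrying the public address
NAT_NET=192.168.9.0/24   # network of vmbr0 (page writes 192.168.9.1/24; iptables normalises both)

# Print the two iptables commands for one forward.
# $1 = A (add) or D (delete), $2 = public TCP port, $3 = guest IP, $4 = guest port
forward_rules() {
    act=$1; pub_port=$2; guest=$3; guest_port=$4
    # Rewrite the destination of new connections arriving on the public interface
    printf 'iptables -t nat -%s PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$act" "$PUB_IF" "$pub_port" "$guest" "$guest_port"
    # Allow the rewritten packets to be forwarded into the bridge; harmless while the
    # FORWARD policy is ACCEPT, required once a firewall sets it to DROP
    printf 'iptables -%s FORWARD -i %s -o vmbr0 -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$act" "$PUB_IF" "$guest" "$guest_port"
}

# Render the lines to paste under "iface vmbr0 inet static".
# Arguments: zero or more "publicport:guestip:guestport" triples
render_vmbr0_hooks() {
    printf '    post-up   echo 1 > /proc/sys/net/ipv4/ip_forward\n'
    printf '    post-up   iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$NAT_NET" "$PUB_IF"
    printf '    post-down iptables -t nat -D POSTROUTING -s %s -o %s -j MASQUERADE\n' "$NAT_NET" "$PUB_IF"
    for spec in "$@"; do
        pp=${spec%%:*}; rest=${spec#*:}; g=${rest%%:*}; gp=${rest#*:}
        forward_rules A "$pp" "$g" "$gp" | sed 's/^/    post-up   /'
        forward_rules D "$pp" "$g" "$gp" | sed 's/^/    post-down /'
    done
}

# Example: public 8080 -> web guest port 80, public 2201 -> another guest's SSH
render_vmbr0_hooks 8080:192.168.9.10:80 2201:192.168.9.11:22
```

Every rule added in post-up is removed again in post-down with the identical match, so bringing vmbr0 down and up does not leave duplicate NAT entries behind. Forwarded services are then reached as described above, via the public address of the host plus the chosen public port.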

Changing the SSH configuration

The SSH setup should now also be changed. So far the server runs with the default settings like any Linux. Now the SSH port and the authentication options for the user "root" are changed. Changing the SSH port is not absolutely necessary and does not by itself mean more security. However, attackers often only try the standard port automatically. Furthermore, I want to set a trap in front of the attackers that does not attack them back, but stops their automatic scripts from doing their work. Since the standard SSH port should of course be used for that trap, the SSH server for real use must be moved to a different port.
Since access via SSH then becomes more complex, I show how to make access very easy.

Making changes to the SSHD

To change the port and the authentication method for the user "root", edit the configuration of the SSH server on Proxmox under "/etc/ssh/sshd_config". Changing the authentication for root is important because password authentication is less secure. Hopefully a strong password has been set; nevertheless, passwords remain more insecure than SSH's public key method. With it, a key pair is created on the computer at home and its public key is stored on the server. This key is much more complex than a password and therefore more secure. It also allows us to log in to the system without entering a password.
On normal Debian systems, login of the user "root" with password authentication is not allowed; normally only the above-mentioned public key login is permitted. The intention is to protect the “root” user in particular, because you can do anything with it. In protected networks, such as the home network, you can later also allow root to log in using a password. Proxmox is a strange exception here: by default, “root” can log in with a password. Unfortunately, this is not acceptable for a server on the Internet. That is why I explicitly set that root can only log in with a public key. I also apply this to the other users of the Linux system. Logging in with a password is still possible for all users via the screen input or later via the serial console.
The output below shows which lines I changed in the configuration. After saving the file, the settings do not apply until SSH is restarted. I waited until I had finished all the steps shown here; see the note below.

diff /etc/ssh/sshd_config /etc/ssh/sshd_config.new
15c15
< #Port 22
---
> Port 2222
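Review bot: `Port 2222` only helps if the firewall in front of the host (see the firewall page) admits TCP 2222 before sshd is restarted; otherwise the restart described at the end of the page cuts off remote access and only the VM screen or serial console remains. Worth stating next to this hunk which firewall rule has to change together with it.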
34c34
< PermitRootLogin yes
---
> PermitRootLogin prohibit-password
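Review bot: `PermitRootLogin prohibit-password` is the line that actually protects root: it refuses password logins for root on its own, independent of the global `PasswordAuthentication` setting further down, so it keeps working even if password login is re-enabled for other users later. The text says root is restricted explicitly but does not say that this hunk is sufficient by itself.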
39c39
< #PubkeyAuthentication yes
---
> PubkeyAuthentication yes
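Review bot: `PubkeyAuthentication yes` is already sshd's compiled-in default while the line is commented out, so this hunk changes no behaviour; keeping it uncommented is fine as documentation of intent, but it should not be counted among the changes that make the login safer.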
58c58
< #PasswordAuthentication yes
---
> PasswordAuthentication no
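Review bot: with `PasswordAuthentication no` in place, a typo anywhere in the edited file means sshd will not come back after the restart and only console access remains. Run `sshd -t -f /etc/ssh/sshd_config.new` on the host first, and keep one existing SSH session open while opening a second one with the key, to confirm the key login works before the restart.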

Install the public key of the client

To keep access for the "root" user, a public key from a computer that is used to manage Proxmox must be installed for the "root" user on Proxmox. If you don't know whether your local Linux user has a public key, enter ls ~/.ssh/ in a terminal and check whether (usually) the file "id_rsa.pub" exists. If it doesn't, or you get the error that the directory doesn't exist, you don't yet have a public key for the Linux user.
You create a public key by executing ssh-keygen. The tool then asks you for a passphrase; you can leave it empty and simply press Enter. The key pair is then created.
Copying the public key to the Proxmox "root" user is done with ssh-copy-id root@<IP address-VM host>, replacing the placeholder with the IP address of the host that hosts the Proxmox VM. This should be done for the host computer because it still needs access during the preparations. It is also advisable to equip another computer with a public key and copy it to Proxmox with the same command and IP address; it can later be used as a “proxy” computer for administration. Once this is done, you can log in as “root” with a public key and without a password.

Simple login to SSH with a client config

In the configuration of the Proxmox SSHD I changed the SSH port (see above). This means that clients will always have to specify the changed port in the future. To get rid of this annoying setting and no longer have to specify a user, you can create a configuration on the client. I also want to prevent the management function from being reachable on the Internet later. However, port 8006 should still be available to me so that I can manage Proxmox. SSH allows port forwarding through the SSH tunnel. The command-line option for this is not so convenient that you want to enter it with every connection, and it is much easier to store in the client's configuration. The result of the config and the public key registration shown above is that you can simply log in to SSH without prompts, without entering a user or password, and with the Proxmox management port available locally.
All this is achieved by creating a configuration under "~/.ssh/config" on the managing computer, or on the system where the VM is prepared, for the Linux user who is logged in. If no entry was ever created, the file is usually missing. Below is an entry to add to the (empty) file. A name of your choice goes after “Host”; after any SSH command ("ssh", "ssh-copy-id", "scp", "sshfs", ...) this name can then be completed by autocompletion. For "HostName" either the host name of the STRATO server is entered or, during preparation, the IP address of the computer hosting the VM. "User" names the user on Proxmox to log in as; this eliminates the "root@....." prefix in the command. "Port" takes into account the port change made on the Proxmox SSHD (see above). "LocalForward" sets up the port forwarding: whenever something on this computer connects to local port 8006, the connection goes through the tunnel and the Proxmox server delivers it to "127.0.0.1:8006", i.e. to itself.
Once the file with the settings has been saved, you can use the setting immediately.

Host stratoserver
    Hostname h0000000.stratoserver.net
    User root
    Port 2222
    LocalForward 8006 127.0.0.1:8006

Now it is time to apply the configuration of the SSHD on Proxmox by restarting the SSH server. Better do this from the VM's screen, because the restart means the connection is lost. The configured client should then be able to log in with a simple “ssh stratoserver”. If that doesn't work, you can reset the settings on the VM screen and regain the connection by restarting the SSH server.
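As an added example, not from the page: a pre-restart check that reads a candidate sshd_config, reports whether the four directives changed above carry the intended values, and then runs sshd's own syntax test. The two sample configuration files (a hardened and a weak one) are constructed inline; the function names are mine. The effective value is taken as the first uncommented occurrence of a keyword, which is how sshd resolves duplicates; on the host, `sshd -T` prints the values actually in effect, including anything pulled in by an Include line.

```shell
#!/bin/sh
# Added example: verify the sshd hardening directives before restarting sshd.
# Sample config files are constructed in temp files for demonstration.

# Effective value of a keyword in a file: first non-comment line whose first
# word matches (keywords are case-insensitive), value lower-cased; empty if unset.
effective() {  # $1 = keyword, $2 = file
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ {next}
        { if (tolower($1)==key) { print tolower($2); exit } }' "$2"
}

# Returns 0 when every expected directive has the expected value, 1 otherwise,
# printing one MISMATCH line per deviation.
check_hardening() {  # $1 = file
    rc=0
    for pair in port=2222 permitrootlogin=prohibit-password \
                pubkeyauthentication=yes passwordauthentication=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective "$key" "$1")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: expected '$want', got '${got:-<unset>}'"
            rc=1
        fi
    done
    return $rc
}

# Routine to run on the host: directive check, then sshd's syntax test of the
# candidate file (sshd -t -f) so a typo cannot leave the host without sshd.
prerestart_check() {  # $1 = candidate file (default: /etc/ssh/sshd_config)
    f=${1:-/etc/ssh/sshd_config}
    check_hardening "$f" || return 1
    /usr/sbin/sshd -t -f "$f" || return 1
    echo "OK: $f passes; restart sshd from the VM screen or serial console"
}

# Constructed samples: one hardened as on the page, one left at Proxmox defaults
HARDENED=$(mktemp); cat > "$HARDENED" <<'EOF'
# Include /etc/ssh/sshd_config.d/*.conf
Port 2222
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
EOF
WEAK=$(mktemp); cat > "$WEAK" <<'EOF'
#Port 22
PermitRootLogin yes
#PubkeyAuthentication yes
#PasswordAuthentication yes
EOF
trap 'rm -f "$HARDENED" "$WEAK"' EXIT

check_hardening "$HARDENED" && echo "hardened sample: all four directives as intended"
check_hardening "$WEAK" || echo "weak sample: rejected (see MISMATCH lines above)"
```

On the host, call prerestart_check with the path of the edited file (for example the sshd_config.new from the diff above) and restart sshd only when it prints OK; the check is cheap enough to keep in a script next to the configuration and rerun after every later edit.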