In this tutorial I will guide you step by step through securing your Proxmox VE server with Duo push authentication. Once it is set up, logging in to the Proxmox VE server (over SSH and in the web interface) will additionally require confirming a push notification from Duo Security (Duo) on your mobile phone. With small modifications to the process, it should also be possible to use Twilio as the second-factor channel at the login level.
Duo account setup and configuration
Be aware of the initial requirements:
- You need at least a Duo Free account from https://duo.com, with your mobile phone enrolled.
- After registering and enrolling your phone, log in to the Duo admin panel and create a new user. As you would guess, this is the root user, because that is the account you log in to Proxmox VE with.
- Assign your phone to this user; this is the device the push notifications will go to. If you lose the phone, you can always set the user's Status to Bypass in the admin panel, which skips the second factor for that user until you change it back.
- If you own a YubiKey, you can also assign it to the new user as a backup factor.
- Now define a new application in Duo; this is what the server will authenticate against.
Since we are protecting a *NIX system, the type is Unix Application.
Name it whatever you like; I suggest naming the application PROXMOX.
- The most important part is under Details: the Integration key (ikey), Secret key (skey) and API hostname. These three values go into the configuration on the Proxmox VE machine. Treat the secret key like a password; anyone holding it can talk to the Duo API as your application.
- You are now ready for the rest of the configuration, which happens on the Proxmox VE box. I assume Proxmox VE is running and reachable over SSH, so connect to it with SSH; it makes the configuration easier.
I also suggest installing nano on Proxmox VE for editing text files: apt install nano
PROXMOX VE box configuration
- First, connect to your Proxmox VE over SSH (or the console if necessary). I suggest SSH with PuTTY for easy copy and paste. Keep this session open until the very end: if the PAM change goes wrong, it is your way back in.
We need to prepare the system to accept software from Duo Security. Execute the few commands below in your shell:
Create a repository list file for the Duo packages.
In the list file add the new repository:
Save with CTRL+X and confirm with Y.
Update the package database and install the new package we need. You could also compile it from source, but why? Use the packages prepared for jessie (Proxmox VE 4.4, Debian 8) or for stretch (Proxmox VE 5.x, Debian 9); just set the distribution name in your list file accordingly. Also import Duo's repository signing key before running apt, otherwise the packages are treated as unauthenticated.
- With the PAM module installed, the next step is to change how logins to the system are performed.
Edit /etc/pam.d/common-auth with nano
and add the new line at the very end of the file. The order matters: the existing pam_unix line verifies the user's password first, and only then does pam_duo ask Duo for the second factor.
- That change alone already protects the system, since common-auth is included by nearly every PAM service, but we still need to tell pam_duo how to reach Duo. Make sure you are still in your SSH session; do not close it.
If you want to protect only SSH, add the same line to /etc/pam.d/sshd right after the line that includes common-auth; that affects SSH only. I suggest keeping it in common-auth to protect everything, including the web interface. Two caveats either way: PAM's auth stack, and therefore pam_duo, only runs for password logins, so an SSH login with a public key skips Duo entirely (Duo's separate login_duo tool exists to cover that case). And Duo's documentation requires UsePAM yes and ChallengeResponseAuthentication yes in /etc/ssh/sshd_config, so check both before testing.
Now create the Duo configuration, the place where the secret values from Duo are stored. After the installation you should have the /etc/duo directory, and in it the pam_duo.conf file; if it is missing, create it.
We want every authentication request pushed automatically to the phone, so make sure the phone is enrolled and at hand. If something goes wrong, you can always set the user to Bypass on the Duo admin website. The file should look like the one below; replace ikey, skey and host with your own values from the application's Details page, and make the file readable by root only (chmod 600), because skey is a secret.
Two more options worth setting in the same pam_duo.conf: prompts = 1 limits the number of confirmation attempts per login, and failmode decides what happens when the Duo API is unreachable (the default, safe, lets the login succeed with only the password; secure denies it). Note that /etc/duo/login_duo.conf only configures Duo's login_duo command, not the PAM module, so options placed there have no effect on PAM logins.
- You are essentially done. Test the configuration: keep the existing SSH session open, start a second session in PuTTY and connect as the root user. Enter the password and wait a moment; if everything is set up as expected, a push request arrives on your phone. Confirm it and you are in. If it does not work, reloading the sshd service may be necessary; use the first session to look for pam_duo messages in /var/log/auth.log.
- Now go to the Proxmox web interface, log out if you are logged in, and log in again as root using the Linux PAM realm. You should receive a push notification here as well; if so, everything is set up.
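The whole box-side procedure, as an added shell script that is not part of the original tutorial and not Duo's or Proxmox's own code. It assumes the Duo Debian repository at pkg.duosecurity.com with the duo-unix package, the codename stretch (set CODENAME=jessie for Proxmox VE 4.4), and placeholder ikey/skey/host values that you replace with the ones from your application's Details page. The ROOT variable is a path prefix so the file-writing steps can be dry-run in a scratch directory; leave it empty on the real host.

```shell
#!/bin/sh
# Added example: applies the Duo PAM setup described above on a Proxmox VE host.
# Assumptions (replace with your own): Duo Debian repo + duo-unix package,
# Debian codename in CODENAME, ikey/skey/host from the Duo "Unix Application".
# ROOT is a path prefix for dry runs; empty means the real filesystem.
set -eu

ROOT="${ROOT:-}"
CODENAME="${CODENAME:-stretch}"   # jessie for PVE 4.4, stretch for PVE 5.x

# 1. Repository definition for the Duo packages
add_duo_repo() {
    mkdir -p "$ROOT/etc/apt/sources.list.d"
    printf 'deb https://pkg.duosecurity.com/Debian %s main\n' "$CODENAME" \
        > "$ROOT/etc/apt/sources.list.d/duosecurity.list"
}

# 2. Signing key and package installation (real host only, needs root + network)
install_duo_packages() {
    curl -fsSL https://duo.com/DUO-GPG-PUBLIC-KEY.asc | apt-key add -
    apt-get update
    apt-get install -y duo-unix
}

# 3. /etc/duo/pam_duo.conf. autopush sends the push without an interactive
#    prompt, which the Proxmox web login (no TTY) needs; prompts = 1 limits
#    retries; failmode = secure denies logins while the Duo API is unreachable
#    (the default, safe, fails open). The file holds a secret, so mode 0600.
write_pam_duo_conf() {
    ikey="$1"; skey="$2"; host="$3"
    mkdir -p "$ROOT/etc/duo"
    (
        umask 077
        cat > "$ROOT/etc/duo/pam_duo.conf" <<EOF
[duo]
ikey = $ikey
skey = $skey
host = $host
pushinfo = yes
autopush = yes
prompts = 1
failmode = secure
EOF
    )
}

# 4. Append pam_duo to common-auth, after the existing password check.
#    Idempotent: a second run does not add a second line.
enable_pam_duo() {
    f="$ROOT/etc/pam.d/common-auth"
    grep -q 'pam_duo\.so' "$f" || printf 'auth\trequired\tpam_duo.so\n' >> "$f"
}

# 5. Sanity check to run before closing the SSH session that did the setup.
#    Returns 0 only if the config carries all three values, is mode 0600,
#    and common-auth actually loads pam_duo.so.
check_duo_setup() {
    conf="$ROOT/etc/duo/pam_duo.conf"
    for key in ikey skey host; do
        grep -q "^$key = ." "$conf" || return 1
    done
    [ -n "$(find "$conf" -perm 600)" ] || return 1
    grep -q '^auth.*pam_duo\.so' "$ROOT/etc/pam.d/common-auth" || return 1
    return 0
}

# Real run, as root on the Proxmox host:
#   ./duo-setup.sh install <ikey> <skey> api-XXXXXXXX.duosecurity.com
if [ "${1:-}" = install ]; then
    add_duo_repo
    install_duo_packages
    write_pam_duo_conf "$2" "$3" "$4"
    enable_pam_duo
    check_duo_setup && echo "Duo PAM setup complete; test from a second SSH session"
fi
```

Run check_duo_setup from your still-open session before you log out anywhere: a world-readable pam_duo.conf leaks the skey to every local user, and a missing pam_duo line means the password alone still opens the box.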
I also suggest adding fail2ban to your Proxmox VE configuration, so that repeated failed logins get their source address banned before the attacker ever reaches the Duo prompt.
Then edit the fail2ban configuration and add a few lines to protect the web interface as well.
And at the end of the config file add a few extra lines:
By default that protects the Proxmox web interface and sshd as well.
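The fail2ban part, as an added example that is not part of the original tutorial and not Proxmox's or fail2ban's own configuration. It writes a proxmox filter and a jail.local, and checks the filter regex offline against a few constructed daemon.log lines. Assumptions: pvedaemon logs to /var/log/daemon.log; its failure lines have the form "authentication failure; rhost=<address> user=<user>@<realm> msg=..." (newer releases log IPv4-mapped ::ffff: addresses); fail2ban 0.9 or later, whose stock SSH jail is named sshd. The sample log lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: fail2ban filter + jail for the Proxmox web interface, with an
# offline check of the filter against constructed log lines.
# Assumptions: pvedaemon writes to /var/log/daemon.log; fail2ban >= 0.9 ([sshd]
# jail). ROOT is a path prefix for dry runs; empty means the real filesystem.
set -eu

ROOT="${ROOT:-}"

# The expression fail2ban applies to every line; <HOST> is fail2ban's own
# placeholder for the address to ban.
PROXMOX_FAILREGEX='pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*'

write_proxmox_filter() {
    mkdir -p "$ROOT/etc/fail2ban/filter.d"
    cat > "$ROOT/etc/fail2ban/filter.d/proxmox.conf" <<EOF
[Definition]
failregex = $PROXMOX_FAILREGEX
ignoreregex =
EOF
}

# jail.local overrides jail.conf and survives package upgrades. [sshd] enables
# the stock SSH jail; [proxmox] uses the filter above and bans on the web ports.
write_jail_local() {
    mkdir -p "$ROOT/etc/fail2ban"
    cat > "$ROOT/etc/fail2ban/jail.local" <<'EOF'
[DEFAULT]
bantime  = 3600
findtime = 600
maxretry = 3

[sshd]
enabled = true

[proxmox]
enabled = true
port    = https,http,8006
filter  = proxmox
logpath = /var/log/daemon.log
EOF
}

# Offline check: count stdin lines the filter would treat as failures.
# fail2ban substitutes its own address pattern for <HOST>; here a simplified
# IPv4/IPv6 class stands in, which also covers the ::ffff:a.b.c.d mapped form.
count_failures() {
    regex=$(printf '%s' "$PROXMOX_FAILREGEX" | sed 's/<HOST>/[0-9a-fA-F.:]+/')
    grep -Ec "$regex" || true
}

# Constructed sample of /var/log/daemon.log: two web-login failures (one from
# a mapped IPv6 address), one success, one sshd line the proxmox filter ignores.
SAMPLE_LOG='Jan 10 12:00:01 pve pvedaemon[1234]: authentication failure; rhost=198.51.100.7 user=root@pam msg=Authentication failure
Jan 10 12:00:05 pve pvedaemon[1234]: <root@pam> successful auth for user root@pam
Jan 10 12:00:09 pve pvedaemon[1234]: authentication failure; rhost=::ffff:203.0.113.9 user=admin@pve msg=no such user
Jan 10 12:00:12 pve sshd[2222]: Failed password for root from 198.51.100.7 port 51000 ssh2'

sample_failure_count() {
    printf '%s\n' "$SAMPLE_LOG" | count_failures
}

if [ "${1:-}" = install ]; then
    write_proxmox_filter
    write_jail_local
    systemctl restart fail2ban
fi
```

After installing, validate the filter against the real log with fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf and watch bans with fail2ban-client status proxmox; if the real rhost values do not match what fail2ban-regex expects on your release, adjust the failregex rather than the log.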