
In this tutorial, I will guide you step by step through securing your PROXMOX VE server with Duo Push. Once it is set up, accessing your PROXMOX VE server also requires confirming a push authentication from Duo Security (DUO) on your mobile phone. With a small modification to the whole process, it should also be possible to use Twilio as the source of the second factor at the login level.

Duo account setup and configuration

Be aware of initial requirements.

  1. You need at least a Duo Free account from https://duo.com, with mobile phone access activated.



  2. After registering and activating your mobile phone, log in to DUO and create a new user. As you might guess, this will be the root user.


  3. Assign your phone number to this user: this is the account and the phone that push notifications will be sent to. If you lose your phone, you can always change the Status value to Bypass.


    If you own a YubiKey, you can also assign it to your new account.

  4. Now we have to define in DUO the new application that we are going to authenticate.

    Since we are protecting a *NIX system, it will be a Unix Application.


    Choose your own name and customise whatever you want. Normally I would suggest naming your application PROXMOX.


  5. The most important part is stored in Details: here you have the Integration key, the Secret key and the API hostname. This is what we will add to our PROXMOX machine configuration.

  6. Now you are ready for the rest of the configuration, which we will do on the PROXMOX VE box. I assume your PROXMOX VE is up and running and that you can access it through SSH. So please connect to your box with SSH; it will make the configuration easier.
    I would also suggest installing nano on PROXMOX for text editing - apt install nano


PROXMOX VE box configuration


  1. First of all, connect to your PROXMOX VE through SSH or, if necessary, the console. I would suggest using SSH with PuTTY for easy copy and paste operations.
  2. We need to prepare our system to accept software from Duo Security. Just execute the few commands below in your shell:

    # apt install curl nano
    # curl -s https://duo.com/APT-GPG-KEY-DUO | apt-key add -
  3. Create a repository to install DUO packages.

    # nano /etc/apt/sources.list.d/duosecurity.list

    In the list file, add the new repository:

    deb http://pkg.duosecurity.com/Debian jessie main

    Save with CTRL+X and Y as confirmation

  4. Update your package database and install the new package we need. You could also compile it manually from source... but why? Just use the packages prepared for the Jessie system (for Virtual Environment 4.4), or the newer ones for version 5.0 of VE. Just modify your list file accordingly.

    # apt-get update && apt-get install duo-unix
  5. Now the PAM modules are installed. In the next step, we will change how login to the system is performed.
  6. Edit the /etc/pam.d/common-auth file with nano:


    # nano /etc/pam.d/common-auth

    and then add a new line at the end. It should be at the end of the file: first we verify the user account, then DUO.

    #
    # /etc/pam.d/common-auth - authentication settings common to all services
    #
    # This file is included from other service-specific PAM config files,
    # and should contain a list of the authentication modules that define
    # the central authentication scheme for use on the system
    # (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
    # traditional Unix authentication mechanisms.
    #
    # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
    # To take advantage of this, it is recommended that you configure any
    # local modules either before or after the default block, and use
    # pam-auth-update to manage selection of other modules.  See
    # pam-auth-update(8) for details.
    
    # here are the per-package modules (the "Primary" block)
    auth  [success=1 default=ignore]        pam_unix.so nullok_secure
    
    # here's the fallback if no module succeeds
    auth    requisite                       pam_deny.so
    # prime the stack with a positive return value if there isn't one already;
    # this avoids us returning an error just because nothing sets a success code
    # since the modules above will each just jump around
    auth    required                        pam_permit.so
    # and here are more per-package modules (the "Additional" block)
    # end of pam-auth-update config
    auth  required  /lib64/security/pam_duo.so
    
  7. Generally, that change should already protect our system with duo, as this is the common rule... but now we need to define how we want to use duo. Be sure you are still connected over SSH; do not close the session.
    If you want to protect only SSH, then edit /etc/pam.d/sshd and add the same line after the common-auth include. That should affect only SSH. But I would suggest keeping it in common-auth, to protect all elements.
  8. Now we need to create the DUO configuration - this is where we will store our secret parts from DUO. After installation, you should have the /etc/duo folder created. In this folder, there should be a pam_duo.conf file. We can also create one directly:

    # nano /etc/duo/pam_duo.conf

    We need to set this up so that our system automatically pushes all requests to us, to our phone. So be sure your phone is ready and enrolled. Of course, if something goes wrong, we can always bypass those requirements on the DUO admin website. The file should look like the one below - remember to replace ikey, skey and host with your own values, as shown here.

    [duo]
    ; Duo integration key
    ikey = XXXX
    ; Duo secret key
    skey = YYYYYYYY
    ; Duo API host
    host = api-ZZZZZZ.duosecurity.com
    ; Send command for Duo Push authentication
    pushinfo = yes
    autopush = yes

    For some extra login control, you can create a second file, /etc/duo/login_duo.conf - just add an extra line at the end, prompts = 1, to limit the number of requests for confirmation.

  9. You are generally done. Test your config: do not close the current SSH session; start a new session in PuTTY and connect as the root user. Provide your password and wait a moment - if everything was set up as expected, you should receive a push request for confirmation. Confirm it and you are in. If it is not working, it may be necessary to reload the sshd service.
  10. Now go to your PROXMOX web interface - log out if you are logged in - and try to log in again as the root user. You should receive a confirmation push message here as well. If so, everything is ready and set up.
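
A sanity check worth running from the still-open SSH session before the login test in step 9. This is an added example, not part of the original tutorial: the function name check_duo_setup is hypothetical, and the 0600 mode check assumes the secret key in pam_duo.conf should be readable by root only.

```bash
#!/usr/bin/env bash
# Added example: sanity checks for the Duo PAM setup from steps 6 to 8.
# Paths are arguments so the checks can be tried on copies first, e.g.
#   check_duo_setup /etc/duo/pam_duo.conf /etc/pam.d/common-auth

# Prints one line per problem found; returns non-zero if there is any.
check_duo_setup() {
    local conf="$1" pam="$2" rc=0 key val unix_ln duo_ln

    # skey is a shared secret: assume the file must be root-only (0600).
    if [ "$(stat -c '%a' "$conf")" != "600" ]; then
        echo "PERMS: $conf should be mode 600"; rc=1
    fi

    # ikey, skey and host must be set and not left as tutorial placeholders.
    for key in ikey skey host; do
        val=$(sed -nE "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$conf" | head -n1)
        case "$val" in
            ""|XXXX*|YYYY*|*ZZZZZZ*)
                echo "VALUE: $key is missing or still a placeholder"; rc=1 ;;
        esac
    done

    # pam_duo must be an active (uncommented) auth line placed after
    # pam_unix, so the password is verified first and Duo second.
    unix_ln=$(grep -nE '^[[:space:]]*auth[[:space:]].*pam_unix\.so' "$pam" | head -n1 | cut -d: -f1)
    duo_ln=$(grep -nE '^[[:space:]]*auth[[:space:]].*pam_duo\.so' "$pam" | head -n1 | cut -d: -f1)
    if [ -z "$duo_ln" ]; then
        echo "PAM: no active pam_duo.so auth line in $pam"; rc=1
    elif [ -n "$unix_ln" ] && [ "$duo_ln" -lt "$unix_ln" ]; then
        echo "PAM: pam_duo.so is listed before pam_unix.so"; rc=1
    fi
    return $rc
}
```

No output and a zero exit status mean none of the three problems were found; the login test in step 9 is still required.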


Extra security...

We would also suggest adding fail2ban to your PROXMOX configuration.

# apt install fail2ban

Then edit the configuration and add a few lines to protect the web interface as well.

# nano /etc/fail2ban/jail.conf

And at the end of the config file add a few extra lines:

[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
logpath = /var/log/daemon.log
maxretry = 3
# 1 hour
bantime = 3600

By default, that would protect the Proxmox interface as well as sshd...
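
The [proxmox] jail above refers to filter = proxmox, and the page does not show a filter definition for it. The following is an added example, not part of the original tutorial: it writes such a filter and, on constructed log lines, lists the hosts that would reach maxretry = 3. The function names, the failregex (an assumption about how pvedaemon logs failed logins; check it against your own /var/log/daemon.log) and the simplified <HOST> emulation are assumptions.

```bash
#!/usr/bin/env bash
# Added example: filter file for the [proxmox] jail plus a dry-run counter.

# Write the filter the jail looks up as filter.d/proxmox.conf.
# $1 = target directory (assumption: /etc/fail2ban/filter.d on the real box)
write_proxmox_filter() {
    cat > "$1/proxmox.conf" <<'EOF'
[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =
EOF
}

# Approximate what the jail does: print every source host with at least
# $2 failed logins in log file $1. <HOST> is emulated here with a loose
# address pattern; fail2ban's own matcher is stricter.
hosts_over_limit() {
    sed -nE 's/.*pvedaemon\[.*authentication failure; rhost=([0-9A-Fa-f:.]+) user=.* msg=.*/\1/p' "$1" \
        | sort | uniq -c | awk -v max="$2" '$1 >= max { print $2 }'
}

# Constructed sample lines (documentation addresses, not real traffic).
sample_log() {
    cat <<'EOF'
Jan 10 10:00:01 pve pvedaemon[1201]: authentication failure; rhost=203.0.113.7 user=root@pam msg=Authentication failure
Jan 10 10:00:05 pve pvedaemon[1201]: authentication failure; rhost=203.0.113.7 user=root@pam msg=Authentication failure
Jan 10 10:00:09 pve pvedaemon[1202]: authentication failure; rhost=198.51.100.4 user=admin@pve msg=no such user
Jan 10 10:00:12 pve pvedaemon[1201]: authentication failure; rhost=203.0.113.7 user=root@pam msg=Authentication failure
Jan 10 10:01:30 pve pvedaemon[1203]: <root@pam> successful auth for user 'root@pam'
Jan 10 10:02:00 pve sshd[2210]: Accepted password for root from 192.0.2.20 port 50022 ssh2
EOF
}
```

On the real system, fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf shows what the installed filter matches.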