# Proxmox Installation

By Adrien

# repositories update

apt update
apt dist-upgrade

deb http://ftp.debian.org/debian bullseye main contrib
deb http://ftp.debian.org/debian bullseye-updates main contrib

# security updates

  1. On a terminal, type:
deb http://security.debian.org/debian-security bullseye-security main contrib
  1. Edit /etc/apt/sources.list.d/pve-enterprise.list and comment out the enterprise repository line
nano  /etc/apt/sources.list.d/pve-enterprise.list

#deb https://enterprise.proxmox.com/debian/pve

apt-get update
apt dist-upgrade
reboot

# SSH Security

  1. Add new user
adduser proxmoxssh
usermod -aG sudo proxmoxssh
su - proxmoxssh
mkdir ~/.ssh
chmod 700 ~/.ssh
nano ~/.ssh/authorized_keys # add your public ssh key here
chmod 600 ~/.ssh/authorized_keys
  1. Edit sshd (replace 1111 with your own SSH port)
nano /etc/ssh/sshd_config
Port 1111
PermitRootLogin no
PasswordAuthentication no

Then restart sshd

/etc/init.d/ssh restart

With these modifications, the number of attacks logged in /var/log/auth.log should be reduced.

  1. Install fail2ban
sudo apt install fail2ban
nano /etc/fail2ban/jail.local
[DEFAULT]

bantime = 84600 ; seconds, about 23.5 hours (2 days would be 172800)
findtime = 600
maxretry = 3

destemail = adrien.palu@hotmail.fr ; your email here
sendername = Fail2ban

action = %(action_mwl)s

[sshd]
enabled = true
port = 22 ; your ssh port here (> 1000), the Port value set in sshd_config

And then restart fail2ban

systemctl restart fail2ban

You can check fail2ban activity in /var/log/fail2ban.log

  1. Configure Postfix for email
dpkg-reconfigure postfix

Choose the following options:

  • Internet Site.
  • System mail name = proxmox.example.com
  • Postmaster mail recipient = tomtom # your name here
  • Other destinations to accept mail from : proxmox, proxmox.example.com, proxmox.example.com, localhost.example.com, localhost
  • Force synchronous updates on mail queue ? No
  • Local networks = no changes
  • Mailbox size limit = 0
  • Local address extension character = +
  • Internet Protocols = all
systemctl restart postfix
  1. Add Proxmox user
adduser proxmox
sudo passwd proxmox
pveum groupadd admin -comment "System Administrators"
pveum aclmod / -group admin -role Administrator
pveum usermod proxmox@pam -group admin
  1. Update Fail2ban for proxmox user
nano /etc/fail2ban/jail.local

Add this block:

[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
logpath = /var/log/daemon.log
maxretry = 3
# 1 hour
bantime = 3600

And create this file /etc/fail2ban/filter.d/proxmox.conf with:

[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =

And then restart fail2ban

systemctl restart fail2ban
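
The [proxmox] jail above bans a host once the failregex has matched maxretry times within findtime. The following added example (not part of the original guide) replays that logic in Python over constructed log lines; the simplified `<HOST>` substitution, the sample lines and the function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex exactly as in /etc/fail2ban/filter.d/proxmox.conf.
FAILREGEX = r"pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*"
# Assumption: <HOST> is replaced by a simplified group; fail2ban's own
# expansion is a stricter IPv4/IPv6/hostname pattern.
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\S+)"))
MAXRETRY, FINDTIME = 3, 600  # [proxmox] maxretry, [DEFAULT] findtime (s)

# Constructed sample lines in the syslog layout of /var/log/daemon.log.
SAMPLE_LOG = """\
Jan 10 09:00:01 pve pvedaemon[1201]: authentication failure; rhost=198.51.100.7 user=root@pam msg=Authentication failure
Jan 10 09:00:05 pve pvedaemon[1201]: authentication failure; rhost=198.51.100.7 user=admin@pve msg=no such user
Jan 10 09:00:09 pve pvedaemon[1201]: <root@pam> successful auth for user 'root@pam'
Jan 10 09:00:12 pve pvedaemon[1201]: authentication failure; rhost=198.51.100.7 user=root@pam msg=Authentication failure
Jan 10 09:01:00 pve pvedaemon[1202]: authentication failure; rhost=203.0.113.9 user=root@pam msg=Authentication failure
Jan 10 09:20:00 pve pvedaemon[1202]: authentication failure; rhost=203.0.113.9 user=root@pam msg=Authentication failure
Jan 10 09:21:00 pve pvedaemon[1202]: authentication failure; rhost=203.0.113.9 user=root@pam msg=Authentication failure
""".splitlines()

def parse_failure(line):
    """Return (timestamp, host) for a failed-login line, else None."""
    match = PATTERN.search(line)
    if match is None:
        return None
    # Syslog timestamps carry no year, so a constructed one is prepended.
    when = datetime.strptime("2024 " + line[:15], "%Y %b %d %H:%M:%S")
    return when, match.group("host")

def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Hosts reaching maxretry failures inside a sliding findtime window."""
    recent, banned = defaultdict(deque), []
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        when, host = hit
        window = recent[host]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))
```

On the host itself, `fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf` runs the real filter against the real log.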

# Storage

  1. Create ZFS from your node > Disks > ZFS > Create

If "no disk unused" is shown, then wipe the disk

fdisk /dev/sda
  1. then p to print the partition table, then d to delete, then w to write.

# check SMART Monitoring

smartctl -a /dev/sda

# IOMMU (PCI Passthrough)

  1. edit /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on"
  1. Update GRUB
update-grub
  1. edit /etc/modules
vfio  
vfio_iommu_type1  
vfio_pci  
vfio_virqfd
  1. Update configuration and reboot
update-initramfs -u -k all
reboot

# Network

# VLAN aware

  1. Go to your node > Network > vmbr0 > check VLAN aware

# NFS Share

  1. Add your NFS Share on your node > Storage > Add > NFS based on TrueNAS Server

# Schedule Backup

  1. Go to Datacenter > Backup > Create
  2. Import ISO / VirtIO / Templates
  3. Create VM / CT

# Create new user

  1. Create a folder for new_user on TrueNAS in "USER" and export NFS/SMB point
  2. Create new user on TrueNAS with the right permissions
  3. Create new user in FileBrowser with access to "user > new_user"
  4. Create new user in Jellyfin
  5. Create new invitation in Bitwarden
  6. Create new Win11 VM and connect SMB share on "user > new_user"