Cluster with non-standard SSH Port and Root login disabled.

May 9, 2019
Can anyone assist me in the following:

I use a non-standard port for SSH and have root login disabled. My servers are in a DC and security needs to be strict. Is there a way I can either change the default port the cluster connects on or implement security rules to only allow SSH on port 22 from a specific IP and from everywhere else the non-standard port (2222)?

I changed the default SSH port, so when I want to migrate a VM/CT it gives me an error because port 22 is disabled. How can I change the port the cluster communicates on via SSH? Also, the root user is disabled for SSH.

Note: a fake IP is used. But the IP is the external IP, not the separated cluster network IP (10.0.10.0/24). Is this correct?

Can I configure the cluster to only communicate on the separated cluster network with multicast enabled and IGMP on the switch?

Code:
2019-06-18 13:51:29 # /usr/bin/ssh -e none -o 'BatchMode=yes' -o 'HostKeyAlias=server2' root@123.3.23.169 /bin/true
2019-06-18 13:51:29 ssh: connect to host 123.3.23.169 port 22: Connection refused
2019-06-18 13:51:29 ERROR: migration aborted (duration 00:00:00): Can't connect to destination address using public key
TASK ERROR: migration aborted
 
You can set the SSH default port in the config file under /etc/ssh/ssh_config. This works for my cluster without problems.
 
What I am hoping to achieve is to change the network the migration is done on to the separated network and not the external network. One of my questions was why the migration is being done on (connect to host 123.3.23.169 port 22:) and not (connect to host 10.0.10.2 port 22:), and how can I change that?

The second thing I want to know is, how can I change Proxmox to communicate on port 2222 and as a non-root user?

Opening up port 22 would not be best practice, so why should Proxmox not be able to communicate on a non-standard SSH port with a non-root user, as disabling root login for SSH is also best practice? Surely there must be a way.
 
Okay, so I have done the following and still have some questions.

In /etc/ssh/sshd_config I added port 22 and port 2222 for SSH access and both work.

So in the firewall I want to only allow SSH on port 22 from a specific IP and block everyone else on port 22, but allow everyone on port 2222.

I added the following rules in firewall under
/etc/pve/nodes/Node2/host.fw

Code:
[OPTIONS]
enable: 1


[RULES]

IN ACCEPT -i eth0 -source 10.0.10.2 -p tcp -dport 22 -log notice # Allow SSH Migration (Separated Network)
IN ACCEPT -i eth1 -source 197.242.80.66 -p tcp -dport 22 -log notice # Allow SSH Migration

But this does not block anyone else from SSHing on port 22.

So I checked, and pve-firewall status is disabled/running.

Did some reading, and I need to enable the firewall at datacenter level, but I do not want to do this. I only want to configure the firewall for the node. How do I get this to work?

Still wondering about:


Can I configure the cluster to only communicate on the separated cluster network with multicast enabled and IGMP on the switch?

Code:
2019-06-18 13:51:29 # /usr/bin/ssh -e none -o 'BatchMode=yes' -o 'HostKeyAlias=server2' root@123.3.23.169 /bin/true
2019-06-18 13:51:29 ssh: connect to host 123.3.23.169 port 22: Connection refused
2019-06-18 13:51:29 ERROR: migration aborted (duration 00:00:00): Can't connect to destination address using public key
TASK ERROR: migration aborted
 
One of my questions was why the migration is being done on (connect to host 123.3.23.169 port 22:) and not (connect to host 10.0.10.2 port 22:), and how can I change that?
The cluster communicates over the network the hostname resolves to, so you will have to configure the management network for one of your NICs in /etc/network/interfaces and change /etc/hosts accordingly. https://pve.proxmox.com/pve-docs/pve-admin-guide.html#sysadmin_network_configuration
Please note that this is not the separate corosync cluster network, which it seems you are running on 10.0.10.x and which should be independent of the VM/CT/cluster traffic network.
The second thing I want to know is, how can I change Proxmox to communicate on port 2222 and as a non-root user?
Proxmox services need root permissions to operate; running as non-root is not possible.
Did some reading, and I need to enable the firewall at datacenter level, but I do not want to do this. I only want to configure the firewall for the node. How do I get this to work?
Enabling the firewall at datacenter level is necessary in order to apply the rules to each node's firewall, but the firewall service runs locally on each node. Rules for VMs and rules for nodes apply separately, so I don't see an issue there if that's what you are worried about.
You could forward traffic on port 2222 to 22 via an iptables rule, e.g. https://serverfault.com/questions/421328/use-iptables-to-forward-ssh
 
Shouldn't the migration run on the separated network? If so I will update my /etc/hosts; if not I will leave it as is.

Thanks for the info.

I allowed port 22 and port 2222 for SSH and only allowed port 22 access from the separated network via the firewall, and in sshd_config I only allowed root login from the separated network.
 
So, all I had to do at the end of the day was to specify the migration network in the datacenter.

In the console I went to Datacentre >

Then I migrated a VM without needing to open SSH port 22 or do any firewall configuration. The firewall is disabled at DC level and node level and the migration is working just fine.

Strange how there was no need to enable port 22 or do any firewall configs when it can simply be done by specifying the migration network under Datacentre options.

Thanks for the help anyway.
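A check that ties together the two points this thread ends on: the Proxmox reply above says migration connects to whatever address the target node's name resolves to (so /etc/hosts decides), and the final post fixes the problem by setting a migration network under Datacenter options, which is stored in /etc/pve/datacenter.cfg. The script below is an added example written for this page; it is not code from the thread or from Proxmox VE. It reads a hosts file and a datacenter.cfg, reports whether the node name resolves into the intended 10.0.10.0/24 network, and reports the configured migration network when one is set. The hosts-file and datacenter.cfg contents are constructed; the node name server2 and the addresses 123.3.23.169 and 10.0.10.2 are taken from the log in the thread, the `server2.example.com` and `server2-corosync` names are assumed, and the `migration: secure,network=...` line follows the form documented for datacenter.cfg in the Proxmox VE admin guide.

```shell
#!/usr/bin/env bash
# Added example (not from the forum thread or from Proxmox VE).
# Pre-flight check for a VM/CT migration target: which address does the node
# name resolve to in /etc/hosts, is it inside the intended network, and does
# /etc/pve/datacenter.cfg name a dedicated migration network?
# All inputs below are constructed; server2, 123.3.23.169, 10.0.10.2 and
# 10.0.10.0/24 come from the thread, the other hostnames are assumed.

# Constructed /etc/hosts: the node name points at the public address, which is
# what the failed migration in the log tried to reach on port 22.
HOSTS_BAD='127.0.0.1 localhost
123.3.23.169 server2.example.com server2 pvelocalhost
10.0.10.2 server2-corosync'

# Same file with the node name moved onto the separate 10.0.10.0/24 network.
HOSTS_GOOD='127.0.0.1 localhost
10.0.10.2 server2.example.com server2 pvelocalhost'

# Constructed datacenter.cfg, with and without a migration network
# (line syntax as documented for /etc/pve/datacenter.cfg).
DC_CFG='keyboard: en-us
migration: secure,network=10.0.10.0/24'
DC_CFG_NONET='keyboard: en-us'

# ip2int A.B.C.D: dotted quad as an unsigned 32-bit integer.
ip2int() {
    # word-split on purpose: the four octets become $1..$4
    set -- $(printf '%s\n' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX: exit 0 when ADDR lies inside NET/PREFIX.
in_cidr() {
    local net=${2%/*} prefix=${2#*/} mask
    mask=$(( 4294967295 - ((1 << (32 - prefix)) - 1) ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# hosts_lookup HOSTS_TEXT NAME: first address whose names include NAME,
# i.e. what /etc/hosts-based resolution of the node name yields.
hosts_lookup() {
    printf '%s\n' "$1" | awk -v name="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }'
}

# dc_migration_network DC_CFG_TEXT: the network= value of the migration:
# option, or nothing when no migration network is configured.
dc_migration_network() {
    printf '%s\n' "$1" | awk '
        /^migration:/ {
            sub(/^migration:[ \t]*/, "")
            n = split($0, kv, ",")
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^network=/) { sub(/^network=/, "", kv[i]); print kv[i]; exit }
        }'
}

# migration_target_check HOSTS_TEXT DC_CFG_TEXT NODE EXPECTED_NET
# Prints one verdict line:
#   "migration-network N"  datacenter.cfg names a migration network
#   "ok IP"                NODE resolves into EXPECTED_NET
#   "mismatch IP"          NODE resolves outside it (the failure in the log)
#   "unresolved NODE"      NODE is not in the hosts file at all
migration_target_check() {
    local net ip
    net=$(dc_migration_network "$2")
    if [ -n "$net" ]; then echo "migration-network $net"; return 0; fi
    ip=$(hosts_lookup "$1" "$3")
    if [ -z "$ip" ]; then echo "unresolved $3"; return 0; fi
    if in_cidr "$ip" "$4"; then echo "ok $ip"; else echo "mismatch $ip"; fi
}

migration_target_check "$HOSTS_BAD"  "$DC_CFG_NONET" server2 10.0.10.0/24  # mismatch 123.3.23.169
migration_target_check "$HOSTS_GOOD" "$DC_CFG_NONET" server2 10.0.10.0/24  # ok 10.0.10.2
migration_target_check "$HOSTS_BAD"  "$DC_CFG"       server2 10.0.10.0/24  # migration-network 10.0.10.0/24
```

To run it against a real node, pass the real files instead of the constructed strings, e.g. `migration_target_check "$(cat /etc/hosts)" "$(cat /etc/pve/datacenter.cfg)" server2 10.0.10.0/24`. The check only inspects the two files; it does not reproduce how Proxmox picks the address once a migration network is set, so read its "migration-network" verdict as "the option is present", not as proof that migration traffic stays off the public interface. The firewall rules or sshd restrictions discussed earlier in the thread are a separate matter and are not modelled here.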
 
