CentOS 6 VirtualBox Server

January 12, 2014

In this article we build a desktop system that will be used exclusively for running virtualized systems. The hardware consists of an ASRock Z87 Pro3 motherboard and Intel i7-4770 CPU on which we've installed 32 GB of RAM. This specific motherboard was selected because it was known to support a standard installation of Linux without needing any tweaks, and also because it was listed as supporting VT-d in addition to VT-x.

CentOS 6.5 is installed on the desktop (which we refer throughout this article as "the server") along with the latest version of VirtualBox 4.3. We install FreeNX so that a client can remotely access the CentOS server via a GUI, and install VirtualBox extensions to provide direct GUI access to the multiple guest OS. As an extra measure we've connected a home-grade APC UPS to the server and configured apcupsd to provide graceful system shutdowns in the event of an extended power failure. We also enable smartd for monitoring the health of the hard drive, and use postfix mail transfer agent to send email alerts locally to the server administrator.

Our goal for this server is to configure it so that public key authentication is used for all remote access (command-line SSH, graphical NX access to the server, and RDP access to the guest OS). All traffic from a client to the server is tunnelled through SSH, resulting in a system that requires only one port to be exposed on the network. In turn we've hardened SSH by disabling all other default SSH authentication methods (password, gssapi-keyex, gssapi-with-mic) and defined which ciphers it can use. We also perform a slight amount of server hardening, resulting in a system that has a minimal amount of network services running.

We show all the commands that were entered on the server as well as those entered via a remote client (in our case a laptop running Ubuntu 12.04) that was used to access the server. Any command-line entry containing "user@Ubuntu" represents a command performed locally on the Ubuntu laptop, such as preparing the ISOs or installing Remmina. Those with "root@Centos" represent commands executed on the CentOS server. The username (user vs root) shows whether the command was entered as a regular user or as root. The client has IP 192.168.1.100 and the CentOS server 192.168.1.200.

UPDATE: This article was originally written for CentOS 6.5, and it appears that upgrading to CentOS 6.6 causes FreeNX to not work properly. If you experience this issue one workaround is to install epel-release and check for new updates which should install updated NX libraries (yum install epel-release; yum check-update; yum update).

Pre Installation

Begin by downloading the CentOS 6.5 ISOs and copy them directly onto USB sticks using dd, after having confirmed the integrity of the ISOs by comparing their SHA-1 or SHA-256 sums against the sum files published in the same directory on the mirror. The path taken on the mirror sites to download the ISOs is /6.5/isos/x86_64/ (e.g. http://mirror.team-cymru.org/CentOS/6.5/isos/x86_64/). Note that for what we installed it turned out that the second CentOS ISO was not necessary.

user@Ubuntu:~$ sha256sum CentOS-6.5-x86_64-bin-DVD*
c796ab378319393f47b29acd8ceaf21e1f48439570657945226db61702a4a2a1  CentOS-6.5-x86_64-bin-DVD1.iso
afd2fc37e1597c64b3c3464083c0022f436757085d9916350fb8310467123f77  CentOS-6.5-x86_64-bin-DVD2.iso

The first command below is performed on both USB sticks to sanitize them. The second command is performed on an 8 GB stick, and the third on a 4 GB stick (again, based upon what we selected to be installed, the second USB stick was never requested during the installation). For those not familiar with dd, understand that the commands below should only be performed if /dev/sdb represents your USB stick, otherwise you risk permanently overwriting something you did not intend to; each stick is inserted on its own, which is why all three commands name /dev/sdb. You can use the command dmesg shortly after having inserted your USB stick to discover which device letter it is associated with, and run sync before unplugging the stick so that dd's buffered writes actually reach it.

root@Ubuntu:/# dd if=/dev/zero bs=4096 of=/dev/sdb
root@Ubuntu:/# dd if=CentOS-6.5-x86_64-bin-DVD1.iso of=/dev/sdb
root@Ubuntu:/# dd if=CentOS-6.5-x86_64-bin-DVD2.iso of=/dev/sdb

Note: As a test we tried booting our laptop from this USB stick and it never progressed further than a text line beginning with the word ISOLINUX. This same USB stick when inserted into our server worked fine. We suspect some kind of limitation with the laptop here.
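A guarded form of the verification and dd steps above, as an added example that is not code from the original article: the script checks the ISO against the sha256sum.txt published next to it on the mirror, refuses any target device that the kernel does not flag as removable or that has a mounted partition, and only then writes. The SYSFS_ROOT, MOUNTS and DRY_RUN variables are assumptions introduced for this example so the checks can be exercised without a real stick; leave them unset on a real system.

```shell
#!/bin/bash
# Added example, not code from the original article: verify the installer
# image against the mirror's published checksum list and refuse to write it
# to anything but a removable, unmounted block device. The article's dd is
# only safe when /dev/sdb really is the stick; these checks make that
# assumption explicit. SYSFS_ROOT, MOUNTS and DRY_RUN are assumptions that
# exist so the logic can be exercised against a constructed directory tree.

# verify_image IMAGE SUMFILE: SUMFILE holds "<sha256>  <filename>" lines as
# published in the mirror's sha256sum.txt. Fail when IMAGE has no entry or
# the computed hash differs.
verify_image() {
    image=$1 sums=$2
    expected=$(awk -v n="$(basename "$image")" '$2 == n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum listed for $image in $sums" >&2; return 1
    fi
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $image (got $actual, want $expected)" >&2; return 1
    fi
    echo "ok: $image matches $expected"
}

# usb_target_ok DEVICE: DEVICE is a whole-disk node such as /dev/sdb.
# Require the kernel's "removable" flag for it, and require that neither the
# disk nor any partition on it is currently mounted.
usb_target_ok() {
    dev=$1 name=$(basename "$1")
    sysfs=${SYSFS_ROOT:-/sys/block} mounts=${MOUNTS:-/proc/mounts}
    if [ "$(cat "$sysfs/$name/removable" 2>/dev/null)" != "1" ]; then
        echo "$dev is not flagged removable, refusing" >&2; return 1
    fi
    if grep -q "^$dev[0-9]* " "$mounts"; then
        echo "$dev (or a partition on it) is mounted, refusing" >&2; return 1
    fi
}

# write_image IMAGE SUMFILE DEVICE: the guarded form of the article's dd.
write_image() {
    verify_image "$1" "$2" || return 1
    usb_target_ok "$3" || return 1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "would run: dd if=$1 of=$3 bs=4M"
    else
        dd if="$1" of="$3" bs=4M && sync
    fi
}

# Stand-alone use: write_image.sh IMAGE SUMFILE DEVICE
if [ $# -eq 3 ]; then
    write_image "$@"
fi
```

Run it as root with the image, the checksum list and the whole-disk device (for example write_image CentOS-6.5-x86_64-bin-DVD1.iso sha256sum.txt /dev/sdb); with DRY_RUN=1 it prints the dd it would run instead of writing.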

Given that we are installing CentOS on a brand new system that we built ground-up and haven't used yet, we proceed to upgrade the system BIOS to the latest version, configuring it as needed (enabling VT-d and S.M.A.R.T.) and performing a full memory test when we boot off the CentOS USB stick to confirm there are no faults with the new RAM.



Installation

Once the memory test completes, we proceed to install CentOS as normal. Since we are installing CentOS from a USB stick and not from a DVD-ROM, when asked by the installer "what type of media contains the installation image" we select "hard drive" and select /dev/sdb1 which in our case represents the USB stick. At a certain point early in the CentOS installation process we received a pop-up informing us that a certain hardware component in our system would not be supported, but we ignore this and continue on (after we successfully installed CentOS and booted for the first time, we confirmed through the command "dmesg | grep UNSUPPORTED" that it was only the HDMI Audio component of the motherboard that was not supported).

We proceed through the CentOS installer as normal. For disk partitioning, select "use all space" (we are not dual booting) and check the "review and modify partitioning layout" checkbox at the bottom. Select your hard drive as the installation target, and modify the default partition configuration if needed. In our case we reduced the size of /home, and added a large /opt partition which will be the installation path for our various guest OS. In the end our partition layout looks roughly as follows:

/       55 GB
/boot   500 MB
/home   105 GB
/opt    825 GB
swap    16 GB

Continuing with the installation, when prompted about what type of system to install, we select the "Basic Server" radio button and the "Customize now" button at the bottom.

In the following customization screen we added the following components:

Application | Internet Browser
Base System | Hardware monitoring utilities | lm_sensors
Base System | Networking Tools | (select nmap and nc, uncheck the others)
Desktops | Desktop
Desktops | Desktop Debugging and Performance Tools
Desktops | Desktop Platform
Desktops | Fonts
Desktops | General Purpose Desktop
Desktops | Graphical Administration Tools
Desktops | Legacy X Windows System compatibility
Desktops | Remote Desktop Clients
Desktops | X Window System

We unselected the following components:

Base System | Directory Client | ypbind
Base System | Java Platform
Base System | Network file system client

The actual installation will begin. Reboot when prompted, create your username and password, and uncheck the "Enable kdump" checkbox (your system will reboot again).

Post Installation Hardening

Log into the server and change iptables so that SSH is accepted from your client's address only. The rule below assumes the client keeps the address 192.168.1.100; give it a static address or a DHCP reservation, or you will lock yourself out the day it changes:

[root@Centos ]# nano /etc/sysconfig/iptables

For the following entry:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

We change this to:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -s 192.168.1.100 -j ACCEPT

Restart iptables and review the loaded rules. If IPv6 is active on your network, /etc/sysconfig/ip6tables carries the same unrestricted port 22 rule and needs the same source restriction with the client's IPv6 address:

[root@Centos ]# /etc/init.d/iptables restart
[root@Centos ]# /etc/init.d/iptables status

Next make sure you install any missing security updates, and reboot if needed:

[root@Centos ]# yum check-update
[root@Centos ]# yum update

We now proceed to change which services start up automatically. Below is the default:

[root@Centos ]# chkconfig --list
NetworkManager 	0:off	1:off	2:on	3:on	4:on	5:on	6:off
abrt-ccpp      	0:off	1:off	2:off	3:on	4:off	5:on	6:off
abrtd          	0:off	1:off	2:off	3:on	4:off	5:on	6:off
acpid          	0:off	1:off	2:on	3:on	4:on	5:on	6:off
atd            	0:off	1:off	2:off	3:on	4:on	5:on	6:off
auditd         	0:off	1:off	2:on	3:on	4:on	5:on	6:off
autofs         	0:off	1:off	2:off	3:on	4:on	5:on	6:off
blk-availability	0:off	1:on	2:on	3:on	4:on	5:on	6:off
bluetooth      	0:off	1:off	2:off	3:on	4:on	5:on	6:off
certmonger     	0:off	1:off	2:off	3:on	4:on	5:on	6:off
cgconfig       	0:off	1:off	2:off	3:off	4:off	5:off	6:off
cgred          	0:off	1:off	2:off	3:off	4:off	5:off	6:off
cpuspeed       	0:off	1:on	2:on	3:on	4:on	5:on	6:off
crond          	0:off	1:off	2:on	3:on	4:on	5:on	6:off
cups           	0:off	1:off	2:on	3:on	4:on	5:on	6:off
dnsmasq        	0:off	1:off	2:off	3:off	4:off	5:off	6:off
firstboot      	0:off	1:off	2:off	3:off	4:off	5:off	6:off
haldaemon      	0:off	1:off	2:off	3:on	4:on	5:on	6:off
htcacheclean   	0:off	1:off	2:off	3:off	4:off	5:off	6:off
httpd          	0:off	1:off	2:off	3:off	4:off	5:off	6:off
ip6tables      	0:off	1:off	2:on	3:on	4:on	5:on	6:off
iptables       	0:off	1:off	2:on	3:on	4:on	5:on	6:off
irqbalance     	0:off	1:off	2:off	3:on	4:on	5:on	6:off
kdump          	0:off	1:off	2:off	3:off	4:off	5:off	6:off
lm_sensors     	0:off	1:off	2:off	3:off	4:off	5:off	6:off
lvm2-monitor   	0:off	1:on	2:on	3:on	4:on	5:on	6:off
mcelogd        	0:off	1:off	2:off	3:on	4:off	5:on	6:off
mdmonitor      	0:off	1:off	2:on	3:on	4:on	5:on	6:off
messagebus     	0:off	1:off	2:on	3:on	4:on	5:on	6:off
netconsole     	0:off	1:off	2:off	3:off	4:off	5:off	6:off
netfs          	0:off	1:off	2:off	3:on	4:on	5:on	6:off
network        	0:off	1:off	2:on	3:on	4:on	5:on	6:off
nfs            	0:off	1:off	2:off	3:off	4:off	5:off	6:off
nfslock        	0:off	1:off	2:off	3:on	4:on	5:on	6:off
ntpd           	0:off	1:off	2:off	3:off	4:off	5:off	6:off
ntpdate        	0:off	1:off	2:off	3:off	4:off	5:off	6:off
numad          	0:off	1:off	2:off	3:off	4:off	5:off	6:off
oddjobd        	0:off	1:off	2:off	3:off	4:off	5:off	6:off
portreserve    	0:off	1:off	2:on	3:on	4:on	5:on	6:off
postfix        	0:off	1:off	2:on	3:on	4:on	5:on	6:off
psacct         	0:off	1:off	2:off	3:off	4:off	5:off	6:off
quota_nld      	0:off	1:off	2:off	3:off	4:off	5:off	6:off
rdisc          	0:off	1:off	2:off	3:off	4:off	5:off	6:off
restorecond    	0:off	1:off	2:off	3:off	4:off	5:off	6:off
rngd           	0:off	1:off	2:off	3:off	4:off	5:off	6:off
rpcbind        	0:off	1:off	2:on	3:on	4:on	5:on	6:off
rpcgssd        	0:off	1:off	2:off	3:on	4:on	5:on	6:off
rpcsvcgssd     	0:off	1:off	2:off	3:off	4:off	5:off	6:off
rsyslog        	0:off	1:off	2:on	3:on	4:on	5:on	6:off
saslauthd      	0:off	1:off	2:off	3:off	4:off	5:off	6:off
smartd         	0:off	1:off	2:off	3:off	4:off	5:off	6:off
spice-vdagentd 	0:off	1:off	2:off	3:off	4:off	5:on	6:off
sshd           	0:off	1:off	2:on	3:on	4:on	5:on	6:off
sssd           	0:off	1:off	2:off	3:off	4:off	5:off	6:off
sysstat        	0:off	1:on	2:on	3:on	4:on	5:on	6:off
udev-post      	0:off	1:on	2:on	3:on	4:on	5:on	6:off
wdaemon        	0:off	1:off	2:off	3:off	4:off	5:off	6:off
winbind        	0:off	1:off	2:off	3:off	4:off	5:off	6:off
wpa_supplicant 	0:off	1:off	2:off	3:off	4:off	5:off	6:off

Disable the following services at boot. chkconfig only changes what starts at the next boot, so also stop the running instances now (service bluetooth stop, and so on for the others) or reboot, and confirm with netstat -tlnup that rpcbind's port 111 is no longer listening:

[root@Centos ]# chkconfig bluetooth off
[root@Centos ]# chkconfig cups off
[root@Centos ]# chkconfig rpcbind off
[root@Centos ]# chkconfig rpcgssd off
[root@Centos ]# chkconfig nfslock off
[root@Centos ]# chkconfig portreserve off

Disable core dumps with a hard limit. Wildcard entries in limits.conf are not applied to root (see limits.conf(5)), so if root's sessions should be covered as well, add a second line with the literal domain root:

[root@Centos ]# nano /etc/security/limits.conf

Add the following entry above the line "# End of file":

* hard core 0

Set the default umask for services started by the SysV init scripts. This file is sourced by the rc scripts, so it does not change the umask of interactive logins, which comes from /etc/profile and /etc/bashrc:

[root@Centos ]# nano /etc/sysconfig/init

Add the following entry at the bottom of the file:

umask 027

Open /etc/sysctl.conf for editing:

[root@Centos ]# nano /etc/sysctl.conf

The following entries are enabled by default in CentOS 6, but as a precaution we define them explicitly here by adding them to the bottom of this configuration file (kernel.exec-shield is specific to the RHEL/CentOS 6 kernel; the other two are standard keys):

fs.suid_dumpable = 0
kernel.exec-shield = 1
kernel.randomize_va_space = 2

Also add the following lines at the bottom of this same file so that the host neither sends nor accepts ICMP redirects (accepting them lets any host on the LAN alter this server's routing table, and a server with a single gateway never needs them). If IPv6 is in use, net.ipv6.conf.all.accept_redirects and net.ipv6.conf.default.accept_redirects deserve the same value:

net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

Apply the new values without a reboot with sysctl -p, and spot-check one of them with sysctl net.ipv4.conf.all.accept_redirects, which should print 0. Then delete unnecessary packages:

[root@Centos ]# yum erase certmonger httpd perl-CGI

You can optionally delete cups as well (instead of only disabling it as we did above) if it's unlikely that you'll ever use this system for printing:

[root@Centos ]# yum erase cups

Enable Public Key Authentication

We proceed to create an RSA keypair so that we can enable public key authentication to the server. The following is performed on the client that will remotely access the CentOS server. We use a 3072-bit key but you may increase this if you wish; refer to keylength.com for guidance. Give the key a passphrase: once the changes below are in place, this private key is the only credential that opens the server, and ssh-agent can hold it unlocked for the length of a session:

user@Ubuntu:~$ ssh-keygen -t rsa -b 3072
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.

Enter the following to copy your public key to the CentOS server. This step authenticates with your password, which is the method we disable next, so it must be done before editing sshd_config:

user@Ubuntu:~/$ ssh-copy-id -i ~/.ssh/id_rsa.pub 192.168.1.200
user@192.168.1.200's password: 
Now try logging into the machine, with "ssh '192.168.1.200'", and check in:

After having logged into the server via public key, we modify sshd to disable password-based authentication and remote root login, as well as a few other changes. Keep this session open until a second session has been verified against the new configuration; an editing mistake here would otherwise lock you out of the only open port.

[root@Centos ]# nano /etc/ssh/sshd_config

For the following entry:

#PasswordAuthentication yes

We change this to:

PasswordAuthentication no

For the following entry:

#PermitRootLogin yes

We change this to:

PermitRootLogin no

For the following entry:

#MaxAuthTries 6

We change this to:

MaxAuthTries 4

For the following entry:

GSSAPIAuthentication yes

We change this to the following (this removes the last two authentication options, gssapi-keyex and gssapi-with-mic, so that only publickey authentication remains). CentOS 6 also ships with ChallengeResponseAuthentication no already set; leave it that way, otherwise PAM's keyboard-interactive prompt would still accept passwords even with PasswordAuthentication off:

GSSAPIAuthentication no

Lastly we add the following two entries at the bottom of the configuration file. Note that the order of a server-side list does not decide the outcome: the first entry of the client's list that the server also offers is the one used, so leaving hmac-sha1 in the list means a client that prefers it will get it. Remove it if every client you use supports the SHA-2 MACs, and check what was actually negotiated with ssh -vv:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1,hmac-ripemd160,hmac-sha2-256,hmac-sha2-512

Check the file for syntax errors with sshd -t (it prints nothing when the configuration is valid), then restart sshd so that it takes the new settings:

[root@Centos ]# /etc/init.d/sshd restart

Open a new SSH session to the CentOS server (leaving the existing one connected until this check passes) and tail /var/log/secure to confirm that everything still works. You should see "Accepted publickey" rather than "Accepted password" for the new login:

[root@Centos ]# tail /var/log/secure | grep sshd
Centos sshd[14611]: Accepted password for user from 192.168.1.100 port 34749 ssh2
Centos sshd[14611]: pam_unix(sshd:session): session opened for user user by (uid=0)
Centos sshd[14615]: Received disconnect from 192.168.1.100: 11: disconnected by user
Centos sshd[14611]: pam_unix(sshd:session): session closed for user user
Centos sshd[14630]: Accepted publickey for user from 192.168.1.100 port 34750 ssh2
Centos sshd[14630]: pam_unix(sshd:session): session opened for user user by (uid=0)
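A check for the result, as an added example rather than code from the original article: the script below reads an sshd_config the way sshd does (the first uncommented occurrence of a keyword wins, and an absent or commented-out keyword means the compiled-in default) and flags any of the keywords changed above that still carries its default, then counts which authentication methods sshd has accepted in a log file. The sample configurations and log lines it writes are constructed for the demonstration; on the server, point audit_sshd_config at /etc/ssh/sshd_config and accepted_logins at /var/log/secure.

```shell
#!/bin/bash
# Added example, not code from the original article: audit an sshd_config
# for the settings changed above, and summarise which authentication
# methods sshd has actually accepted. sshd uses its compiled-in default for
# any keyword that is commented out or missing, so a checker that only greps
# active lines would pass an untouched default config. The defaults below are
# OpenSSH 5.3's (the version shipped with CentOS 6).

# effective_setting FILE KEYWORD DEFAULT: sshd honours the first uncommented
# occurrence of a keyword; print that value, or DEFAULT when the keyword
# never appears. Matching is case-insensitive and accepts both
# "Keyword value" and "Keyword=value".
effective_setting() {
    val=$(awk -v k="$2" '
        { sub(/^[ \t]+/, "") }
        /^#/ || NF == 0 { next }
        { split($0, f, "[ \t=]+")
          if (tolower(f[1]) == tolower(k)) { print f[2]; exit } }' "$1")
    printf '%s\n' "${val:-$3}"
}

# keyword, OpenSSH 5.3 default, value wanted after hardening
HARDENED='
PasswordAuthentication yes no
ChallengeResponseAuthentication yes no
PermitRootLogin yes no
GSSAPIAuthentication no no
'

# audit_sshd_config FILE: one line per keyword; return 1 on any FAIL.
audit_sshd_config() {
    file=$1 rc=0
    while read -r key default want; do
        [ -z "$key" ] && continue
        have=$(effective_setting "$file" "$key" "$default")
        if [ "$(printf '%s' "$have" | tr 'A-Z' 'a-z')" = "$want" ]; then
            echo "ok   $key=$have"
        else
            echo "FAIL $key=$have (want $want)"; rc=1
        fi
    done <<EOF
$HARDENED
EOF
    tries=$(effective_setting "$file" MaxAuthTries 6)
    if [ "$tries" -le 4 ] 2>/dev/null; then
        echo "ok   MaxAuthTries=$tries"
    else
        echo "FAIL MaxAuthTries=$tries (want 4 or fewer)"; rc=1
    fi
    return $rc
}

# accepted_logins LOGFILE: count sshd "Accepted <method>" lines, so a
# lingering password login after the restart stands out.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted [a-z-]+ for / {
             for (i = 1; i <= NF; i++) if ($i == "Accepted") { n[$(i+1)]++; break }
         }
         END { printf "password=%d publickey=%d\n", n["password"] + 0, n["publickey"] + 0 }' "$1"
}

# write_sample FILE default|hardened: constructed samples for a stand-alone
# run. "default" mirrors the shape of CentOS 6's shipped file, where most of
# these keywords are present only as comments.
write_sample() {
    case $2 in
    default)  printf '%s\n' 'Protocol 2' '#PermitRootLogin yes' '#MaxAuthTries 6' \
                  '#PasswordAuthentication yes' 'ChallengeResponseAuthentication no' \
                  'GSSAPIAuthentication yes' > "$1" ;;
    hardened) printf '%s\n' 'Protocol 2' 'PermitRootLogin no' 'MaxAuthTries 4' \
                  'PasswordAuthentication no' 'ChallengeResponseAuthentication no' \
                  'GSSAPIAuthentication no' > "$1" ;;
    esac
}

# Stand-alone use: audit the given file, or demonstrate on the samples.
if [ $# -gt 0 ]; then
    audit_sshd_config "$1"
else
    tmp=$(mktemp)
    for mode in default hardened; do
        write_sample "$tmp" "$mode"
        echo "== constructed $mode sshd_config"
        audit_sshd_config "$tmp" || echo "== not hardened"
    done
    rm -f "$tmp"
fi
```

Run it with no argument to see both constructed samples audited, or with /etc/ssh/sshd_config to audit the server; a non-zero exit means at least one keyword still carries its default. Match blocks are not modelled, which is fine for the stock CentOS 6 file but would need extending if you add per-user overrides.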

Installing FreeNX

Install FreeNX in order to enable remote graphical access to the server:

[root@Centos ]# yum install freenx
[root@Centos ]# cd /etc/nxserver
[root@Centos nxserver]# nano -w node.conf

For the following entry:

#ENABLE_PASSDB_AUTHENTICATION="0"

We change this to:

ENABLE_PASSDB_AUTHENTICATION="1"

For the following entry:

#ENABLE_FORCE_ENCRYPTION="0"

We change this to:

ENABLE_FORCE_ENCRYPTION="1"

Add a user and set their NX password (this is the password Remmina will ask for after the SSH tunnel is up). nxserver also appends a key to the user's authorized_keys2, which is how the NX node later opens the session as that user over SSH; the CentOS 6 sshd reads authorized_keys2 by default, so keep it if you ever set AuthorizedKeysFile explicitly:

[root@Centos nxserver]# nxserver --adduser user
NX> 100 NXSERVER - Version 3.2.0-74-SVN OS (GPL, using backend: not detected)
NX> 1000 NXNODE - Version 3.2.0-74-SVN OS (GPL, using backend: not detected)
NX> 716 Public key added to: /home/user/.ssh/authorized_keys2
NX> 1001 Bye.
NX> 999 Bye

[root@Centos nxserver]# nxserver --passwd user

On the server, copy the contents of /etc/nxserver/client.id_dsa.key into a file in your home directory on the client and make it readable by you only (chmod 600). This is the private key with which the NX client logs into the nx system account over SSH, so anyone holding it can open the first stage of an NX session; treat it like any other private key, and if it turns out to be the widely published NoMachine default key rather than one generated for this server, regenerate it with the nxsetup script shipped with FreeNX. You will need to specify this file later on when configuring Remmina.

Install the Remmina NX plugin on your Ubuntu client so that you can connect to NX, but don't proceed to configure Remmina yet (this will be done later):

root@Ubuntu:/# apt-get install remmina-plugin-nx

Install VirtualBox

In CentOS change to the /etc/yum.repos.d/ directory and download the VirtualBox repo file into your yum repository. With this you'll be able to install VirtualBox through yum, and updates for VirtualBox will also be included whenever you run the yum update command. Both the .repo file and the signing key are fetched over plain HTTP below; use https if the download site offers it, and in any case verify the key's fingerprint out of band before trusting it (see below):

[root@Centos ]# cd /etc/yum.repos.d/
[root@Centos ]# wget http://download.virtualbox.org/virtualbox/rpm/rhel/virtualbox.repo

Take a look at the contents of the downloaded repo file to confirm that gpgcheck is enabled (gpgcheck=1) and to verify the location of the gpg key:

[root@Centos ]# cat virtualbox.repo
[virtualbox]
name=Oracle Linux / RHEL / CentOS-$releasever / $basearch - VirtualBox
baseurl=http://download.virtualbox.org/virtualbox/rpm/el/$releasever/$basearch
enabled=1
gpgcheck=1
gpgkey=http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc

Verify the fingerprint of the gpg key to confirm that the key you downloaded is the one VirtualBox publishes. Since both the .repo file and the key arrived over plain HTTP, compare the fingerprint shown below against the one listed on the VirtualBox website (served over HTTPS), not merely against this article. In the command below, the character after the dash before the pipe (-O-) is an uppercase letter "O", not a zero:

[root@Centos yum.repos.d]# wget -q http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc -O- | gpg --quiet --with-fingerprint
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
pub  1024D/98AB5139 2010-05-18 Oracle Corporation (VirtualBox archive signing key) 
      Key fingerprint = 7B0F AB3A 13B9 0743 5925  D9C9 5442 2A4B 98AB 5139
sub  2048g/281DDC4B 2010-05-18

Proceed with installing VirtualBox (note that the "B" in VirtualBox below is uppercase). Yum will offer to import the signing key, but its prompt only shows the short key ID 98AB5139, which on its own is not proof of anything; either import the key whose full fingerprint you verified above with rpm --import oracle_vbox.asc beforehand (yum then finds it already trusted and does not prompt), or answer Y only because you have just checked the full fingerprint:

[root@Centos ]# yum install VirtualBox-4.3
Setting up Install Process
.
<snip>
.
Downloading Packages:
VirtualBox-4.3-4.3.6_91406_el6-1.x86_64.rpm
warning: rpmts_HdrFromFdno: Header V4 DSA/SHA1 Signature, key ID 98ab5139: NOKEY
Retrieving key from http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc
Importing GPG key 0x98AB5139:
 Userid: "Oracle Corporation (VirtualBox archive signing key) <info@virtualbox.org>"
 From  : http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc
Is this ok [y/N]:
.
<snip>
.
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : VirtualBox-4.3-4.3.6_91406_el6-1.x86_64

Creating group 'vboxusers'. VM users must be member of that group!

No precompiled module for this kernel found -- trying to build one. Messages
emitted during module compilation will be logged to /var/log/vbox-install.log.

Stopping VirtualBox kernel modules [  OK  ]
Recompiling VirtualBox kernel modules [FAILED]
  (Look at /var/log/vbox-install.log to find out what went wrong)
  Verifying  : VirtualBox-4.3-4.3.6_91406_el6-1.x86_64

Installed:
  VirtualBox-4.3.x86_64 0:4.3.6_91406_el6-1

Complete!

We can see from the output above that something failed and we are advised to examine /var/log/vbox-install.log to see what went wrong. In our case this log file contains the following:

Makefile:183: *** Error: unable to find the sources of your current Linux kernel. Specify KERN_DIR=<directory> and run Make again. Stop.

We fix this issue by completing the following additional steps. Install the following three packages. kernel-devel must match the running kernel exactly: if a yum update has installed a newer kernel than the one currently booted, plain yum install kernel-devel fetches the newest version and the resulting directory will not match uname -r until you reboot; use yum install kernel-devel-$(uname -r) to pin it to the running kernel:

[root@Centos ]# yum install kernel-headers kernel-devel gcc

Next confirm the version of your current kernel release:

[root@Centos ]# uname -r
2.6.32-431.1.2.0.1.el6.x86_64

Check /usr/src/kernels/ to confirm that a directory for the version of your current kernel release exists (this directory should exist after the installation of the packages above):

[root@Centos ]# ls /usr/src/kernels/
2.6.32-431.1.2.0.1.el6.x86_64

Above we see a match for "2.6.32-431.1.2.0.1.el6.x86_64". Specify and export the KERN_DIR parameter making sure to match the release version with whichever one is current for your system:

[root@Centos ]# KERN_DIR=/usr/src/kernels/2.6.32-431.1.2.0.1.el6.x86_64
[root@Centos ]# export KERN_DIR

Echo KERN_DIR to confirm that you've set it up properly:

[root@Centos ]# echo $KERN_DIR
/usr/src/kernels/2.6.32-431.1.2.0.1.el6.x86_64

Finally re-run vboxdrv setup. This step may take a while to complete. Note that you will need to re-enter the command below every time you install a new kernel version such as through yum updates:

[root@Centos ]# /etc/init.d/vboxdrv setup
Stopping VirtualBox kernel modules                         [  OK  ]
Recompiling VirtualBox kernel modules                      [  OK  ]
Starting VirtualBox kernel modules                         [  OK  ]
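To make this repeatable after the next kernel update, as an added example that is not part of the original article: the script below finds the /usr/src/kernels directory matching uname -r, explains the mismatch when kernel-devel is installed for a different version than the one booted, and only then exports KERN_DIR and runs vboxdrv setup. The optional second argument to find_kern_dir and the --rebuild flag are assumptions made for this example so the lookup can be pointed at any directory tree and run without touching the modules.

```shell
#!/bin/bash
# Added example, not code from the original article: locate the kernel
# source tree that matches the running kernel before rebuilding the
# VirtualBox modules, and explain a mismatch instead of failing inside make.
# The common failure after "yum update" is that kernel-devel was installed
# for a newer kernel than the one currently booted, so a directory exists
# under /usr/src/kernels but does not match "uname -r". The optional
# KERNELS_ROOT argument is an assumption so the lookup can be exercised
# against a constructed tree.

# find_kern_dir RELEASE [KERNELS_ROOT]: print the matching directory, or
# list what is present and what to install, then return 1.
find_kern_dir() {
    release=$1 root=${2:-/usr/src/kernels}
    if [ -d "$root/$release" ]; then
        echo "$root/$release"
        return 0
    fi
    echo "no kernel-devel tree for the running kernel $release under $root" >&2
    echo "present: $(ls "$root" 2>/dev/null | tr '\n' ' ')" >&2
    echo "fix: yum install kernel-devel-$release, or reboot into the newest installed kernel" >&2
    return 1
}

# rebuild_vbox_modules: the article's KERN_DIR export followed by vboxdrv
# setup, to be rerun (as root) after every kernel update.
rebuild_vbox_modules() {
    KERN_DIR=$(find_kern_dir "$(uname -r)") || return 1
    export KERN_DIR
    echo "KERN_DIR=$KERN_DIR"
    /etc/init.d/vboxdrv setup
}

# Stand-alone use: "--rebuild" does the work; with no argument only report
# which directory would be used.
case ${1:-} in
    --rebuild) rebuild_vbox_modules ;;
    *) find_kern_dir "$(uname -r)" ;;
esac
```

Run it without arguments to see which tree it would pick, and with --rebuild as root to rebuild the modules; a missing tree prints the exact kernel-devel package name to install.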

Add your user account to the vboxusers group, where user is your respective username:

[root@Centos ]# usermod -a -G vboxusers user

Finally, in our case we also changed the group ownership of /opt, since that will be the location where we install the guest OS instead of in /home. Ownership alone grants nothing: /opt is mode 755, so members of vboxusers also need group write access on it (chmod 2775 gives that and makes new directories inherit the group); keep it non-world-writable:

[root@Centos ]# chown root:vboxusers /opt

Install VirtualBox Extension

The following steps are required in order to provide graphical remote access to the guest OS. Download the VirtualBox extension pack (as your regular user; it is installed as root in the next step):

[user@Centos ]$ wget http://download.virtualbox.org/virtualbox/4.3.6/Oracle_VM_VirtualBox_Extension_Pack-4.3.6-91406.vbox-extpack

(At the time of writing its sha256 is 983f87e4746a2e6739090d0ce905c24a71e209e87f11c449bdc3d0ca5bb4fde2. VirtualBox publishes a SHA256SUMS file in the same download directory; check the file against it, for example with sha256sum -c, before installing it.)

This next step needs to be performed while logged into the CentOS GUI (i.e. not simply through a remote SSH connection). Open a terminal window and change to the root account. Enter the following command, which will launch VirtualBox as root, as the extension pack needs to be installed through a privileged account (the same can be done from an SSH session with VBoxManage extpack install <file> as root, and VBoxManage extpack list shows what is installed):

[root@Centos ]# /usr/bin/virtualbox

In VirtualBox click on File | Preferences | Extensions, click the Add package button to the right, and select the extension pack that you downloaded (Oracle_VM_VirtualBox_Extension_Pack-4.3.6-91406.vbox-extpack). Close VirtualBox and launch it again as your regular non-root user to confirm its presence.

So now whenever you create a guest OS that you want to be able to access remotely via a GUI, in VirtualBox click on its settings, then Display | Remote Display, and check "Enable Server". If you enable this and boot the guest, running netstat -tln on the CentOS server will show TCP port 3389 listening. We do not need to create a firewall rule for this port as we will tunnel our RDP traffic over SSH. Note that the VRDE server's default authentication method is "Null", meaning no authentication at all, so the firewall and the tunnel are the only things between the LAN and the guest's console; keeping this port closed to the network is not optional.

We have now completed the main steps. What follows are instructions on how to use the system, as well as the optional steps of installing apcupsd and smartd.

Using command-line vboxmanage

You can use the extensive vboxmanage command to remotely manage your guest OS through the command line. Below are a few basic commands.

To list all available virtual machines:

[user@Centos ]$ vboxmanage list vms
"Kali" {5db655bb-9d47-8afa-765c-5eadd4690212}
"Fedora Core" {d44f1be7-6a08-780c-7a4b-8a4f68eec775}

To start the virtual machine called Kali:

[user@Centos ]$ vboxmanage startvm Kali --type headless
Waiting for VM "Kali" to power on...
VM "Kali" has been successfully started.

To send a reset to Kali:

[user@Centos ]$ vboxmanage controlvm Kali reset

To power off Kali:

[user@Centos ]$ vboxmanage controlvm Kali poweroff
0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%

To disconnect the network cable for Kali:

[user@Centos ]$ vboxmanage modifyvm Kali --cableconnected1 off

To see which VMs are currently running:

[user@Centos ]$ vboxmanage list runningvms
"Fedora Core" {d44f1be7-6a08-780c-7a4b-8a4f68eec775}

Remotely accessing CentOS server GUI

To remotely access the CentOS server's GUI, we use Remmina. Create a new entry in Remmina on your client system and select "NX - NX Technology" in the protocol drop-down menu. If you don't see an entry for NX in the protocol drop-down menu, make sure that you have installed the package remmina-plugin-nx. Your Remmina client also needs to be version 0.8.0 or later to support NX.

On the Basic tab we enter the following, where 192.168.1.200 is the IP of the CentOS server:

Server: 192.168.1.200
Identity file: (checkmark this entry and select the file /etc/nxserver/client.id_dsa.key that was copied earlier on from CentOS to your client when you finished installing FreeNX).
User name: <your CentOS user name>
Quality: Medium or higher, depending on your network

Click on the SSH tab and set the following:

Enable SSH tunnel: (checkmark this entry)
User name: <your user name>
Identity file: (select this radio button, and select your private id_rsa key, i.e. /home/user/.ssh/id_rsa)

When you connect to the server you will first be prompted to enter your SSH private key passphrase. Then you will be prompted to enter your FreeNX password. After that you should see your CentOS desktop appear.

Remotely accessing guest OS GUI

We use Remmina to remotely connect to a guest OS via a GUI. First in that VM setting ensure that "Enable Server" is checked, as described above. Then in Remmina create a new entry, select RDP in the protocol drop-down, click on the Basic tab and set the following values. The server IP should be the IP of your CentOS server, and not the IP of your guest OS:

Server: 192.168.1.200
Color depth: High color (15 bpp) or higher, depending on your network

Click on the Advanced tab and set the following:

Quality: Medium or higher, depending on your network
Security: RDP

Click on the SSH tab and set the following:

Enable SSH tunnel: (checkmark this entry)
User name: <your CentOS user name>
Public key (automatic): (select this radio button)

Then save the entry, boot up your guest OS (you can use the command "vboxmanage startvm <VM name> --type headless" through an existing SSH connection) and click on connect in Remmina to remotely access that VM. For connecting to multiple guest OS that are running simultaneously, give each guest its own port, since every running VM's VRDE server needs its own TCP port on the host. So for example for the first guest OS we enter the following in Remmina for the server:

Server: 192.168.1.200

Which defaults the port to 3389. For the second guest OS, in Remmina we specify the next free port in the server field, such as 3388:

Server: 192.168.1.200:3388

And in VirtualBox, under that VM's settings under Display | Remote Display, for the server port specify 3388 instead of the default 3389. A further tightening, available only from the command line (vboxmanage modifyvm <VM name> --vrdeaddress 127.0.0.1), binds the listener to the loopback address so that the console is unreachable from the LAN regardless of the firewall; the Remmina server field then becomes 127.0.0.1:3388 (the address is resolved at the server end of the tunnel) and the SSH tab must name 192.168.1.200 explicitly as the tunnel server instead of reusing the connection's server.
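The per-guest port assignment above, automated as an added example (not code from the original article): each guest gets its own VRDE port and the listener is bound to 127.0.0.1 with vboxmanage modifyvm --vrdeaddress, so the console is reachable only through the SSH tunnel. The VM names, the upward numbering from 3389 and the user and server addresses in the printed tunnel command are assumptions made for this example; the article counts downward instead (3389, then 3388), and either scheme works as long as no two running guests share a port.

```shell
#!/bin/bash
# Added example, not code from the original article: give each headless
# guest its own VRDE (RDP) port and bind the listener to the loopback
# address, so the console is reachable only through the SSH tunnel even if
# the firewall rule is ever loosened. VirtualBox's default VRDE
# authentication type is "null" (no authentication), which is why the
# listener must never be exposed. VM names, the upward numbering from 3389
# and the addresses in the printed tunnel command are assumptions.

VRDE_BIND=127.0.0.1   # assumption: loopback only
VRDE_BASE=3389        # guest 0 -> 3389, guest 1 -> 3390, ...

# vrde_port_for INDEX: port for the INDEX-th guest (0-based), so no two
# running guests compete for 3389.
vrde_port_for() {
    echo $((VRDE_BASE + $1))
}

# configure_vrde VM PORT: enable the remote display on a powered-off VM.
# (modifyvm refuses a running VM; "vboxmanage controlvm VM vrdeport PORT"
# changes the port of one that is already up.)
configure_vrde() {
    vboxmanage modifyvm "$1" --vrde on --vrdeaddress "$VRDE_BIND" --vrdeport "$2"
}

# start_headless VM PORT: configure, start without a console window, and
# print the client-side tunnel. Remmina's "Server" field is then
# 127.0.0.1:PORT (resolved at the server end of the tunnel) and its SSH tab
# must name the server explicitly.
start_headless() {
    configure_vrde "$1" "$2" || return 1
    vboxmanage startvm "$1" --type headless || return 1
    echo "$1: VRDE listening on $VRDE_BIND:$2"
    echo "client tunnel: ssh -L $2:127.0.0.1:$2 user@192.168.1.200"
}

# Stand-alone use: start_headless.sh VM INDEX
if [ $# -eq 2 ]; then
    start_headless "$1" "$(vrde_port_for "$2")"
fi
```

For example start_headless.sh Kali 0 puts Kali on 127.0.0.1:3389 and start_headless.sh "Fedora Core" 1 puts the second guest on 3390; confirm with netstat -tln on the server that each port is bound to 127.0.0.1 rather than 0.0.0.0.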

We are complete for everything related to VirtualBox! The steps below are optional and relate to UPS and health monitoring.

Optional: APC UPS

We configure a standalone APC UPS by going to the apcupsd project site and downloading the latest 64-bit RPM (currently apcupsd-3.14.10-1.el5.x86_64.rpm; we are aware that this is built for el5). Check the package against the checksum or signature the project publishes before installing it (rpm -K reports whether it carries a signature from a key you have imported), and if you have enabled EPEL (see the update note at the top of this article) check first whether it provides a build for el6. We then install the RPM and modify apcupsd.conf:

[root@Centos ]# rpm -Uvh apcupsd-3.14.10-1.el5.x86_64.rpm
[root@Centos ]# cd /etc/apcupsd
[root@Centos ]# nano -w apcupsd.conf

Our server's communication channel with the UPS is via USB cable which simplifies some of the configuration. In apcupsd.conf we modify the entry for UPSNAME where we specify a name for our UPS, and change "NISIP 0.0.0.0" to "NISIP 127.0.0.1" so that this process listens for connections on the loopback address only. You can optionally modify entries such as BATTERYLEVEL, MINUTES, and TIMEOUT to your liking in order to define at which point during a power outage the server should initiate a shut down. Once done configuring, we start the apcupsd daemon, check its status, and configure it to start up automatically:

[root@Centos ]# /etc/init.d/apcupsd start
[root@Centos ]# /etc/init.d/apcupsd status
[root@Centos ]# chkconfig apcupsd on

If you wish to receive email notifications whenever there are UPS issues, in /etc/apcupsd/ you can modify each of the following files and change the entry "SYSADMIN=root" to "SYSADMIN=user" where user is a local user on your CentOS server to send the emails to (below we show how to use postfix). Restart apcupsd after implementing these changes.

changeme
commfailure
commok
offbattery
onbattery

On a side note, our server imposes a load of 15% on our UPS. According to the efficiency curve APC publishes for this model, that load puts the UPS at about 95% efficiency, which goes to show that for non-enterprise use you do not want to oversize your UPS if you are concerned about energy efficiency.

Optional: SMART Disk Monitoring Daemon

We configure smartd for monitoring the server hard drive. First we made sure to enable S.M.A.R.T. in the BIOS. Note that the configuration of smartd is highly dependent upon your hardware and setup. We recommend that you review the man pages for smartd.conf and smartd before enabling smartd.

For our system we modified /etc/smartd.conf and added the entry below, after commenting out the DEVICESCAN line (when DEVICESCAN is present, smartd ignores every line after it). The -H enables checking the health status of the disk; the -W 0,40,45 will log an informational message whenever the hard drive temperature reaches 40 degrees and generate a warning when it reaches 45 degrees (the leading 0 turns off reporting of temperature changes between checks); and finally the -s S/../../1/02 will schedule a short self-test every Monday between 2:00 and 3:00 AM:

/dev/sda -H -W 0,40,45 -s S/../../1/02

Note: If you wish to send email alerts on issues detected, add the following to the end of the line above, where user@centos is a local user on your CentOS server to send the emails to. Appending -M test as well makes smartd send one test message every time it starts, which confirms the mail path works before a real failure needs it:

-m user@centos

We then manually start smartd and set it to start upon bootup:

[root@Centos ]# /etc/init.d/smartd start
[root@Centos ]# chkconfig smartd on

Below are a few helpful commands related to smartd. The first outputs a lot of information regarding your hard drive. The second is to initiate a short health test of your hard drive (a few minutes), and the third a long health test (over an hour). The fourth is to see the results of any self test. The fifth is to view all smartd related messages.

[root@Centos ]# smartctl -x /dev/sda
[root@Centos ]# smartctl -t short /dev/sda
[root@Centos ]# smartctl -t long /dev/sda
[root@Centos ]# smartctl -l selftest /dev/sda
[root@Centos ]# grep smartd /var/log/messages

Optional: Postfix mail

Finally we show how to test the internal postfix mail transfer agent if you've configured the APC UPS and smartd to send emails locally. We are not performing any configuration on postfix (the CentOS default listens on the loopback interface only, which you can confirm with netstat -tln) but rather simply showing how email alerts would work. Use netcat on the server to connect to its TCP port 25 and manually generate an email:

[user@Centos ]$ nc -v localhost 25
Connection to localhost 25 port [tcp/smtp] succeeded!
220 centos.localdomain ESMTP Postfix
MAIL FROM:user@centos
250 2.1.0 Ok
RCPT TO:user@centos
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: This is a test
test body
.
250 2.0.0 Ok: queued as A82C1795DD
QUIT

Upon quitting you should immediately see the following text appear in your session:

You have new mail in /var/spool/mail/user

Now enter mail to start your mail client. Then press numerical value 1 to read our first email, then delete 1 to delete it, then quit to quit:

[user@Centos ]$ mail
Heirloom Mail version 12.4 7/29/08.  Type ? for help.
"/var/spool/mail/user": 1 message 1 new
>N  1 user@centos.localdom  Wed Jan  1 13:48  15/542   "This is a test"

& 1
Message  1:
From user@centos.localdomain  Wed Jan  1 13:48:29 2014
Return-Path: <user@centos.localdomain>
X-Original-To: user@centos.localdomain
Delivered-To: user@centos.localdomain
Subject: This is a test
Date: Wed,  1 Jan 2014 13:48:05 -0500 (EST)
From: user@centos.localdomain
To: undisclosed-recipients:;
Status: R

test body 

& delete 1
& quit