Virtual Box Headless - jasonbeitler/www GitHub Wiki

Virtual Box Headless

This will give you the proper rundown on how to configure VirtualBox on a headless machine with phpVirtualBox. I have seen many posts and they all miss parts and/or don't cover SSL and, worst of all, tell you to disable SELinux / the firewall. That is just laziness. So enjoy.

Rationale

You might be asking, why not use ESX, Xen or KVM? To be honest I am lazy. I use VirtualBox on my laptop and if I want to move a VM from my laptop to the server, I just move it. There is no need to export / import OVA / OVF files. You just move the "machine name" directory over, change the network settings and boot. Done and done.

OS Setup

First you will need a minimal install of CentOS 7 x64. This can be on almost any physical hardware, but you will want to make sure you have enough CPU, RAM and disk space to run VMs.

If you want to run x64 VMs you will need to check that your processor supports hardware virtualization (Intel VT-x or AMD-V).

 egrep '(vmx|svm)' --color=always /proc/cpuinfo

It will return some text and you will see "vmx" or "svm" highlighted.

Let's install some packages.

 sudo yum -y install vim iptables-services bash-completion net-tools SDL kernel-devel kernel-headers dkms httpd mod_ssl php php-gd php-pear php-soap htop unzip policycoreutils-python
 sudo systemctl disable postfix.service firewalld.service

 sudo systemctl enable ip6tables.service iptables.service httpd.service

Setup iptables

 sudo vim /etc/sysconfig/ip6tables 

If you are not using IPv6, remove the line allowing port 22 and add the following lines.

 -A FORWARD -j REJECT --reject-with icmp6-adm-prohibited 
 -A INPUT -j DROP
 COMMIT 

Now let's set up the IPv4 tables

sudo vim /etc/sysconfig/iptables

Add the following lines (replace "trusted ip" with the address you administer from)

-A INPUT -s "trusted ip"/32 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -s "trusted ip"/32 -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -s "trusted ip"/32 -m state --state NEW -m tcp -p tcp --dport 9000:9100 -j ACCEPT
-A INPUT -j DROP
COMMIT

If you don't want to lock this down to trusted IPs, remove the -s "trusted ip"/32 part from each rule.

Now configure sshd to use stronger ciphers and to allow only your normal user to log in.

sudo vim /etc/ssh/sshd_config

Add / edit the following. I would also set up an SSH key for the user to be safe. I will not cover that here as there are many, many posts that cover it in detail.

# Ciphers and keying
#RekeyLimit default none
Ciphers aes256-ctr
MACs hmac-sha2-256
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
AllowUsers "normal user name"

PermitRootLogin no 

If you never plan on using PuTTY you can lock down the ssh algorithms even more. (The wiki renderer has replaced the @openssh.com / @libssh.org suffixed algorithm names below with "[email protected]"; get the exact names your build accepts from ssh -Q cipher, ssh -Q mac, ssh -Q kex and ssh -Q key.)

HostKeyAlgorithms [email protected],[email protected],ssh-ed25519,ssh-rsa,[email protected],[email protected],ecdsa-sha2-nistp521,ecdsa-sha2-nistp384
KexAlgorithms [email protected]
MACs [email protected],[email protected],[email protected]
Ciphers aes256-ctr,[email protected]
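An added check, not part of the original wiki, that audits an sshd_config for the settings above (PermitRootLogin no, AllowUsers set, and pinned Ciphers / MACs / KexAlgorithms with no legacy algorithms). The function names, the weak-algorithm list and the two sample config files are my assumptions; run it against /etc/ssh/sshd_config after editing and before restarting sshd.

```shell
#!/bin/sh
# Added audit (not from the wiki): check an sshd_config for the settings this
# page applies. Usage on the box:  audit_sshd_config /etc/ssh/sshd_config
# Assumption: these legacy algorithm names count as weak (extend as needed).
WEAK_ALGOS='cbc|arcfour|hmac-md5|hmac-sha1|-sha1$|hmac-ripemd'

# Print the effective (last uncommented) value of a directive, or nothing.
sshd_get() {  # file directive
    grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | tail -n 1 | awk '{print $2}'
}

# Return 0 when every check passes; print one FAIL line per finding otherwise.
audit_sshd_config() {
    f=$1; rc=0
    [ "$(sshd_get "$f" PermitRootLogin)" = "no" ] || { echo "FAIL: PermitRootLogin is not 'no'"; rc=1; }
    [ -n "$(sshd_get "$f" AllowUsers)" ] || { echo "FAIL: AllowUsers is not set"; rc=1; }
    for d in Ciphers MACs KexAlgorithms; do
        v=$(sshd_get "$f" "$d")
        if [ -z "$v" ]; then echo "FAIL: $d not pinned (server default applies)"; rc=1
        elif echo "$v" | tr ',' '\n' | grep -qiE "$WEAK_ALGOS"; then echo "FAIL: $d lists a weak algorithm: $v"; rc=1
        fi
    done
    return $rc
}

# Constructed sample files (not real hosts): one hardened per this page, one not.
write_samples() {  # dir
    cat > "$1/hardened" <<'EOF'
Ciphers aes256-ctr
MACs hmac-sha2-256
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
AllowUsers jdoe
PermitRootLogin no
EOF
    cat > "$1/weak" <<'EOF'
#PermitRootLogin no
Ciphers aes256-ctr,aes128-cbc
MACs hmac-sha2-256,hmac-sha1
EOF
}

dir=$(mktemp -d); write_samples "$dir"
for c in hardened weak; do
    if audit_sshd_config "$dir/$c"; then echo "$c: OK"; else echo "$c: needs work"; fi
done
rm -rf "$dir"
```

It also works on the effective configuration: sudo sshd -T > /tmp/eff && audit_sshd_config /tmp/eff.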

Okay, time to update and reboot so the new kernel (and the matching headers the VirtualBox modules build against) are in use.

sudo yum -y update && sudo reboot

Virtual Box Setup

Now that you have rebooted and applied updates we can start setting up VirtualBox. The oracle_vbox.asc key is what authenticates every package you install from this repo, so fetch it over https if you can.

cd /etc/yum.repos.d/
sudo wget http://download.virtualbox.org/virtualbox/rpm/el/virtualbox.repo
sudo wget -q http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc
sudo rpm --import oracle_vbox.asc
sudo yum update && sudo yum -y install VirtualBox-5.2

Add a user just for managing VirtualBox. Note you can use any username you want. Just remember the username / password for later; it goes into phpVirtualBox's config.php in clear text.

sudo adduser vboxuser
sudo passwd vboxuser

Add this user to the vboxusers group (-a keeps the groups it already has)

sudo usermod -aG vboxusers vboxuser

Make sure VirtualBox starts on boot

sudo systemctl enable vboxdrv.service vboxweb-service.service

Install the VirtualBox Extension Pack. First find the newest version on VirtualBox.org.

wget "Url of the latest Extension Pack"
sudo VBoxManage extpack install "Name of the Extension Pack"

When there is an update to VirtualBox you will need to update the extension pack as well.

wget "Url of the latest Extension Pack"
sudo VBoxManage extpack install --replace "Name of the Extension Pack"

From here you can start creating machines from the CLI. Again, I am not going to cover this here as it is well documented. Let's move on to the phpVirtualBox install.

phpVirtualBox Install

Remove the Apache welcome page, it is useless.

sudo rm -f /etc/httpd/conf.d/welcome.conf

Download the latest phpVirtualBox and, while we are at it, the VirtualBox SDK. We will need the SDK because the current version of phpVirtualBox (5.0.5) does not support VirtualBox-5.2 out of the box.

You can get the SDK from VirtualBox.org

wget "phpVirtualBox URL"
wget "Virtual Box SDK"

Okay now unzip and move phpVirtualBox to the proper place.

unzip phpvirtualbox-5.0.5.zip
sudo mv phpvirtualbox-5.0.5 /var/www/html/phpvirtualbox
sudo cp /var/www/html/phpvirtualbox/config.php-example /var/www/html/phpvirtualbox/config.php

Set up the user we created earlier.

sudo vim /var/www/html/phpvirtualbox/config.php

Set these to the VirtualBox user and password you created earlier (the password sits here in clear text, so don't leave the file world-readable)

var $username = 'vboxuser';
var $password = 'passwd';

Set the user that vboxweb-service runs as

sudo vim /etc/default/virtualbox

Add the line

VBOXWEB_USER=vboxuser

Now let's sort out SELinux before it starts throwing a fit. (If something is still denied afterwards, sudo ausearch -m avc -ts recent shows exactly what.)

sudo semanage port -a -t http_port_t -p tcp 18083
sudo semanage fcontext -a -t httpd_sys_script_exec_t '/var/www/html(/.*)?'
sudo restorecon -R -v /var/www/html/

Restart some services to apply settings.

sudo systemctl restart vboxweb-service

Apache Setup

Now on to the fun part. We are going to set up Apache to run over SSL (with stronger ciphers) and default to https://machineip rather than https://machineip/phpvirtualbox, because that is annoying.

For this part you should have a cert signed either by something external or have your own CA set up. I have had an internal CA set up for years on a headless *nix machine. However, I ran across this the other day: CA Setup. This is much more in-depth than what I have set up, but it also includes a revocation list, which is pretty damn cool.

You can use the default SSL cert that is generated when mod_ssl is installed, but that is not a good idea either. At the very least you should generate a self-signed cert.

Anyway, I digress, let's set up Apache.

sudo vim /etc/httpd/conf/httpd.conf

Add the following lines

ServerRoot "/etc/httpd"
ServerSignature Off
ServerTokens Prod

Now edit the SSL side

 sudo vim /etc/httpd/conf.d/ssl.conf

First comment out the stock protocol and cipher lines

SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA

Then add the following lines just under SSLEngine on. One caveat: browsers only honour Strict-Transport-Security for hostnames, so if you only ever reach the box as https://machineip the HSTS header is harmless but does nothing.

SSLEngine on
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !ECDHE-RSA-AES128-GCM-SHA256 !ECDHE-RSA-AES128-SHA256 !DHE-RSA-AES128-GCM-SHA256 !DHE-RSA-AES128-SHA256 !EECDH+aRSA+RC4 !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !SSLv3 !SSLv2 !TLSv1"

Now change the DocumentRoot

DocumentRoot "/var/www/html/phpvirtualbox"

Once you have a legit cert or a self-signed cert, modify SSLCertificateFile and SSLCertificateKeyFile to point at your new cert and key.

Stop PHP from advertising its version in the X-Powered-By header

sudo vim /etc/php.ini

Edit the following

expose_php = Off

Restart Apache

sudo systemctl restart httpd.service

Fixing phpVirtualBox

I mentioned this earlier: phpVirtualBox does not work with 5.2 out of the box, so we get to fix that as well. Here we go.

Unzip the SDK we pulled down earlier

unzip VirtualBoxSDK-5.2.0-118431.zip

Edit the version number in phpVirtualBox

 sudo vim /var/www/html/phpvirtualbox/endpoints/lib/config.php

Change the following

define('PHPVBOX_VER', '5.2-0');

Copy the following files

sudo cp sdk/bindings/webservice/vboxweb.wsdl /var/www/html/phpvirtualbox/endpoints/lib/vboxweb-5.2.wsdl
sudo cp sdk/bindings/webservice/vboxwebService.wsdl /var/www/html/phpvirtualbox/endpoints/lib/vboxwebService-5.2.wsdl

Edit the vboxwebService-5.2.wsdl

sudo vim /var/www/html/phpvirtualbox/endpoints/lib/vboxwebService-5.2.wsdl

Change the following

<import location="vboxweb-5.2.wsdl" namespace="http://www.virtualbox.org/"/>

Restart vboxweb and Apache

sudo systemctl restart vboxweb-service && sudo systemctl restart httpd.service

That was pretty painless. However, this might have to happen again when VBox updates. I am not sure yet, as there has not been an update since 5.2.0. I will update this when there is one.

** Update ** Point releases seem to be fine; you will only have to redo the SDK stuff on major releases (5.3.x, 5.4.x, etc.). One thing I did find: it would not let me update with the VMs paused. You have to shut them down to upgrade.
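A reusable version of the SDK shim steps above, parameterized by VirtualBox MAJOR.MINOR, as an added example that is not code from the wiki or from the phpVirtualBox project. It assumes the SDK zip is already unzipped; the function names and the make_fixture stand-in tree (constructed for a dry run, not real SDK or phpVirtualBox files) are mine.

```shell
#!/bin/sh
# Added example (not the wiki's or phpVirtualBox's own code): redo the SDK
# shim above for any VirtualBox MAJOR.MINOR, e.g. after a major release.
# Usage on the box (SDK already unzipped into ./sdk):
#   sudo sh -c '. ./shim.sh; shim_phpvbox ./sdk 5.2 /var/www/html/phpvirtualbox'
shim_phpvbox() {  # sdk-dir version phpvirtualbox-root
    ws="$1/bindings/webservice"; ver=$2; lib="$3/endpoints/lib"
    [ -f "$ws/vboxweb.wsdl" ] && [ -f "$ws/vboxwebService.wsdl" ] ||
        { echo "SDK WSDL files not found under $ws" >&2; return 1; }
    [ -f "$lib/config.php" ] || { echo "$lib/config.php not found" >&2; return 1; }
    cp "$ws/vboxweb.wsdl" "$lib/vboxweb-$ver.wsdl"
    # The service WSDL must import the renamed, version-suffixed types WSDL.
    sed "s|location=\"vboxweb.wsdl\"|location=\"vboxweb-$ver.wsdl\"|" \
        "$ws/vboxwebService.wsdl" > "$lib/vboxwebService-$ver.wsdl"
    # phpVirtualBox spells the version MAJOR.MINOR-PATCH, e.g. 5.2-0. Rewrite
    # through a temp file and cat back so config.php keeps its owner and mode.
    tmp=$(mktemp)
    sed "s|define('PHPVBOX_VER', *'[^']*')|define('PHPVBOX_VER', '$ver-0')|" \
        "$lib/config.php" > "$tmp" && cat "$tmp" > "$lib/config.php"
    rm -f "$tmp"
}

# Current PHPVBOX_VER value in a config.php (to confirm the rewrite took).
phpvbox_ver() {
    sed -n "s|.*define('PHPVBOX_VER', *'\([^']*\)').*|\1|p" "$1"
}

# Constructed stand-in tree (not real SDK or phpVirtualBox files) for a dry run.
make_fixture() {  # dir
    mkdir -p "$1/sdk/bindings/webservice" "$1/web/endpoints/lib"
    echo '<definitions name="vboxweb"/>' > "$1/sdk/bindings/webservice/vboxweb.wsdl"
    echo '<import location="vboxweb.wsdl" namespace="http://www.virtualbox.org/"/>' \
        > "$1/sdk/bindings/webservice/vboxwebService.wsdl"
    echo "<?php define('PHPVBOX_VER', '5.0-5');" > "$1/web/endpoints/lib/config.php"
}

d=$(mktemp -d); make_fixture "$d"
shim_phpvbox "$d/sdk" 5.2 "$d/web" &&
    echo "PHPVBOX_VER is now $(phpvbox_ver "$d/web/endpoints/lib/config.php")"
rm -rf "$d"
```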

Console Access to VMs

So phpVirtualBox wants to use Flash for console access. I don't know about you, but I don't keep Flash installed on my machine. There is a pretty easy trick to get around this.

Browse to https://MachineIP/ and log in with the default credentials admin / admin. CHANGE THIS ASAP.

Now when you create a VM or have a running VM you will see the "Display" section. You can enable console access from the VM's settings there. Remember those ports 9000:9100 we added to iptables earlier? We are about to use them.

Things to keep in mind here: if you have more than one console enabled at a time you will need to use the appropriate port (9000, 9001, etc.). This port is also unauthenticated, so I would not leave it on all the time; disable it when you are not using it!

On macOS just install FreeRDP with Homebrew

 brew install freerdp

Then to connect

 xfreerdp machineip:9000 (or whatever port)

You can also use the MS RDP App (from the App Store) if you have it installed.

On Windows you can use RDP

machineip:9000 (or whatever port)

On Linux you can use any RDP tool. I don't use Linux with a GUI too often, so I am not sure which one is the best. The connection looks just like Windows and macOS

machineip:9000 (or whatever port)

That is about it. Enjoy using VirtualBox on a headless machine.