Blog | G5 Cyber Security

Secure Bitcoin Wallet VM with Vagrant & SSH 2FA

TL;DR

This guide shows you how to create a secure Virtual Machine (VM) using Vagrant, and then connect to it safely using SSH with Two-Factor Authentication (2FA). This is ideal for running your bitcoin wallet in an isolated environment.

Prerequisites

Step 1: Create a Vagrantfile

A Vagrantfile describes your VM. Let’s create one.

  1. Open a terminal/command prompt and navigate to the directory where you want to store your VM files.
  2. Run:
    vagrant init ubuntu/focal64

    This creates a basic Vagrantfile using Ubuntu 20.04 as the base image. You can choose other images if preferred (e.g., debian/bullseye64).

  3. Edit the Vagrantfile with a text editor. Add port forwarding and synced folders as needed. For example:
    
    Vagrant.configure("2") do |config|
      # Port forwarding (e.g., for a web server)
      config.vm.network "forwarded_port", guest: 80, host: 8080
    
      # Synced folder (share files between your computer and the VM)
      config.vm.synced_folder "./shared", "/home/vagrant/shared"
    end

Step 2: Start the VM

Now, start the VM.

  1. In your terminal, navigate to the directory containing the Vagrantfile.
  2. Run:
    vagrant up

    This will download the Ubuntu image (if it’s the first time) and create/start the VM.

Step 3: Connect to the VM via SSH

Once the VM is running, connect using SSH.

  1. Run:
    vagrant ssh

    This automatically connects you to the VM as the ‘vagrant’ user.

Step 4: Install and Configure OpenSSH

Ensure OpenSSH is installed and running on your VM.

  1. Inside the VM (after connecting with vagrant ssh), run:
    sudo apt update && sudo apt install openssh-server -y

  2. Check SSH status:
    sudo systemctl status ssh

    It should be ‘active (running)’.

Step 5: Configure SSH for 2FA

This is the most important step for security. We’ll use Google Authenticator.

  1. Install the Google Authenticator PAM module:
    sudo apt install libpam-google-authenticator -y

  2. Run:
    google-authenticator

    This will ask you several questions. Answer them carefully, and save the secret key (QR code or text). You’ll need this to set up Google Authenticator on your phone.

  3. Edit the PAM configuration file for sshd:
    sudo nano /etc/pam.d/sshd

    Add this line at the top of the file:

    auth required pam_google_authenticator.so nullok
  4. Edit /etc/ssh/sshd_config:
    sudo nano /etc/ssh/sshd_config

    Change these lines (remove the ‘#’ to uncomment):

    • ChallengeResponseAuthentication yes
    • UsePAM yes
  5. Restart the SSH service:
    sudo systemctl restart sshd

Step 6: Connect with SSH and 2FA

Now, test the connection.

  1. Disconnect from the VM (type exit).
  2. Connect using SSH again:
    vagrant ssh

    You will now be prompted for a verification code from your Google Authenticator app. Enter it after your password.

Step 7: Secure the ‘vagrant’ user (Important!)

The default ‘vagrant’ user is insecure. Change its password and consider disabling password login.

  1. Change the vagrant user’s password:
    sudo passwd vagrant

  2. Edit /etc/ssh/sshd_config again. Set PasswordAuthentication no and PermitRootLogin no.
  3. Restart the SSH service:
    sudo systemctl restart sshd

    You will now need to use SSH keys for login (in addition to the 2FA).
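
The script below is an added example, not part of the original guide: it reads an sshd_config and a PAM sshd file and reports where they differ from the settings in Steps 5 and 7. The AuthenticationMethods check goes beyond the guide's steps (sshd asks for a code on a key-based login only when keyboard-interactive is also required), and the function names and sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original guide: audit the Step 5 and Step 7 settings.
# Limitation: reads the given files only; Include and Match blocks are not followed.

# sshd keywords are case-insensitive and the first occurrence wins.
sshd_value() {  # $1 = sshd_config path, $2 = keyword; prints the lowercased value
    awk -v k="$2" 'tolower($1) == tolower(k) {
        $1 = ""; sub(/^[ \t]+/, ""); print tolower($0); exit }' "$1"
}

audit_2fa() {  # $1 = sshd_config path, $2 = PAM sshd file; prints one FINDING per issue
    cfg=$1; pam=$2
    kbd=$(sshd_value "$cfg" KbdInteractiveAuthentication)  # newer name of the option
    [ -n "$kbd" ] || kbd=$(sshd_value "$cfg" ChallengeResponseAuthentication)
    [ "$kbd" = yes ] || echo "FINDING: keyboard-interactive authentication is not set to yes"
    [ "$(sshd_value "$cfg" UsePAM)" = yes ] || echo "FINDING: UsePAM is not set to yes"
    [ "$(sshd_value "$cfg" PasswordAuthentication)" = no ] ||
        echo "FINDING: PasswordAuthentication is not set to no"
    [ "$(sshd_value "$cfg" PermitRootLogin)" = no ] ||
        echo "FINDING: PermitRootLogin is not set to no"
    # Beyond the guide's steps: a public-key login skips the PAM auth stack, so the code
    # is only enforced when every AuthenticationMethods list names keyboard-interactive.
    methods=$(sshd_value "$cfg" AuthenticationMethods)
    enforced=${methods:+yes}
    for list in $methods; do
        case "$list" in *keyboard-interactive*) ;; *) enforced= ;; esac
    done
    [ -n "$enforced" ] ||
        echo "FINDING: AuthenticationMethods does not require keyboard-interactive on every path"
    totp=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$pam" || true)
    case "$totp" in
        "") echo "FINDING: pam_google_authenticator.so is missing from the PAM auth stack" ;;
        *nullok*) echo "FINDING: nullok admits users who have no authenticator secret yet" ;;
    esac
    return 0
}

# Constructed sample: both files as they look after Steps 5 and 7 as written.
demo=$(mktemp -d)
printf '%s\n' '#PermitRootLogin prohibit-password' 'ChallengeResponseAuthentication yes' \
    'UsePAM yes' 'PasswordAuthentication no' 'PermitRootLogin no' > "$demo/sshd_config"
printf '%s\n' 'auth required pam_google_authenticator.so nullok' '@include common-auth' \
    > "$demo/pam_sshd"
audit_2fa "$demo/sshd_config" "$demo/pam_sshd"
rm -rf "$demo"
```

On the VM, pass /etc/ssh/sshd_config and /etc/pam.d/sshd as the two arguments to audit_2fa. Running sudo sshd -T prints the effective configuration, including defaults and included files, if you want to compare against it.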

Step 8: Install Bitcoin Wallet Software

Install your preferred bitcoin wallet software inside the VM. Follow the official installation instructions for that software.
