Proxmox: Protect your server with fail2ban
In this post I will show you how you can protect your Proxmox server from brute-force HTTP and SSH login attacks with fail2ban.
Out of the box, Proxmox does not have any brute-force protection, so I decided to configure fail2ban to protect my home server.
On Proxmox, fail2ban is really easy to install:
apt-get install fail2ban
Now we have to create a config file for the filter. For this we create the file /etc/fail2ban/filter.d/proxmox.conf:
nano /etc/fail2ban/filter.d/proxmox.conf
and add the following content:
[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =
Protecting the web interface
Add the following section to the end of the file /etc/fail2ban/jail.local:
[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
logpath = /var/log/daemon.log
maxretry = 3
# 1 hour
bantime = 3600
Protecting SSH
Add the following section to the end of the file /etc/fail2ban/jail.local:
[sshd]
port = ssh
logpath = %(sshd_log)s
enabled = true
You can test your configuration by trying to log in to the GUI with a wrong password or user, and then issuing the command:
fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf
Once done, we need to restart fail2ban and check its log:
systemctl restart fail2ban
tail -f /var/log/fail2ban.log
2023-01-08 17:45:32,928 fail2ban.jail [49691]: INFO Jail 'sshd' started
2023-01-08 17:45:32,928 fail2ban.jail [49691]: INFO Jail 'proxmox' started
Test
If you want to test the configuration, you can do it easily with the following command:
fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf
Running tests
=============
Use failregex filter file : proxmox, basedir: /etc/fail2ban
Use log file : /var/log/daemon.log
Use encoding : UTF-8
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [370] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 370 lines, 0 ignored, 0 matched, 370 missed
[processed in 0.01 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 370 lines
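To see what the proxmox filter is meant to match and when maxretry = 3 is reached, here is an added example (not part of the original post and not fail2ban's own code) that applies the failregex to constructed pvedaemon log lines. The <HOST> expansion is a simplified assumption, and load_filter, failures_by_host and hosts_to_ban are hypothetical helper names.

```python
import configparser
import re
from collections import Counter

# The filter as it belongs in /etc/fail2ban/filter.d/proxmox.conf
FILTER_CONF = r"""
[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =
"""
# Assumption: simplified stand-in for fail2ban's internal <HOST> expansion.
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>\S+)"
MAXRETRY = 3  # maxretry of the [proxmox] jail
# Constructed sample lines (documentation IP ranges), not from a real log.
SAMPLE_LOG = """\
Jan  8 17:40:01 pve pvedaemon[1201]: authentication failure; rhost=192.0.2.10 user=root@pam msg=Authentication failure
Jan  8 17:40:05 pve pvedaemon[1201]: authentication failure; rhost=192.0.2.10 user=root@pam msg=Authentication failure
Jan  8 17:40:09 pve pvedaemon[1201]: authentication failure; rhost=192.0.2.10 user=admin@pve msg=no such user
Jan  8 17:41:00 pve pvedaemon[1201]: authentication failure; rhost=::ffff:198.51.100.7 user=root@pam msg=Authentication failure
Jan  8 17:41:30 pve pvedaemon[1201]: <root@pam> successful auth for user 'root@pam'
""".splitlines()

def load_filter(conf_text):
    """Compile failregex/ignoreregex from the text of a fail2ban filter file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = cp["Definition"]  # section names are case-sensitive
    fail = re.compile(section["failregex"].replace("<HOST>", HOST_GROUP))
    ignore_src = section.get("ignoreregex", "").strip()
    return fail, (re.compile(ignore_src) if ignore_src else None)

def failures_by_host(lines, conf_text=FILTER_CONF):
    """Count failregex hits per source address, skipping ignored lines."""
    fail, ignore = load_filter(conf_text)
    hits = Counter()
    for line in lines:
        if ignore and ignore.search(line):
            continue  # a line matching ignoreregex never counts as a failure
        match = fail.search(line)
        if match:
            hits[match.group("host")] += 1
    return hits

def hosts_to_ban(lines, maxretry=MAXRETRY):
    # Assumption: every line falls inside the jail's findtime window.
    return sorted(h for h, n in failures_by_host(lines).items() if n >= maxretry)

if __name__ == "__main__":
    print(dict(failures_by_host(SAMPLE_LOG)), hosts_to_ban(SAMPLE_LOG))
```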
If you want to see whether your bans are working, take a look at:
fail2ban-client status sshd
# or
fail2ban-client status proxmox