Fail2ban: Difference between revisions

From Proxmox VE
Jump to navigation Jump to search
No edit summary
(add journalmatch option (as recommended by fail2ban), adapt links, fix 2 minor typos)
 
(14 intermediate revisions by 8 users not shown)
Line 1: Line 1:
Note: article taken straight from [http://forum.proxmox.com/threads/16156-Fail2ban-for-Proxmox-3-1 this forum post]
Here we describe in short how you can set up <code>fail2ban</code> for the Proxmox VE API to block IP addresses (temporarily) if there were too many wrong login tries submitted through them.


==Protecting the web interface with fail2ban==
== Install fail2ban ==


<pre>aptitude install fail2ban</pre>
Execute the following commands as root in a shell on the Proxmox VE host, for example connected through SSH or via the web console in the Proxmox VE web interface.


Copy the file /etc/fail2ban/jail.conf to a new file jail.local
apt update
apt install fail2ban


<pre>cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local</pre>
== Setup Base Config ==


Add the following string to the end of this file /etc/fail2ban/jail.local :
We recommend you to use the <code>/etc/fail2ban/jail.local</code> file, as settings in this file takes precedence over identical settings of <code>jail.conf</code>.
 
Use <code>jail.conf</code> as a template:
 
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
 
And change or delete things to your liking in the copied over <code>jail.local</code>.
 
The main reason for using this separate file is that the original <code>jail.conf</code> could be overwritten by fail2ban package updates, while the copied <code>jail.local</code> will not, so you can better manage updates that way.
 
== Setup Jail Using systemd Backend ==
 
For Proxmox VE systems since 4.0 systemd-journald is enabled by default and since the Proxmox VE 7.0 release, the log is also persisting reboots – meaning that attacks can by defaults also found if the started before a reboot.
For older systems [[Category:Upgrade|please upgrade]] (as those releases are end-of-life) or see the legacy rsyslog option below.
 
=== Base Config ===
Add the following to the end of the copied over file <code>/etc/fail2ban/jail.local</code>:


<pre>
<pre>
[proxmox3]
[proxmox]
enabled = true
enabled = true
port = https,http,8006
port = https,http,8006
filter = proxmox3
filter = proxmox
logpath = /var/log/daemon.log
backend = systemd
maxretry = 3
maxretry = 3
bantime = 3600 # 1 hour
findtime = 2d
bantime = 1h
</pre>
</pre>


Create the file /etc/fail2ban/filter.d/proxmox3.conf :
Tip: Time properties like <code>bantime</code> and <code>findtime</code> also allows one to use combinations like <code>2m 30s</code>, you can test if it's valid and what the actually resulting ban seconds are using the <code>fail2ban-client --str2sec '1d 12h'</code> command.
See the <code>jail.conf</code> manual page<ref><code>jail.conf</code> manual page https://manpages.debian.org/stable/fail2ban/jail.conf.5.en.html</ref> for description of all options.
 
=== Filter Config ===
Create the file <code>/etc/fail2ban/filter.d/proxmox.conf</code> with the following content:


<pre>
<pre>
Line 27: Line 49:
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =
ignoreregex =
journalmatch = _SYSTEMD_UNIT=pvedaemon.service
</pre>
</pre>


You can test your configuration with the command :
=== Restart Service to Enable Config ===
Use:
systemctl restart fail2ban
to activate the config addition and arm fail2ban for the Proxmox VE API.
 
== Test fail2ban Config ==
You can test your configuration by trying to log in through the web interface with a wrong password or a wrong user, and then issue the command:


<pre>
<pre>
fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox3.conf
fail2ban-regex systemd-journal /etc/fail2ban/filter.d/proxmox.conf
</pre>
</pre>


Restart fail2ban:
You should have *at least* a "Failregex: 1 total" at the top of the "Results" section (and "1 matched" at the bottom)
 
Note, if you tried too often and got yourself banned (your IP is reported by <code>fail2ban-client get proxmox banned</code>) you can use <code>fail2ban-client unban IP</code> (replace IP with yours) to manually unblock yourself.
 
== Legacy Option: Using rsyslog Backend ==
The following configuration uses the <code>rsyslog</code> backend and works as is by default for Proxmox VE 3 up to Proxmox VE 7.
 
Note, if you installed from Proxmox VE 8 or newer the <code>rsyslog</code> package won't be installed by default, so you either need to install the rsyslog package or use the recommended systemd variant above.
 
Add the following string to the end of this file <code>/etc/fail2ban/jail.local</code>:


<pre>
<pre>
/etc/init.d/fail2ban restart
[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
logpath = /var/log/daemon.log
maxretry = 3
bantime = 1h
</pre>
</pre>


=Links=
Then continue to follow above guide by create the filter file <code>/etc/fail2ban/filter.d/proxmox.conf</code> like described above in [[#Filter Config]] and restart fail2ban.
* [http://extremeshok.com/blog/?page_id=810 Proxmox VE 2.1 - Harden Network]
 
* [http://forum.proxmox.com/threads/3583-How-To-implement-Fail2Ban-on-Host Forum Post]
== Links ==
* [http://www.fail2ban.org/wiki/index.php/Main_Page  Fail2Ban ]
* [http://forum.proxmox.com/threads/16156-Fail2ban-for-Proxmox-3-1 Forum Post for 3.1]
* [http://forum.proxmox.com/threads/16156-Fail2ban-for-Proxmox-3-1 Forum Post for 3.1]


[[Category: HOWTO]]
[[Category: HOWTO]]

Latest revision as of 16:28, 27 May 2024

Here we describe in short how you can set up fail2ban for the Proxmox VE API to block IP addresses (temporarily) if there were too many wrong login tries submitted through them.

Install fail2ban

Execute the following commands as root in a shell on the Proxmox VE host, for example connected through SSH or via the web console in the Proxmox VE web interface.

apt update
apt install fail2ban

Setup Base Config

We recommend you to use the /etc/fail2ban/jail.local file, as settings in this file takes precedence over identical settings of jail.conf.

Use jail.conf as a template:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

And change or delete things to your liking in the copied over jail.local.

The main reason for using this separate file is that the original jail.conf could be overwritten by fail2ban package updates, while the copied jail.local will not, so you can better manage updates that way.

Setup Jail Using systemd Backend

For Proxmox VE systems since 4.0 systemd-journald is enabled by default and since the Proxmox VE 7.0 release, the log is also persisting reboots – meaning that attacks can by defaults also found if the started before a reboot. For older systems (as those releases are end-of-life) or see the legacy rsyslog option below.

Base Config

Add the following to the end of the copied over file /etc/fail2ban/jail.local:

[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
backend = systemd
maxretry = 3
findtime = 2d
bantime = 1h

Tip: Time properties like bantime and findtime also allows one to use combinations like 2m 30s, you can test if it's valid and what the actually resulting ban seconds are using the fail2ban-client --str2sec '1d 12h' command. See the jail.conf manual page[1] for description of all options.

Filter Config

Create the file /etc/fail2ban/filter.d/proxmox.conf with the following content:

[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =
journalmatch = _SYSTEMD_UNIT=pvedaemon.service

Restart Service to Enable Config

Use:

systemctl restart fail2ban

to activate the config addition and arm fail2ban for the Proxmox VE API.

Test fail2ban Config

You can test your configuration by trying to log in through the web interface with a wrong password or a wrong user, and then issue the command:

fail2ban-regex systemd-journal /etc/fail2ban/filter.d/proxmox.conf

You should have *at least* a "Failregex: 1 total" at the top of the "Results" section (and "1 matched" at the bottom)

Note, if you tried too often and got yourself banned (your IP is reported by fail2ban-client get proxmox banned) you can use fail2ban-client unban IP (replace IP with yours) to manually unblock yourself.

Legacy Option: Using rsyslog Backend

The following configuration uses the rsyslog backend and works as is by default for Proxmox VE 3 up to Proxmox VE 7.

Note, if you installed from Proxmox VE 8 or newer the rsyslog package won't be installed by default, so you either need to install the rsyslog package or use the recommended systemd variant above.

Add the following string to the end of this file /etc/fail2ban/jail.local:

[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
logpath = /var/log/daemon.log
maxretry = 3
bantime = 1h

Then continue to follow above guide by create the filter file /etc/fail2ban/filter.d/proxmox.conf like described above in #Filter Config and restart fail2ban.

Links