Fail2ban: Difference between revisions

From Proxmox VE
Jump to navigation Jump to search
No edit summary
(add journalmatch option (as recommended by fail2ban), adapt links, fix 2 minor typos)
 
(6 intermediate revisions by 3 users not shown)
Line 1: Line 1:
== Protecting the web interface with fail2ban ==
Here we describe in short how you can set up <code>fail2ban</code> for the Proxmox VE API to block IP addresses (temporarily) if there were too many wrong login tries submitted through them.


<pre>apt-get install fail2ban</pre>
== Install fail2ban ==


Create, if does not exist, the file jail.local
Execute the following commands as root in a shell on the Proxmox VE host, for example connected through SSH or via the web console in the Proxmox VE web interface.
(settings in this file takes precedence over identical settings of jail.conf. Use jail.conf as a template, copying and enabling into jail.local what you are interested in.
Note that jail.conf could be overwritten by fail2ban package updates, jail.local will not)


The following configuration works, unchanged, for Proxmox 3.x and 4.x (last test with 4.3)
apt update
apt install fail2ban


Add the following string to the end of this file /etc/fail2ban/jail.local :
== Setup Base Config ==
 
We recommend you to use the <code>/etc/fail2ban/jail.local</code> file, as settings in this file takes precedence over identical settings of <code>jail.conf</code>.
 
Use <code>jail.conf</code> as a template:
 
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
 
And change or delete things to your liking in the copied over <code>jail.local</code>.
 
The main reason for using this separate file is that the original <code>jail.conf</code> could be overwritten by fail2ban package updates, while the copied <code>jail.local</code> will not, so you can better manage updates that way.
 
== Setup Jail Using systemd Backend ==
 
For Proxmox VE systems since 4.0 systemd-journald is enabled by default and since the Proxmox VE 7.0 release, the log is also persisting reboots – meaning that attacks can by defaults also found if the started before a reboot.
For older systems [[Category:Upgrade|please upgrade]] (as those releases are end-of-life) or see the legacy rsyslog option below.
 
=== Base Config ===
Add the following to the end of the copied over file <code>/etc/fail2ban/jail.local</code>:


<pre>
<pre>
Line 16: Line 33:
port = https,http,8006
port = https,http,8006
filter = proxmox
filter = proxmox
logpath = /var/log/daemon.log
backend = systemd
maxretry = 3
maxretry = 3
# 1 hour
findtime = 2d
bantime = 3600
bantime = 1h
</pre>
</pre>


Create the file /etc/fail2ban/filter.d/proxmox.conf :
Tip: Time properties like <code>bantime</code> and <code>findtime</code> also allows one to use combinations like <code>2m 30s</code>, you can test if it's valid and what the actually resulting ban seconds are using the <code>fail2ban-client --str2sec '1d 12h'</code> command.
See the <code>jail.conf</code> manual page<ref><code>jail.conf</code> manual page https://manpages.debian.org/stable/fail2ban/jail.conf.5.en.html</ref> for description of all options.
 
=== Filter Config ===
Create the file <code>/etc/fail2ban/filter.d/proxmox.conf</code> with the following content:


<pre>
<pre>
Line 28: Line 49:
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =
ignoreregex =
journalmatch = _SYSTEMD_UNIT=pvedaemon.service
</pre>
</pre>


You can test your configuration trying to GUI login with a wrong password or user, and then issue the command :
=== Restart Service to Enable Config ===
Use:
systemctl restart fail2ban
to activate the config addition and arm fail2ban for the Proxmox VE API.
 
== Test fail2ban Config ==
You can test your configuration by trying to log in through the web interface with a wrong password or a wrong user, and then issue the command:


<pre>
<pre>
fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf
fail2ban-regex systemd-journal /etc/fail2ban/filter.d/proxmox.conf
</pre>
</pre>


You should have *at least* a "Failregex: 1 total" at the top of the "Results" section (and "1 matched" at the bottom)
You should have *at least* a "Failregex: 1 total" at the top of the "Results" section (and "1 matched" at the bottom)


Restart fail2ban:
Note, if you tried too often and got yourself banned (your IP is reported by <code>fail2ban-client get proxmox banned</code>) you can use <code>fail2ban-client unban IP</code> (replace IP with yours) to manually unblock yourself.
 
== Legacy Option: Using rsyslog Backend ==
The following configuration uses the <code>rsyslog</code> backend and works as is by default for Proxmox VE 3 up to Proxmox VE 7.
 
Note, if you installed from Proxmox VE 8 or newer the <code>rsyslog</code> package won't be installed by default, so you either need to install the rsyslog package or use the recommended systemd variant above.
 
Add the following string to the end of this file <code>/etc/fail2ban/jail.local</code>:


<pre>
<pre>
systemctl restart fail2ban
[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
logpath = /var/log/daemon.log
maxretry = 3
bantime = 1h
</pre>
</pre>
Then continue to follow above guide by create the filter file <code>/etc/fail2ban/filter.d/proxmox.conf</code> like described above in [[#Filter Config]] and restart fail2ban.


== Links ==
== Links ==
* [http://www.fail2ban.org/wiki/index.php/Main_Page  Fail2Ban ]
* [http://www.fail2ban.org/wiki/index.php/Main_Page  Fail2Ban ]
* [http://extremeshok.com/blog/?page_id=810 Proxmox VE 2.1 - Harden Network]
* [http://forum.proxmox.com/threads/3583-How-To-implement-Fail2Ban-on-Host Forum Post]
* [http://forum.proxmox.com/threads/16156-Fail2ban-for-Proxmox-3-1 Forum Post for 3.1]
* [http://forum.proxmox.com/threads/16156-Fail2ban-for-Proxmox-3-1 Forum Post for 3.1]


[[Category: HOWTO]]
[[Category: HOWTO]]

Latest revision as of 16:28, 27 May 2024

Here we describe in short how you can set up fail2ban for the Proxmox VE API to block IP addresses (temporarily) if there were too many wrong login tries submitted through them.

Install fail2ban

Execute the following commands as root in a shell on the Proxmox VE host, for example connected through SSH or via the web console in the Proxmox VE web interface.

apt update
apt install fail2ban

Setup Base Config

We recommend you to use the /etc/fail2ban/jail.local file, as settings in this file takes precedence over identical settings of jail.conf.

Use jail.conf as a template:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

And change or delete things to your liking in the copied over jail.local.

The main reason for using this separate file is that the original jail.conf could be overwritten by fail2ban package updates, while the copied jail.local will not, so you can better manage updates that way.

Setup Jail Using systemd Backend

For Proxmox VE systems since 4.0 systemd-journald is enabled by default and since the Proxmox VE 7.0 release, the log is also persisting reboots – meaning that attacks can by defaults also found if the started before a reboot. For older systems (as those releases are end-of-life) or see the legacy rsyslog option below.

Base Config

Add the following to the end of the copied over file /etc/fail2ban/jail.local:

[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
backend = systemd
maxretry = 3
findtime = 2d
bantime = 1h

Tip: Time properties like bantime and findtime also allows one to use combinations like 2m 30s, you can test if it's valid and what the actually resulting ban seconds are using the fail2ban-client --str2sec '1d 12h' command. See the jail.conf manual page[1] for description of all options.

Filter Config

Create the file /etc/fail2ban/filter.d/proxmox.conf with the following content:

[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =
journalmatch = _SYSTEMD_UNIT=pvedaemon.service

Restart Service to Enable Config

Use:

systemctl restart fail2ban

to activate the config addition and arm fail2ban for the Proxmox VE API.

Test fail2ban Config

You can test your configuration by trying to log in through the web interface with a wrong password or a wrong user, and then issue the command:

fail2ban-regex systemd-journal /etc/fail2ban/filter.d/proxmox.conf

You should have *at least* a "Failregex: 1 total" at the top of the "Results" section (and "1 matched" at the bottom)

Note, if you tried too often and got yourself banned (your IP is reported by fail2ban-client get proxmox banned) you can use fail2ban-client unban IP (replace IP with yours) to manually unblock yourself.

Legacy Option: Using rsyslog Backend

The following configuration uses the rsyslog backend and works as is by default for Proxmox VE 3 up to Proxmox VE 7.

Note, if you installed from Proxmox VE 8 or newer the rsyslog package won't be installed by default, so you either need to install the rsyslog package or use the recommended systemd variant above.

Add the following string to the end of this file /etc/fail2ban/jail.local:

[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
logpath = /var/log/daemon.log
maxretry = 3
bantime = 1h

Then continue to follow above guide by create the filter file /etc/fail2ban/filter.d/proxmox.conf like described above in #Filter Config and restart fail2ban.

Links