Fail2ban: Difference between revisions
No edit summary |
(add journalmatch option (as recommended by fail2ban), adapt links, fix 2 minor typos) |
||
(8 intermediate revisions by 5 users not shown) | |||
Line 1: | Line 1: | ||
Here we describe in short how you can set up <code>fail2ban</code> for the Proxmox VE API to block IP addresses (temporarily) if there were too many wrong login tries submitted through them. | |||
== Install fail2ban == | |||
Execute the following commands as root in a shell on the Proxmox VE host, for example connected through SSH or via the web console in the Proxmox VE web interface. | |||
apt update | |||
apt install fail2ban | |||
Add the following | == Setup Base Config == | ||
We recommend you to use the <code>/etc/fail2ban/jail.local</code> file, as settings in this file takes precedence over identical settings of <code>jail.conf</code>. | |||
Use <code>jail.conf</code> as a template: | |||
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local | |||
And change or delete things to your liking in the copied over <code>jail.local</code>. | |||
The main reason for using this separate file is that the original <code>jail.conf</code> could be overwritten by fail2ban package updates, while the copied <code>jail.local</code> will not, so you can better manage updates that way. | |||
== Setup Jail Using systemd Backend == | |||
For Proxmox VE systems since 4.0 systemd-journald is enabled by default and since the Proxmox VE 7.0 release, the log is also persisting reboots – meaning that attacks can by defaults also found if the started before a reboot. | |||
For older systems [[Category:Upgrade|please upgrade]] (as those releases are end-of-life) or see the legacy rsyslog option below. | |||
=== Base Config === | |||
Add the following to the end of the copied over file <code>/etc/fail2ban/jail.local</code>: | |||
<pre> | <pre> | ||
Line 16: | Line 33: | ||
port = https,http,8006 | port = https,http,8006 | ||
filter = proxmox | filter = proxmox | ||
backend = systemd | |||
maxretry = 3 | maxretry = 3 | ||
findtime = 2d | |||
bantime = | bantime = 1h | ||
</pre> | </pre> | ||
Create the file /etc/fail2ban/filter.d/proxmox.conf : | Tip: Time properties like <code>bantime</code> and <code>findtime</code> also allows one to use combinations like <code>2m 30s</code>, you can test if it's valid and what the actually resulting ban seconds are using the <code>fail2ban-client --str2sec '1d 12h'</code> command. | ||
See the <code>jail.conf</code> manual page<ref><code>jail.conf</code> manual page https://manpages.debian.org/stable/fail2ban/jail.conf.5.en.html</ref> for description of all options. | |||
=== Filter Config === | |||
Create the file <code>/etc/fail2ban/filter.d/proxmox.conf</code> with the following content: | |||
<pre> | <pre> | ||
Line 28: | Line 49: | ||
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.* | failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.* | ||
ignoreregex = | ignoreregex = | ||
journalmatch = _SYSTEMD_UNIT=pvedaemon.service | |||
</pre> | </pre> | ||
You can test your configuration trying to | === Restart Service to Enable Config === | ||
Use: | |||
systemctl restart fail2ban | |||
to activate the config addition and arm fail2ban for the Proxmox VE API. | |||
== Test fail2ban Config == | |||
You can test your configuration by trying to log in through the web interface with a wrong password or a wrong user, and then issue the command: | |||
<pre> | <pre> | ||
fail2ban-regex | fail2ban-regex systemd-journal /etc/fail2ban/filter.d/proxmox.conf | ||
</pre> | </pre> | ||
You should have *at least* a "Failregex: 1 total" at the top of the "Results" section (and "1 matched" at the bottom) | You should have *at least* a "Failregex: 1 total" at the top of the "Results" section (and "1 matched" at the bottom) | ||
Note, if you tried too often and got yourself banned (your IP is reported by <code>fail2ban-client get proxmox banned</code>) you can use <code>fail2ban-client unban IP</code> (replace IP with yours) to manually unblock yourself. | |||
== Legacy Option: Using rsyslog Backend == | |||
The following configuration uses the <code>rsyslog</code> backend and works as is by default for Proxmox VE 3 up to Proxmox VE 7. | |||
Note, if you installed from Proxmox VE 8 or newer the <code>rsyslog</code> package won't be installed by default, so you either need to install the rsyslog package or use the recommended systemd variant above. | |||
Add the following string to the end of this file <code>/etc/fail2ban/jail.local</code>: | |||
<pre> | <pre> | ||
[proxmox] | |||
enabled = true | |||
port = https,http,8006 | |||
filter = proxmox | |||
logpath = /var/log/daemon.log | |||
maxretry = 3 | |||
bantime = 1h | |||
</pre> | </pre> | ||
Then continue to follow above guide by create the filter file <code>/etc/fail2ban/filter.d/proxmox.conf</code> like described above in [[#Filter Config]] and restart fail2ban. | |||
== Links == | == Links == | ||
* [http://www.fail2ban.org/wiki/index.php/Main_Page | * [http://www.fail2ban.org/wiki/index.php/Main_Page Fail2Ban ] | ||
* [http://forum.proxmox.com/threads/16156-Fail2ban-for-Proxmox-3-1 Forum Post for 3.1] | * [http://forum.proxmox.com/threads/16156-Fail2ban-for-Proxmox-3-1 Forum Post for 3.1] | ||
[[Category: HOWTO | [[Category: HOWTO]] |
Latest revision as of 16:28, 27 May 2024
Here we describe in short how you can set up fail2ban
for the Proxmox VE API to block IP addresses (temporarily) if there were too many wrong login tries submitted through them.
Install fail2ban
Execute the following commands as root in a shell on the Proxmox VE host, for example connected through SSH or via the web console in the Proxmox VE web interface.
apt update apt install fail2ban
Setup Base Config
We recommend you to use the /etc/fail2ban/jail.local
file, as settings in this file takes precedence over identical settings of jail.conf
.
Use jail.conf
as a template:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
And change or delete things to your liking in the copied over jail.local
.
The main reason for using this separate file is that the original jail.conf
could be overwritten by fail2ban package updates, while the copied jail.local
will not, so you can better manage updates that way.
Setup Jail Using systemd Backend
For Proxmox VE systems since 4.0 systemd-journald is enabled by default and since the Proxmox VE 7.0 release, the log is also persisting reboots – meaning that attacks can by defaults also found if the started before a reboot. For older systems (as those releases are end-of-life) or see the legacy rsyslog option below.
Base Config
Add the following to the end of the copied over file /etc/fail2ban/jail.local
:
[proxmox] enabled = true port = https,http,8006 filter = proxmox backend = systemd maxretry = 3 findtime = 2d bantime = 1h
Tip: Time properties like bantime
and findtime
also allows one to use combinations like 2m 30s
, you can test if it's valid and what the actually resulting ban seconds are using the fail2ban-client --str2sec '1d 12h'
command.
See the jail.conf
manual page[1] for description of all options.
Filter Config
Create the file /etc/fail2ban/filter.d/proxmox.conf
with the following content:
[Definition] failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.* ignoreregex = journalmatch = _SYSTEMD_UNIT=pvedaemon.service
Restart Service to Enable Config
Use:
systemctl restart fail2ban
to activate the config addition and arm fail2ban for the Proxmox VE API.
Test fail2ban Config
You can test your configuration by trying to log in through the web interface with a wrong password or a wrong user, and then issue the command:
fail2ban-regex systemd-journal /etc/fail2ban/filter.d/proxmox.conf
You should have *at least* a "Failregex: 1 total" at the top of the "Results" section (and "1 matched" at the bottom)
Note, if you tried too often and got yourself banned (your IP is reported by fail2ban-client get proxmox banned
) you can use fail2ban-client unban IP
(replace IP with yours) to manually unblock yourself.
Legacy Option: Using rsyslog Backend
The following configuration uses the rsyslog
backend and works as is by default for Proxmox VE 3 up to Proxmox VE 7.
Note, if you installed from Proxmox VE 8 or newer the rsyslog
package won't be installed by default, so you either need to install the rsyslog package or use the recommended systemd variant above.
Add the following string to the end of this file /etc/fail2ban/jail.local
:
[proxmox] enabled = true port = https,http,8006 filter = proxmox logpath = /var/log/daemon.log maxretry = 3 bantime = 1h
Then continue to follow above guide by create the filter file /etc/fail2ban/filter.d/proxmox.conf
like described above in #Filter Config and restart fail2ban.
Links
- ↑
jail.conf
manual page https://manpages.debian.org/stable/fail2ban/jail.conf.5.en.html