Fail2ban
Here we describe in short how you can set up fail2ban for the Proxmox VE API to block IP addresses (temporarily) if there were to many wrong login tries submitted through them.
Install fail2ban
Execute the following commands as root in a shell on the Proxmox VE host, for example connected through SSH or via the web console in the Proxmox VE web interface.
apt update apt install fail2ban
Setup Base Config
We recommend you to use the /etc/fail2ban/jail.local file, as settings in this file takes precedence over identical settings of jail.conf.
Use jail.conf as a template:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
And change or delete things to your liking in the copied over jail.local.
The main reason for using this separate file is that the original jail.conf could be overwritten by fail2ban package updates, while the copied jail.local will not, so you can better manage updates that way.
Setup Jail Using systemd Backend
For Proxmox VE systems since 4.0 systemd-journald is enabled by default and since the Proxmox VE 7.0 release, the log is also persisting reboots – meaning that attacks can by defaults also found if the started before a reboot. For older systems (as those releases are end-of-life) or see the legacy rsyslog option below.
Base Config
Add the following to the end of the copied over file /etc/fail2ban/jail.local:
[proxmox] enabled = true port = https,http,8006 filter = proxmox backend = systemd maxretry = 3 findtime = 2d bantime = 1h
Tip: Time properties like bantime and findtime also allows one to use combinations like 2m 30s, you can test if it's valid and what the actually resulting ban seconds are using the fail2ban-client --str2sec '1d 12h' command.
See the jail.conf manual page[1] for description of all options.
Filter Config
Create the file /etc/fail2ban/filter.d/proxmox.conf with the following content:
[Definition] failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.* ignoreregex =
Restart Service to Enable Config
Use:
systemctl restart fail2ban
to activate the config addition and arm fail2ban for the Proxmox VE API.
Test fail2ban Config
You can test your configuration by trying to log in through the web interface with a wrong password or a wrong user, and then issue the command:
fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf
You should have *at least* a "Failregex: 1 total" at the top of the "Results" section (and "1 matched" at the bottom)
Note, if you tried to often and got yourself banned (your IP is reported by fail2ban-client get proxmox banned) you can use fail2ban-client unban IP (replace IP with yours) to manually unblock yourself.
Legacy Option: Using rsyslog Backend
The following configuration uses the rsyslog backend and works as is by default for Proxmox VE 3 up to Proxmox VE 7.
Note, if you installed from Proxmox VE 8 or newer the rsyslog package won't be installed by default, so you either need to install the rsyslog package or use the recommended systemd variant above.
Add the following string to the end of this file /etc/fail2ban/jail.local:
[proxmox] enabled = true port = https,http,8006 filter = proxmox logpath = /var/log/daemon.log maxretry = 3 bantime = 1h
Then continue to follow above guide by create the filter file /etc/fail2ban/filter.d/proxmox.conf like described above in #Filter Config and restart fail2ban.
Links
- ↑
jail.confmanual page https://manpages.debian.org/bookworm/fail2ban/jail.conf.5.en.html