Difference between revisions of "Fail2ban"

From Proxmox VE
Jump to navigation Jump to search
 
(8 intermediate revisions by 6 users not shown)
Line 1: Line 1:
Note: article taken straight from [http://forum.proxmox.com/threads/16156-Fail2ban-for-Proxmox-3-1 this forum post]
+
== Protecting the web interface with fail2ban ==
  
==Protecting the web interface with fail2ban==
+
<pre>apt install fail2ban</pre>
  
<pre>aptitude install fail2ban</pre>
+
Create, if does not exist, the file jail.local
 +
(settings in this file takes precedence over identical settings of jail.conf. Use jail.conf as a template, copying and enabling into jail.local what you are interested in.
 +
Note that jail.conf could be overwritten by fail2ban package updates, jail.local will not)
  
Create, if does not exist, the file jail.local
+
The following configuration works, unchanged, for Proxmox VE > 3.x (last test with 7.1)
(settings in this file takes precedence over identical settings of jail.conf)
 
  
 
Add the following string to the end of this file /etc/fail2ban/jail.local :
 
Add the following string to the end of this file /etc/fail2ban/jail.local :
  
 
<pre>
 
<pre>
[proxmox3]
+
[proxmox]
 
enabled = true
 
enabled = true
 
port = https,http,8006
 
port = https,http,8006
filter = proxmox3
+
filter = proxmox
 
logpath = /var/log/daemon.log
 
logpath = /var/log/daemon.log
 
maxretry = 3
 
maxretry = 3
bantime = 3600 # 1 hour
+
# 1 hour
 +
bantime = 3600
 
</pre>
 
</pre>
  
Create the file /etc/fail2ban/filter.d/proxmox3.conf :
+
Create the file /etc/fail2ban/filter.d/proxmox.conf :
  
 
<pre>
 
<pre>
Line 28: Line 30:
 
</pre>
 
</pre>
  
You can test your configuration with the command :
+
You can test your configuration trying to GUI login with a wrong password or user, and then issue the command :
  
 
<pre>
 
<pre>
fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox3.conf
+
fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf
 
</pre>
 
</pre>
 +
 +
You should have *at least* a "Failregex: 1 total" at the top of the "Results" section (and "1 matched" at the bottom)
  
 
Restart fail2ban:
 
Restart fail2ban:
  
 
<pre>
 
<pre>
/etc/init.d/fail2ban restart
+
systemctl restart fail2ban
 
</pre>
 
</pre>
  
=Links=
+
== Links ==
 +
* [http://www.fail2ban.org/wiki/index.php/Main_Page  Fail2Ban ]
 
* [http://extremeshok.com/blog/?page_id=810 Proxmox VE 2.1 - Harden Network]
 
* [http://extremeshok.com/blog/?page_id=810 Proxmox VE 2.1 - Harden Network]
 
* [http://forum.proxmox.com/threads/3583-How-To-implement-Fail2Ban-on-Host Forum Post]
 
* [http://forum.proxmox.com/threads/3583-How-To-implement-Fail2Ban-on-Host Forum Post]

Latest revision as of 13:27, 31 March 2022

Protecting the web interface with fail2ban

apt install fail2ban

Create, if does not exist, the file jail.local (settings in this file takes precedence over identical settings of jail.conf. Use jail.conf as a template, copying and enabling into jail.local what you are interested in. Note that jail.conf could be overwritten by fail2ban package updates, jail.local will not)

The following configuration works, unchanged, for Proxmox VE > 3.x (last test with 7.1)

Add the following string to the end of this file /etc/fail2ban/jail.local :

[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
logpath = /var/log/daemon.log
maxretry = 3
# 1 hour
bantime = 3600

Create the file /etc/fail2ban/filter.d/proxmox.conf :

[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =

You can test your configuration trying to GUI login with a wrong password or user, and then issue the command :

fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf

You should have *at least* a "Failregex: 1 total" at the top of the "Results" section (and "1 matched" at the bottom)

Restart fail2ban:

systemctl restart fail2ban

Links