Fail2ban

From Proxmox VE
Jump to navigation Jump to search

Here we describe in short how you can set up fail2ban for the Proxmox VE API to block IP addresses (temporarily) if there were to many wrong login tries submitted through them.

Install fail2ban

apt update
apt install fail2ban

Setup Base Config

We recommend you to use the /etc/fail2ban/jail.local file, as settings in this file takes precedence over identical settings of jail.conf.

Use jail.conf as a template:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

And change or delete things to your liking in the copied over jail.local.

The main reason for using this separate file is that the original jail.conf could be overwritten by fail2ban package updates, while the copied jail.local will not, so you can better manage updates that way.

Setup Jail Using systemd Backend

For Proxmox VE systems since 4.0 systemd-journald is enabled by default and since the Proxmox VE 7.0 release, the log is also persisting reboots – meaning that attacks can by defaults also found if the started before a reboot. For older systems (as those releases are end-of-life) or see the legacy rsyslog option below.

Base Config

Add the following to the end of the copied over file /etc/fail2ban/jail.local:

[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
backend = systemd
maxretry = 3
findtime = 2d
bantime = 1h

Tip: Time properties like bantime and findtime also allows one to use combinations like 2m 30s, you can test if it's valid and what the actually resulting ban seconds are using the fail2ban-client --str2sec '1d 12h' command.

Filter Config

Create the file /etc/fail2ban/filter.d/proxmox.conf with the following content:

[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =

Restart Service to Enable Config

Use:

systemctl restart fail2ban

to activate the config addition and arm fail2ban for the Proxmox VE API.

Test fail2ban Config

You can test your configuration by trying to log in through the web interface with a wrong password or a wrong user, and then issue the command:

fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf

You should have *at least* a "Failregex: 1 total" at the top of the "Results" section (and "1 matched" at the bottom)

Note, if you tried to often and got yourself banned (your IP is reported by fail2ban-client get proxmox banned) you can use fail2ban-client unban IP (replace IP with yours) to manually unblock yourself.

Legacy Option: Using rsyslog Backend

The following configuration uses the rsyslog backend and works as is by default for Proxmox VE 3 up to Proxmox VE 7.

Note, if you installed from Proxmox VE 8 or newer the rsyslog package won't be installed by default, so you either need to install the rsyslog package or use the recommended systemd variant above.

Add the following string to the end of this file /etc/fail2ban/jail.local:

[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
logpath = /var/log/daemon.log
maxretry = 3
bantime = 1h

Then continue to follow above guide by create the filter file /etc/fail2ban/filter.d/proxmox.conf like described above in #Filter Config and restart fail2ban.

Links