Part 2 - fail2ban on a proxmox host
Part 1 was about the insecure service (rpc) which is rolled out in the default proxmox installation. You can find the article here. In this article we want to further secure our proxmox server and slow down bruteforce attacks at least once by temporarily blocking them.
How fail2ban works
fail2ban checks in logs for failed logins. These are usually filtered and monitored via regex. If a user tries to log in and uses the wrong password, the counter for the corresponding IP goes up. If the counter reaches a configurable threshold, fail2ban will create a temporary (time is also configurable) iptables entry and block access to the corresponding service.
Installing fail2ban
Installation is as simple as configuration.
1
apt install fail2ban
I’m going to assume that you are using Debian…. of course the package is available in all major distros :-) .
After that, you should briefly check if the service is already in autostart:
1
systemctl status fail2ban.service
Configuration of fail2ban
fail2ban comes with a set of automatic modules that check for failed logins. Unfortunately, there is currently no module for proxmox in the default. But that doesn’t matter, the configuration is explained in the official documentation and is really simple.
In the (to be created) /etc/fail2ban/jail.d/proxmox.conf we add the following code snippet. Here we specify the corresponding services and the logfile. Here maxretry defines the number of failed logins and bantime the time the IP will be blocked afterwards.
1
2
3
4
5
6
7
8
[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
logpath = /var/log/daemon.log
maxretry = 3
# 1 hour
bantime = 3600
Now we have to create a configfile for the filter. For this we create the file /etc/fail2ban/filter.d/proxmox.conf and add the following content:
1
2
3
[definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =.
Now the service fail2ban must be restarted briefly (systemctl restart fail2ban). In the logfile /var/log/fail2ban.log now also the fail proxmox should show up:
1
2
2021-03-03 17:45:32,928 fail2ban.jail [49691]: INFO Jail 'sshd' started
2021-03-03 17:45:32,928 fail2ban.jail [49691]: INFO Jail 'proxmox' started
Test
If you want to test the configuration once, you can do it easily via the following command.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf
Running tests
=============
Use failregex filter file : proxmox, basedir: /etc/fail2ban
Use log file : /var/log/daemon.log
Use encoding : UTF-8
Results
=======
Failregex: 0 total
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [370] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 370 lines, 0 ignored, 0 matched, 370 missed
[processed in 0.01 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 370 lines
iptables
In the iptables, an IP ban looks like this:
1
-A f2b-sshd -s IP.AD.DR.ESS/32 -j REJECT --reject-with icmp-port-unreachable
Of course, this can be resolved via this as well. Simply delete the iptables rule.