How To implement Fail2Ban on Host

[jvalla]

I have no clue how to submit to the wiki so I will post what i did to get this running.

My objective was to implement Fail2Ban on the Proxmox host to monitor and ban IP addresses that make brute force attempts to gain access to the web interface or ssh command shell. I've successfully tested this on my pilot server and it seems to be running well.

Steps.

Update repositories

apt-get update

Install Fail2Ban

apt-get install fail2ban

Now we want to make copies of config files for backup purposes

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local

Now we want to create the fail2ban filter file which tells what to look for in the logs in order to trigger the ban

nano /etc/fail2ban/filter.d/proxmox.conf

copy and paste code below into proxmox.conf

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 569 $
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

failregex = ^<HOST> -.*POST.*/1\.1.* 403 1383

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Hit CTRL X then hit Y (if prompted) to save/overwrite proxmox.conf

Now we want to edit the jail.local (not jail.conf) file to specify our proxmox settings

nano /etc/fail2ban/jail.local

scroll down until you find the Jails section and locate
this section

[ssh]

enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 6

Copy and paste the code below directly above [ssh]

[proxmox]

enabled = true
port    = https,http
filter  = proxmox
logpath  = /var/log/apache*/access.log
maxretry = 3

It shoud look like this

[proxmox]

enabled = true
port    = https,http
filter  = proxmox
logpath  = /var/log/apache*/access.log
maxretry = 3

[ssh]

enabled = true
port    = ssh
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 6

Hit CTRL X then hit Y (if prompted) to save/overwrite jail.local

Now want to restart Fail2Ban

/etc/init.d/fail2ban restart

Now we want to test the new rules work

/usr/bin/fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/proxmox.conf

This above command should tell you if your filter is parsing the log files correctly and returning results. This is how mine looks after a few failed login attempts
(ip addresses masked)

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/proxmox.conf
Use log file   : /var/log/apache2/access.log


Results
=======

Failregex
|- Regular expressions:
|  [1] ^<HOST> -.*POST.*/1\.1.* 403 1383
|
`- Number of matches:
   [1] 21 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
    xxx.xxx.xxx.xxx (Fri Mar 19 09:54:42 2010)
    xxx.xxx.xxx.xxx (Fri Mar 19 09:54:47 2010)
    xxx.xxx.xxx.xxx (Fri Mar 19 09:54:53 2010)
    xxx.xxx.xxx.xxx (Fri Mar 19 13:00:25 2010)
    xxx.xxx.xxx.xxx (Fri Mar 19 13:00:31 2010)
    xxx.xxx.xxx.xxx (Fri Mar 19 13:00:36 2010)
    xxx.xxx.xxx.xxx (Fri Mar 19 13:08:31 2010)
    xxx.xxx.xxx.xxx (Fri Mar 19 13:14:08 2010)
    xxx.xxx.xxx.xxx (Fri Mar 19 13:14:13 2010)
    xxx.xxx.xxx.xxx (Fri Mar 19 13:14:44 2010)

Date template hits:
0 hit(s): Month Day Hour:Minute:Second
0 hit(s): Weekday Month Day Hour:Minute:Second Year
0 hit(s): Weekday Month Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
164 hit(s): Day/Month/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601

Success, the total number of match is 21

However, look at the above section 'Running tests' which could contain important
information.

Put fail2ban to the test by logging in with a made up username and password to the Proxmox web interface. After the 3rd incorrect login you should no longer be able to get to the page. By default the IP address will be banned for 10 minutes.

Now you will want to remove the ban. Go back into the command line and type

iptables -L fail2ban-proxmox -n -v --line-numbers

Which should give you numbered lines of IP addresses banned by proxmox which looks like this

proxmox:/etc/fail2ban# iptables -L fail2ban-proxmox -n -v --line-numbers
Chain fail2ban-proxmox (1 references)
num   pkts bytes target     prot opt in     out     source               destina                                  tion
1        8   389 DROP       all  --  *      *       192.168.1.11         0.0.0.0                                  /0
2       87 13396 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0                                  /0

To unban an IP type in

iptables -D fail2ban-proxmox 1

Where the number 1 represents the line number from the prior command.
You should now have access to the proxmox web interface again.

Fail2Ban is working correctly!

To change the amount of time an IP address is banned

nano /etc/fail2ban/jail.local

Look for

bantime  = 600

and change that to the number of seconds you would like for IP addresses to be banned

To add your IP address to the ignore list

nano /etc/fail2ban/jail.local

Look for

ignoreip = 127.0.0.1

and add your IP address.


I will be adding more to this as I test. Please let me know if and how this work out for you.

 

[udo]

Hi,
thanks for the good description - you should add this to the wiki (you must add a account for the wiki - simple with the same name like at the forum).

Udo

 

[jvalla]

I made a couple of changes and ran through the setup on a clean install of proxmox. Works like a charm.

 

[raid]

Is there any way for fail2ban to monitor the VM logs also?
Would be fine installing it into the host and monitoring the VM too and not only for SSH.
Does anyone know if it can monitor multiple log path and files at once?
Maybe used in conjunction with shorewall behind a NAT...

 

[jva1601]

I use fail2ban to protect my open vz containers now I can use it to protect my proxmox host. Thank you very much for the clear thorough tutorial!

 

[proxymoxy]

Haven't tried it yet (still waiting for proxmox 2.0 and hopefully doesn't take as long as centos

But the guide looks great and I appreciate it! Thanks1

 

[kilobit]

Jvalla thanks a million for posting this, we need more tutorials like this!

 

[udi]

hi,

this is your regex:

failregex = ^<HOST> -.*POST.*/1\.1.* 403 1383

but in my logfile the number after 403 is 1395.
i decided to remove 1383 from the end of regex (better than change it to 1395).
now my regex is: ^<HOST> -.*POST.*/1\.1.* 403

is it ok this way?

thank you
u.

 

[Daraiko]

Hi,

I have tried this in 2.x, but it does not seems to work.. i have changed the ports.
Is there anyone who has have implemented this successfully in proxmox 2.x ??

 

[xcooling]

the webgui in 2.0+ does NOT log failed login attempts to /var/log/apache2/access.log , this is why the above fail2ban no longer works.

I have rewritten the scripts to work with proxmox2, and will be published once they pass QA

 

[TheReelaatiiv]

Proxmox VE 2.0+ logs authentication-attempts to /var/log/syslog and of course to /var/log/daemon.log

Jun 16 15:03:12 gw2 pvedaemon[425416]: authentication failure; rhost=<myip> user=nonexistuser@pam msg=no such user ('nonexistuser@pam')
Jun 16 15:03:28 gw2 pvedaemon[260092]: authentication failure; rhost=<myip> user=root@pam msg=Authentication failure

 

[xcooling]

Prevent Brute-forcing of logins for Proxmox 2 +
guide is here: http://extremeshok.com/blog/?page_id=810

 

[emanuelebruno]

according to this web site http://extremeshok.com/blog/debian/...stallation-fail2ban-sysctl-hosts-ip-spoofing/ , I have met this message after digiting "fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox2.conf" command:

***
/usr/share/fail2ban/server/filter.py:442: DeprecationWarning: the md5 module is deprecated; use hashlib instead
import md5

Running tests
=============

Use regex file : /etc/fail2ban/filter.d/proxmox2.conf
Use log file : /var/log/daemon.log


Results
=======

Failregex
|- Regular expressions:
| [1] pvedaemon\[.*authentication failure; rhost=<HOST> user=.*msg=.*
|
`- Number of matches:
[1] 0 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Sorry, no match

Look at the above section 'Running tests' which could contain important
information.
***
I have copied exactly as in the web site.... anyone met this error?
Sincerely,
Emanuele Bruno.

 

[xcooling]

THATS NOT AN ERROR.
it is telling you, you have no matches, ie. no one has been brute forcing the interface according to the current logs

 

[chrisduncansb]

So I implemented the above step by step in my Proxmox 1.7 install. The SSH fail2ban is working, but http/https doesn't seem to work. I can continue to attempt to log in after 3 failed attempts, and the

I can see the log in attempts in the apache2/access.log and the summary under running tests is blank.

Any ideas what could be wrong?