securing PMG GUI root and other users

velocity08

Active Member
May 25, 2019
Hi All

I've been doing some searches for securing the PMG web GUI for the root user and haven't come across anything specific.

Is there an option for 2fa?
Would there be any issues if we installed Fail2Ban?
Nothing is jumping out in the Administrators guide.

Any assistance would be greatly appreciated.

Cheers
G
 
Is there an option for 2fa?
Currently this is not implemented - we have it on the roadmap though - no timeframe for when this will be available though.

Would there be any issues if we installed Fail2Ban?
Not to my knowledge.
fail2ban should work and not interfere with PMG (unless you configure it to block SMTP traffic and are too harsh on the limits).

I hope this helps!
 
Good morning.

I just logged in to ask exactly the same question! :)
I was expecting that 2FA needs implementation to happen; however, my question is:
To use Fail2Ban it needs to be examining the logs which clearly indicate remote IP and login result (the failures).
Which logfile is that?

Nikole
 
To use Fail2Ban it needs to be examining the logs which clearly indicate remote IP and login result (the failures).
Which logfile is that?

/var/log/pmgproxy/pmgproxy.log is basically the access log
 
/var/log/pmgproxy/pmgproxy.log is basically the access log

Hm...
I have seen this log but it does not appear to be showing whether a login attempt was successful or failed.
Here is an example of 2 failed attempts. (The POST lines)
-------------------
Code:
192.168.2.10 - - [10/09/2020:10:54:58 +0100] "GET / HTTP/1.1" 200 710
192.168.2.10 - - [10/09/2020:10:54:58 +0100] "GET /pve2/ext6/theme-crisp/resources/theme-crisp-all.css HTTP/1.1" 200 68
192.168.2.10 - - [10/09/2020:10:54:58 +0100] "GET /pve2/css/ext6-pmg.css?ver=2.2-2 HTTP/1.1" 200 1583
192.168.2.10 - - [10/09/2020:10:54:58 +0100] "GET /fontawesome/css/font-awesome.css HTTP/1.1" 200 7289
192.168.2.10 - - [10/09/2020:10:54:58 +0100] "GET /pve2/ext6/theme-crisp/resources/theme-crisp-all_2.css HTTP/1.1" 200 5208
192.168.2.10 - - [10/09/2020:10:54:58 +0100] "GET /pve2/ext6/crisp/resources/charts-all.css HTTP/1.1" 200 995
192.168.2.10 - - [10/09/2020:10:54:58 +0100] "GET /pwt/css/ext6-pmx.css?ver=2.2-8 HTTP/1.1" 200 697
192.168.2.10 - - [10/09/2020:10:54:59 +0100] "GET /proxmoxlib.js?ver=2.2-8 HTTP/1.1" 200 52351
192.168.2.10 - - [10/09/2020:10:54:59 +0100] "GET /pve2/ext6/ext-all.js HTTP/1.1" 200 609692
192.168.2.10 - - [10/09/2020:10:54:59 +0100] "GET /pve2/ext6/charts.js HTTP/1.1" 200 100383
192.168.2.10 - - [10/09/2020:10:54:59 +0100] "GET /pve2/ext6/theme-crisp/resources/theme-crisp-all_1.css HTTP/1.1" 200 33744
192.168.2.10 - - [10/09/2020:10:54:59 +0100] "GET /pve2/ext6/locale/locale-en.js HTTP/1.1" 200 2569
192.168.2.10 - - [10/09/2020:10:54:59 +0100] "GET /pve2/js/pmgmanagerlib.js?ver=2.2-2 HTTP/1.1" 200 56716
192.168.2.10 - - [10/09/2020:10:54:59 +0100] "GET /pve2/ext6/theme-crisp/resources/images/form/trigger.png HTTP/1.1" 200 17627
192.168.2.10 - - [10/09/2020:10:54:59 +0100] "GET /pve2/images/proxmox_logo.png HTTP/1.1" 200 2809
192.168.2.10 - - [10/09/2020:10:55:00 +0100] "GET /pve2/images/logo-128.png HTTP/1.1" 200 4977
192.168.2.10 - root@pam [10/09/2020:10:55:02 +0100] "GET /api2/json/nodes/antispam/rrddata?timeframe=hour&cf=AVERAGE HTTP/1.1" 200 4196
192.168.2.10 - - [10/09/2020:10:55:06 +0100] "GET /pve2/ext6/theme-crisp/resources/images/loadmask/loading.gif HTTP/1.1" 200 1849
192.168.2.10 - - [10/09/2020:10:55:09 +0100] "POST /api2/extjs/access/ticket HTTP/1.1" 200 75
192.168.2.10 - - [10/09/2020:10:55:10 +0100] "GET /pve2/ext6/theme-crisp/resources/images/tools/tool-sprites.png HTTP/1.1" 200 24404
192.168.2.10 - - [10/09/2020:10:55:10 +0100] "GET /pve2/ext6/theme-crisp/resources/images/shared/icon-error.png HTTP/1.1" 200 18494
192.168.2.10 - - [10/09/2020:10:55:18 +0100] "POST /api2/extjs/access/ticket HTTP/1.1" 200 75

This cannot be used obviously... :confused:
 
The authentication failures are logged in the journal:
Code:
Sep 10 13:03:21 pmg pmgdaemon[1138]: authentication failure; rhost=192.0.2.200 user=root@pam msg=auth failed: Authentication failure at /usr/share/perl5/PMG/AccessControl.pm

I hope this helps!
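
The journal line quoted in the last reply carries both the remote host and the failure, which is what a Fail2Ban filter needs and what the pmgproxy access log lacks. The following Python script is an added example, not code from the thread or from Proxmox: it checks a candidate fail2ban-style pattern against that line and applies a maxretry/findtime threshold. The names `FAILREGEX` and `HOST_RE`, the threshold values, the year, and every sample line except the first are assumptions or constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Candidate fail2ban-style pattern for the pmgdaemon journal line in the thread.
# fail2ban expands <HOST> itself; HOST_RE is a simplified stand-in (assumption).
FAILREGEX = r"pmgdaemon\[\d+\]: authentication failure; rhost=<HOST> user=\S+ msg=.*"
HOST_RE = r"(?P<host>[0-9A-Fa-f:.]+)"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))

# First line is the one quoted in the thread; the other journal lines are
# constructed. The last line is an access-log POST, which has no login result.
SAMPLE = """\
Sep 10 13:03:21 pmg pmgdaemon[1138]: authentication failure; rhost=192.0.2.200 user=root@pam msg=auth failed: Authentication failure at /usr/share/perl5/PMG/AccessControl.pm
Sep 10 13:03:29 pmg pmgdaemon[1138]: authentication failure; rhost=192.0.2.200 user=root@pam msg=auth failed
Sep 10 13:03:40 pmg pmgdaemon[1139]: authentication failure; rhost=192.0.2.200 user=admin@pmg msg=auth failed
Sep 10 13:20:00 pmg pmgdaemon[1139]: authentication failure; rhost=198.51.100.7 user=root@pam msg=auth failed
192.168.2.10 - - [10/09/2020:10:55:09 +0100] "POST /api2/extjs/access/ticket HTTP/1.1" 200 75
"""

def parse_failures(text, year=2020):
    """Return (timestamp, host) for every line the pattern matches."""
    hits = []
    for line in text.splitlines():
        m = PATTERN.search(line)
        if m:
            # Syslog timestamps omit the year, so it is supplied (assumed).
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            hits.append((ts, m.group("host")))
    return hits

def hosts_to_ban(hits, maxretry=3, findtime=timedelta(minutes=10)):
    """Hosts with at least maxretry failures inside any findtime window."""
    by_host = defaultdict(list)
    for ts, host in sorted(hits):
        by_host[host].append(ts)
    banned = set()
    for host, times in by_host.items():
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                banned.add(host)
                break
    return sorted(banned)

if __name__ == "__main__":
    print(hosts_to_ban(parse_failures(SAMPLE)))
```

The access-log POST line produces no match, so only the journal lines count toward the threshold.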
 
