Automated proxmox firewall management

LeeS (New Member), Mar 30, 2015
Hello :D

Firstly a big thank you to the Proxmox team for PVE. I have been using it in anger for several years now and it just keeps getting better and better. Life feels complete now that it has an integrated firewall! My inbound rules are very tight for all VMs/CTs within my cluster, but this doesn't prevent things like the mail server (which obviously needs to be accessible from everywhere on certain ports) being hammered by known nasties. I'm not necessarily talking spam as that is easily handled by other means, but rather the non-stop AUTH brute-force attempts, etc. etc. etc.

So I started a project. It's time to give something back to the Proxmox team, and the community at large.

MAFIA for Proxmox VE is born. No - not the Italian chaps with concrete boots for people who annoy them; the Modular Automated Firewall Interface Application. Eventually there are grand plans for it. Right now, it's very simple. It takes lists of bad guys from across the internet on regular intervals, and pumps them into an IPSet. This IPSet (depending on how you configure it) can then be used to globally block access to your cluster, or on a per-VM/CT basis. Up to you.

SOURCES:
  1. OpenBL Base
  2. Spamhaus DROP and EDROP
  3. Blocklist.de STRONGIPS
  4. ISC DSHIELD
  5. Emerging Threats CINS

These 6 sources provide a good mix of long-term evidenced poor reputation, and newly emerging threat protection. You can also add your own sources (how to do so is somewhat left as an exercise for the user at this point), but the layout of the scripts should be easy enough to follow for anyone with a rudimentary knowledge of bash scripts. More sources will be added in future releases.

MAFIA is released under GPL v3 and lives here: https://mafia.network
Version 0.4 released. Now includes a script to automatically expire firewall entries based on age and the OpenBL delisted file.
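As an added example, not MAFIA's own code and not from any of the posts here: the two steps described above, feeding downloaded lists into an IPSet (first post) and expiring entries by age (version 0.4), as POSIX shell functions. The feed line shapes, the ipset name `mafia_blacklist`, and the `# added <epoch>` tagging convention are my assumptions; the real feed URLs are not included, and the rule syntax `IN DROP -source +mafia_blacklist` is the cluster.fw way of referencing an IPSet.

```shell
#!/bin/sh
# Added example, not MAFIA's own code: turn raw blocklist feeds into a
# Proxmox VE cluster.fw IPSET section and expire aged entries.
# Feed line shapes handled (constructed, modelled on the listed sources):
#   "1.2.3.0/24 ; SBL123"   CIDR with ';' comment (Spamhaus DROP style)
#   "5.6.7.8"               bare address (OpenBL/Blocklist.de style)
#   "# ..." or blank        ignored

# Strip '#'/';' comments, keep the first token, accept only IPv4 or
# IPv4/prefix with sane octets and prefix length, then de-duplicate.
# Reads a feed on stdin and prints one entry per line.
normalize_feed() {
    sed -e 's/[;#].*$//' -e 's/^[[:space:]]*//' \
    | awk 'NF { print $1 }' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
    | awk -F'[./]' '{ ok = 1; for (i = 1; i <= 4; i++) if ($i > 255) ok = 0;
                      if (NF == 5 && $5 > 32) ok = 0; if (ok) print }' \
    | LC_ALL=C sort -u
}

# Render entries from stdin as an IPSET section.  Each entry is tagged
# "# added <epoch>" so expire_entries can age it out later.
# $1 = ipset name, $2 = current time as epoch seconds.
render_ipset_section() {
    printf '[IPSET %s]\n' "$1"
    while IFS= read -r cidr; do
        printf '%s # added %s\n' "$cidr" "$2"
    done
}

# Drop tagged entries older than $1 days; $2 = current epoch seconds.
# The section header and untagged (hand-added) entries are always kept.
expire_entries() {
    awk -v cutoff="$(( $2 - $1 * 86400 ))" '
        /^\[/ { print; next }
        match($0, /# added [0-9]+$/) {
            if (substr($0, RSTART + 8) + 0 >= cutoff) print
            next
        }
        { print }
    '
}

# Typical wiring (not run here): for each feed,
#   curl -s "$FEED_URL" | normalize_feed \
#     | render_ipset_section mafia_blacklist "$(date +%s)"
# then splice the section into /etc/pve/firewall/cluster.fw (keeping the
# other sections) and reference it with "IN DROP -source +mafia_blacklist".
```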
 
I'm voting to use fail2ban and only create the centralized blacklists for. Maybe a call for an extension for fail2ban? :rolleyes:

Because fail2ban creates your own blacklist depending on your systems, I don't trust Spamhaus and co. If you use blacklists from the internet you lose control also.

We had unwanted visitors from Russia, Kyrgyzstan, Ukraine and others last weekend; ~3000 computers were trying to come in via FTP, HTTP/PHP stuff, SSH, SASL and more.
Unfortunately a staff member had forgotten to close port 3306, so we were reminded the hard way. :-(

But we have wanted visitors from there also, so blocking Russia is no option! :D
Excellent project! I currently do the same with a few lists at my network edge with pfBlockerNG using pfSense.