Fail2ban for Proxmox 3.1

[emanuelebruno]

Taking a look to this link http://pve.proxmox.com/wiki/Fail2ban seems that it lacks of updates for the newest Proxmox 3.1, so I have decide to write down the following guide (it is a traslation and adaptation to this guide http://wiki.csnu.org/index.php?title=Proxmox3#Prot.C3.A9ger_l.27interface_web_avec_fail2ban ) :

Protecting the web interface with fail2ban

aptitude install fail2ban

Add the following string to the end of this file /etc/fail2ban/jail.local :

[proxmox3]
enabled = true
port = https,http,8006
filter = proxmox3
logpath = /var/log/daemon.log
maxretry = 3
bantime = 3600 # 1 hour

Create the file /etc/fail2ban/filter.d/proxmox3.conf :

[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =

You can test your configuration with the command :

fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox3.conf

Restart fail2ban:

/etc/init.d/fail2ban restart

PS Can you update your wiki?

 

[Cloudrck]

I was just looking around at Fail2ban for Proxmox. Thanks a lot for your contribution.

You should be able to create/request an account on the wiki and update it yourself.

 

[joelserrano]

I was also just looking for exactly this! Great work!

Thanks...

 

[FcbInfo]

+1 thanks for this =)

 

[m.ardito]

PS Can you update your wiki?

A bit late, but I just did it: http://pve.proxmox.com/wiki/Fail2ban

Cheers, Marco

 

[FcbInfo]

Hi there, you forgot about to copy jail.conf to jail.local before edit the file.

For users without experience with fail to ban, its not easy to understand.

Nice wiki update =)

 

[m.ardito]

For users without experience with fail to ban, its not easy to understand.

as I am, sadly :-D
I hope it is ok now?

Marco

 

[FcbInfo]

YEAH... this is oks.

Now we have updated docs to install fail2ban on proxmox servers without need to open a lot of posts and pages =)

Thank you for it m.ardito!

 

[Ovidiu]

Would these instructions be compatible with Proxmox 4 and the firewall it uses? And does one have to turn the node firewall on in the GUI or is this independent?

 

[Okumba]

Would these instructions be compatible with Proxmox 4 and the firewall it uses? And does one have to turn the node firewall on in the GUI or is this independent?

I would like to ask this too, is Proxmox 4.1 compatible with fail2ban?

 

[cyp]

I would like to ask this too, is Proxmox 4.1 compatible with fail2ban?

Yes, it's work perfectly on my Proxmox 4.1 servers.

 

[Okumba]

Yes, it's work perfectly on my Proxmox 4.1 servers.

thank you, used the wiki article and tested it, works wonderful.

 

[seir]

As Debian is switching to systemd, I would recommend starting/enabling the service as follows:

# systemctl start fail2ban
# systemctl enable fail2ban


And while we're at it, change proxmox3 to proxmox4 for the sake of being nitpicky.

/etc/fail2ban/jail.local

[proxmox4]
enabled = true
port = https,http,8006
filter = proxmox4
logpath = /var/log/daemon.log
maxretry = 3
bantime = 3600

/etc/fail2ban/filter.d/proxmox4.conf

[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =

 

[nbeam]

The only thing I would add is that I had to reboot my node (not sure why) in order for this to take affect. After I did that it started working. I scratched my head for 30 minutes fiddling about with the config files (the regex checked out when I ran the command to check for matches and the fail2ban.log file showed that the service was running... hence I was a bit frustrated) I did note that iptables wasn't showing and banned ip's... Speaking of which, if you want to see banned IP's in your IPtables, this works well:

iptables -L fail2ban-proxmox

or perhaps (depending on your file naming scheme for fail2ban config file):

iptables -L fail2ban-proxmox3

iptables -L fail2ban-proxmox4

One other note, I am running firewalls across the board. Datacenter, Node, and VM/Container on Proxmox 4.1. This DOES WORK with all of that enabled, it just took a reboot for it to start working for me.

Anyhow, thank you for the excellent contribution!

 

[wbumiller]

And while we're at it, change proxmox3 to proxmox4 for the sake of being nitpicky.

If the two are otherwise compatible why include the version number at all? ;-)

 

[nbeam]

If the two are otherwise compatible why include the version number at all? ;-)

Exactly

That is what I did with my config.