Fail2Ban for VMs/containers

Discussion in 'Proxmox VE: Networking and Firewall' started by LnxBil, May 4, 2018.

  1. LnxBil

    LnxBil Well-Known Member

    Feb 21, 2015

    Does anyone use fail2ban also for monitoring and filtering entries of the PVE firewall itself? I'm explicitly NOT talking about the PVE host, but about VMs/containers that are firewalled via PVE and log entries in /var/log/pve-firewall.log. This could and should be possible in general.

  2. micush

    micush Member

    Jul 18, 2015
    I use fail2ban on all VMs and hosts. However, I don't use it to monitor PVE firewall log entries. I use it for its intended main purpose of banning brute force attacks over network sockets, mostly for SSH access.
  3. upnort

    upnort Member
    Proxmox VE Subscriber

    Apr 26, 2018
    I do not use fail2ban because I find the Proxmox firewall (FW) tools to be very good.

    Using the Proxmox FW "macro" options, I created some security groups that I apply to containers. For example, one group allows only infrastructure network subnets. Another group is for basic web servers. Another group for name servers. With those groups and basic FW design (drop all not allowed), the FW works nicely.

    For monitoring in the containers I run a home-made shell script in an hourly cron job to check the authentication log for typical intrusion attempt messages. The log is always empty of such messages, which indicates the FW is working correctly to drop intrusion attempts. I haven't received any email alerts from intrusion attempts in many months. The script does work because on one container server used by technicians I do receive email alerts from local login "fat finger" mistakes.

    I hope that helps. :)
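
The hourly auth-log check upnort describes could look like the following. This is an added example, not upnort's script and not part of the thread. It assumes OpenSSH-style log messages, the Debian default `/var/log/auth.log` and a working `mail(1)`; the function names, the `--cron` switch and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: hourly auth-log check run from cron inside a container.
# Hypothetical crontab line: 0 * * * * /usr/local/sbin/authcheck.sh --cron
AUTH_LOG="${AUTH_LOG:-/var/log/auth.log}"   # assumed path (Debian default)
ALERT_TO="${ALERT_TO:-root}"                # assumed alert recipient

# Print "COUNT SOURCE" per source address, highest count first, for lines like
#   sshd[PID]: Failed password for [invalid user] NAME from ADDR port N ssh2
#   sshd[PID]: Invalid user NAME from ADDR port N
# The user name is chosen by the remote side and may itself contain the word
# "from", so the address is taken after the LAST "from" on the line.
# An unknown user usually produces both message types, so it counts twice.
summarize_failures() {
    awk '
        /sshd\[[0-9]+\]: (Failed password for|Invalid user) / {
            for (i = NF - 1; i >= 1; i--)
                if ($i == "from") { hits[$(i + 1)]++; break }
        }
        END { for (ip in hits) print hits[ip], ip }
    ' "$@" | sort -k1,1nr -k2,2
}

# Constructed sample input (documentation address ranges), not real log data.
sample_lines() {
    cat <<'EOF'
May  4 10:00:01 ct101 sshd[811]: Failed password for root from 203.0.113.7 port 40022 ssh2
May  4 10:00:03 ct101 sshd[811]: Failed password for root from 203.0.113.7 port 40022 ssh2
May  4 10:02:10 ct101 sshd[820]: Invalid user x from 192.0.2.1 port 1 from 198.51.100.9 port 51514
May  4 10:05:00 ct101 sshd[830]: Accepted publickey for tech from 192.0.2.50 port 50000 ssh2
EOF
}

# Cron entry point: rescans the whole current log file on every run and
# mails the summary only when there is something to report.
if [ "${1:-}" = "--cron" ]; then
    report=$(summarize_failures "$AUTH_LOG")
    if [ -n "$report" ]; then
        printf '%s\n' "$report" | mail -s "auth failures on $(hostname)" "$ALERT_TO"
    fi
fi
```

Running `sample_lines | summarize_failures` shows the output format without touching a real log.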