Fail2Ban for VMs/containers

LnxBil

Distinguished Member
Feb 21, 2015
Saarland, Germany
Hi,

Does anyone use fail2ban also for monitoring and filtering entries of the PVE firewall itself? I'm explicitly NOT talking about the PVE host, but about VMs/containers that are firewalled via PVE and log entries in /var/log/pve-firewall.log. This could and should be possible in general.

Best,
LnxBil
 
I use fail2ban on all VMs and hosts. However, I don't use it to monitor PVE firewall log entries. I use it for its intended main purpose of banning brute force attacks over network sockets, mostly for SSH access.
 
I do not use fail2ban because I find the Proxmox firewall (FW) tools to be very good.

Using the Proxmox FW "macro" options, I created some security groups that I apply to containers. For example, one group allows only infrastructure network subnets. Another group is for basic web servers. Another group for name servers. With those groups and basic FW design (drop all not allowed), the FW works nicely.

For monitoring in the containers I run a home-made shell script in an hourly cron job to check the authentication log for typical intrusion attempt messages. The log is always empty of such messages, which indicates the FW is working correctly to drop intrusion attempts. I haven't received any email alerts from intrusion attempts in many months. The script does work because on one container server used by technicians I do receive email alerts from local login "fat finger" mistakes.

I hope that helps. :)
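The original question asks whether fail2ban's count-then-ban logic can be pointed at /var/log/pve-firewall.log, and the last reply describes an hourly cron script that scans a log for intrusion-attempt patterns and summarises them. The following Python script is an added example (not code from this thread, from fail2ban, or from Proxmox) that does both over firewall log lines: it parses records, applies a fail2ban-style `maxretry`/`findtime` sliding window per source address to DROP entries, and produces a per-VM, per-service count of dropped packets suitable for an hourly report. The line layout (`<vmid> <loglevel> <chain> <timestamp> policy <VERDICT>: <iptables-style key=value fields>`) is assumed from the Proxmox firewall log format, the sample lines are constructed with documentation address ranges, and the example assumes the VM's firewall log level is set so that dropped packets are actually logged.

```python
"""Fail2ban-style offender detection and hourly summary over pve-firewall.log lines."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional

# Constructed sample in the assumed shape of /var/log/pve-firewall.log entries.
# Addresses come from documentation ranges; nothing here is a real host.
SAMPLE_LOG = """\
100 6 tap100i0-IN 21/Feb/2015:10:00:01 +0100 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 SRC=198.51.100.7 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=40001 DPT=22 SYN
100 6 tap100i0-IN 21/Feb/2015:10:00:04 +0100 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 SRC=198.51.100.7 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=40002 DPT=22 SYN
100 6 tap100i0-IN 21/Feb/2015:10:00:09 +0100 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 SRC=198.51.100.7 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=40003 DPT=22 SYN
100 6 tap100i0-IN 21/Feb/2015:10:00:15 +0100 policy ACCEPT: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 SRC=203.0.113.9 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=51000 DPT=80 SYN
100 6 tap100i0-IN 21/Feb/2015:10:00:21 +0100 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 SRC=198.51.100.7 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=40004 DPT=22 SYN
100 6 tap100i0-IN 21/Feb/2015:10:00:30 +0100 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 SRC=198.51.100.7 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=40005 DPT=22 SYN
100 6 tap100i0-IN 21/Feb/2015:10:00:42 +0100 policy DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 SRC=198.51.100.7 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=40006 DPT=22 SYN
101 6 tap101i0-IN 21/Feb/2015:10:05:00 +0100 policy DROP: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 SRC=192.0.2.4 DST=10.0.0.6 LEN=84 PROTO=ICMP TYPE=8 CODE=0
101 6 tap101i0-IN 21/Feb/2015:10:25:00 +0100 policy DROP: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 SRC=192.0.2.4 DST=10.0.0.6 LEN=60 PROTO=TCP SPT=33000 DPT=25 SYN
this line is not a firewall record and must be skipped
"""

# Header of a record; the iptables-style fields after "policy <VERDICT>:" are
# parsed separately as key=value tokens so optional fields (DPT is absent for ICMP)
# do not need to be hard-coded in the regex.
HEADER_RE = re.compile(
    r"^(?P<vmid>\d+) (?P<level>\d+) (?P<chain>\S+) "
    r"(?P<ts>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"policy (?P<verdict>[A-Z]+): (?P<fields>.*)$"
)


@dataclass
class Record:
    vmid: str
    chain: str
    ts: datetime
    verdict: str
    src: Optional[str]
    proto: Optional[str]
    dpt: Optional[str]


def parse_line(line: str) -> Optional[Record]:
    """Return a Record for a firewall log line, or None for anything else."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("fields").split() if "=" in tok)
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return Record(m.group("vmid"), m.group("chain"), ts, m.group("verdict"),
                  fields.get("SRC"), fields.get("PROTO"), fields.get("DPT"))


def find_offenders(lines: Iterable[str], maxretry: int = 5, findtime: int = 600) -> Dict[str, dict]:
    """Fail2ban-style decision: a source that accumulates `maxretry` DROPs within
    `findtime` seconds is reported with the time the threshold was crossed and its
    total DROP count. Only DROP verdicts count; ACCEPT lines are ignored."""
    window = timedelta(seconds=findtime)
    recent: Dict[str, deque] = defaultdict(deque)
    totals: Dict[str, int] = defaultdict(int)
    banned: Dict[str, datetime] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.verdict != "DROP" or rec.src is None:
            continue
        totals[rec.src] += 1
        q = recent[rec.src]
        q.append(rec.ts)
        while q and rec.ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= maxretry and rec.src not in banned:
            banned[rec.src] = rec.ts
    return {src: {"banned_at": ts.isoformat(), "drops": totals[src]} for src, ts in banned.items()}


def summarize_drops(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Per-VM, per-service DROP counts (e.g. {"100": {"TCP/22": 6}}), the kind of
    figure an hourly cron report would mail out. ICMP has no port, shown as '-'."""
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.verdict != "DROP":
            continue
        summary[rec.vmid][f"{rec.proto}/{rec.dpt or '-'}"] += 1
    return {vm: dict(services) for vm, services in summary.items()}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, info in find_offenders(lines).items():
        print(f"offender {src}: threshold crossed at {info['banned_at']}, {info['drops']} drops total")
    for vm, services in summarize_drops(lines).items():
        print(f"VM {vm}: " + ", ".join(f"{svc}={n}" for svc, n in services.items()))
```

The `SRC=` capture is the piece a fail2ban filter expresses as `<HOST>` in its `failregex`; the sliding window mirrors what the jail's `maxretry` and `findtime` do. Note that every DROP here is already a blocked packet, so a ban derived from this log is a noise-reduction and reporting measure rather than the thing that stops the traffic, which is the point the last reply makes about an empty auth log showing the firewall is doing its job.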