fail2ban on PBS 3

what does the log show on a failed attempt?
 
> what does the log show on a failed attempt?

Actually the failure is recorded in /var/log/proxmox-backup/api/auth.log:

"authentication failure; rhost=[::ffff:10.100.0.10]:60267 user=fake@pam msg=user account disabled or expired."

I must have missed it the first time - the log file is huge. When I follow the log with tail I see it's writing a successful auth entry a couple of times a second:

"2023-08-24T18:32:56+10:00: successful auth for user 'root@pam'"

Is this normal?
 
> When I follow the log with tail I see it's writing a successful auth entry a couple of times a second:
>
> "2023-08-24T18:32:56+10:00: successful auth for user 'root@pam'"
>
> Is this normal?

depends on how many clients connect and what they do.
e.g. each pve connects every 10 seconds to the pbs if there is a pbs storage configured, so if you have a few, that can increase that log
(you should be able to prevent those logs when using api tokens instead of the root user directly)
 
Thanks Dominik. There are 3 nodes each accessing several datastores on PBS so that would explain it. I'm not familiar with "using api tokens instead of the root user directly" but I'll have a look into it. Anyway I'm not particularly concerned about it and log rotation seems to be working.

The second issue I'm having is configuring fail2ban for SSH on PBS. The guide at https://github.com/inettgmbh/fail2ban-proxmox-backup-server works well for gui/api access but initially fail2ban wouldn't start. It seems SSHD is enabled by default and fail2ban is looking for the SSH logs at /var/log/auth.log. Creating that file allows fail2ban to start, but SSHD doesn't write its logs there or to /var/log/proxmox-backup/api/auth.log.

Do you know where SSHD logs its messages on PBS?
 
since the underlying system is normal debian, /var/log/auth.log should be the log where sshd writes to (just verified on a pbs installation)
 
> since the underlying system is normal debian, /var/log/auth.log should be the log where sshd writes to (just verified on a pbs installation)

Interesting. /var/log/auth.log didn't exist on my PBS3 installation until I created it and SSHD isn't writing to it. /etc/ssh/sshd_config has the default config for logging (SyslogFacility AUTH). I have no idea where SSHD is writing its logs!
 
probably rsyslog is not installed and it's only logged into the journal?
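
Added example, not part of the thread or of the linked fail2ban guide: the Python below parses the /var/log/proxmox-backup/api/auth.log failure line quoted earlier, ignores the frequent "successful auth" entries, and reports hosts that fail repeatedly within a time window, which is the decision a fail2ban jail makes. The function names, the thresholds (named after fail2ban's maxretry and findtime options) and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Assumption: failures carry the timestamp prefix seen on the success line.
FAILURE = re.compile(
    r"^(?P<ts>\S+): authentication failure; "
    r"rhost=\[(?P<host>[0-9A-Fa-f:.]+)\]:\d+ user=(?P<user>\S+) msg="
)

def parse_failure(line):
    """Return (time, client address, user) for a failure line, else None."""
    m = FAILURE.match(line.strip())
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m["host"])
        when = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    # Unwrap ::ffff:a.b.c.d (as in the thread's line) to the plain IPv4 address.
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return when, str(addr), m["user"]

def hosts_to_ban(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Hosts with at least maxretry failures inside a findtime window."""
    recent, banned = defaultdict(list), set()
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue  # successful auth and unrelated lines are ignored
        when, host, _user = hit
        recent[host] = [t for t in recent[host] if when - t <= findtime] + [when]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return sorted(banned)

# Constructed sample log (documentation addresses, not from the thread).
_F = "{}: authentication failure; rhost=[{}]:{} user=fake@pam msg=user account disabled or expired."
SAMPLE = [
    "2023-08-24T18:32:56+10:00: successful auth for user 'root@pam'",
    _F.format("2023-08-24T18:33:01+10:00", "::ffff:192.0.2.7", 60267),
    _F.format("2023-08-24T18:33:05+10:00", "::ffff:192.0.2.7", 60268),
    _F.format("2023-08-24T18:33:09+10:00", "::ffff:192.0.2.7", 60270),
    _F.format("2023-08-24T19:00:00+10:00", "2001:db8::5", 40001),
]
```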
 
