Fail2ban Proxmox 9

[filippoclikkami]

Hi, i'm testing pve 9 and just install fail2ban. There's some differences from pve 8, like syslog that isn't installed by default anymore. So which is the best and "compliance" way for the latest version of debian and pve. Talking about where to send the log, how to set the filter... documentation isn't updated.

Can someone help?

Actual filter.d:

[Definition]
failregex = ^.*pvedaemon\[.*\]: authentication failure; rhost=<HOST> user=.* msg=.*$
ignoreregex =

Actual jail.local:

[DEFAULT]
ignoreip = myip
bantime = 3600
findtime = 600
maxretry = 3

[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
logpath = /var/log/syslog
maxretry = 3
# 1 hour
bantime = 3600

[sshd]
port = ssh
logpath = %(sshd_log)s
enabled = true

 

[Daniel-Doggy]

I only needed to change fail2ban to use systemd for the log output.
See: https://github.com/Daniel-Doggy/proxmox-ve-scripts/tree/master/files/Proxmox-VE

 

[filippoclikkami]

So you only specified backend and remove logpah in both the jails? Which in my case means:

jail.local:

[DEFAULT]
ignoreip = myip
bantime = 3600
findtime = 600
maxretry = 3
backend = systemd

[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
maxretry = 3
# 1 hour
bantime = 3600

[sshd]
port = ssh
enabled = true

Is it correct?

 

[JensF]

There is a "banaction" missing in the default section, right?

 

[Daniel-Doggy]

Ban action should not be needed.
Default is to block the IP for the ban duration.
@filippoclikkami your config look correct.
I would however really recommend to change the following:

findtime = 2d # but at minimum 1d since bruteforce attacks that just try once every 10 minutes will not be banned with 600. (600 = 10 minutes)

I would also really recommend to add:
bantime.increment = true
bantime.factor = 24
bantime.maxtime = 30d

This is to make bruteforce really not an option as this will first ban an IP for 1 hour after 3 login failures (if you keep the bantime at 3600) but add a day of ban time after the first ban and another 3 login failures.
So first ban is 1 hour, second ban is 1 day, third ban is 2 days, etc.

 

[Daniel-Doggy]

And for ssh you only need enabled = true
All the settings it need is already provided via sshd.conf that is part of fail2ban itself.

 

[filippoclikkami]

Ban action should not be needed.
Default is to block the IP for the ban duration.
@filippoclikkami your config look correct.
I would however really recommend to change the following:

findtime = 2d # but at minimum 1d since bruteforce attacks that just try once every 10 minutes will not be banned with 600. (600 = 10 minutes)

I would also really recommend to add:
bantime.increment = true
bantime.factor = 24
bantime.maxtime = 30d

This is to make bruteforce really not an option as this will first ban an IP for 1 hour after 3 login failures (if you keep the bantime at 3600) but add a day of ban time after the first ban and another 3 login failures.
So first ban is 1 hour, second ban is 1 day, third ban is 2 days, etc.

Thank you so much for advises, i'm finding the right tweaking for my purpose.

 

[Daniel-Doggy]

All good, I can also still remember the days that I just put things together and hoped it work in my early days. (And I still feel like the imposter every once in a while. )
Also after a couple of days, check how many IPs are currrently banned and have been banned overall.

On sshd I would expect a lot of IPs. (100+ IPs).
And on proxmox I would expect 1 to 2 IPs (But 0 is also normal given that port 8006 is scanned and tried way less as it not a common port.)

Assuming it is publicly accessible.^