Hi,
we are trying to use fail2ban on a host and use the Proxmox Firewall feature in order to block / open ports.
In my PVE host (datacenter layer), I have these firewall rules configured:
Security-Group "default-host" =>
Accept SSH (TCP port 22)
Accept GUI (TCP Port 8006)
Now I also have fail2ban configured, and as an example here is the SSHd jail:
Code:
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
port = ssh
logpath = journal
backend = systemd
findtime = 1h
bantime = 4h
maxretry = 10
The jail also works - it successfully detects bruteforcers and bans them:
Code:
2024-01-22 12:02:36,153 fail2ban.filter [478379]: INFO [sshd] Found xx - 2024-01-22 12:02:35
2024-01-22 12:02:38,016 fail2ban.filter [478379]: INFO [sshd] Found xx - 2024-01-22 12:02:37
2024-01-22 12:02:40,947 fail2ban.filter [478379]: INFO [sshd] Found xx - 2024-01-22 12:02:40
2024-01-22 12:02:44,016 fail2ban.filter [478379]: INFO [sshd] Found xx - 2024-01-22 12:02:43
2024-01-22 12:02:44,100 fail2ban.actions [478379]: WARNING [sshd] xx already banned
It puts them into the iptables chain "f2b-sshd":
Code:
Chain f2b-sshd (1 references)
target prot opt source destination
REJECT all -- xx anywhere reject-with icmp-port-unreachable
However, it seems that this CHAIN is getting overruled or something else - because the IP can still reach the host and keep on bruteforcing.
I see that the "default-host" chain that I created is at the top of "iptables -L":
Code:
Chain GROUP-default-host-IN (1 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK and 0x7fffffff
PVEFW-SET-ACCEPT-MARK tcp -- anywhere anywhere [goto] tcp dpt:ssh
So, my question is: Is there a way to use fail2ban in combination with the Proxmox firewall? Like set the priority of the bans higher? Or any other idea? Thank you guys for your help!
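
Added example, not part of the original post: iptables walks the rules of INPUT in order and a terminating ACCEPT ends traversal, so whether the jump to "f2b-sshd" sits before or after the jump into the Proxmox firewall chains decides whether the ban is ever consulted. The script below reports that order from the text of `iptables -S INPUT`. The chain name PVEFW-INPUT and the sample rule lines are assumptions constructed for illustration; substitute the chain names the host actually shows.

```shell
#!/bin/sh
# Added example: which chain does INPUT jump to first?
# Input is the text printed by `iptables -S INPUT`.

# jump_position CHAIN: read rules on stdin and print the 1-based index of the
# first INPUT rule that jumps (-j) or goes (-g) to CHAIN, or 0 if none does.
jump_position() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == "INPUT" {
            n++
            for (i = 3; i < NF; i++)
                if (($i == "-j" || $i == "-g") && $(i + 1) == chain && !pos)
                    pos = n
        }
        END { print pos + 0 }
    '
}

# ban_order RULES BAN_CHAIN FW_CHAIN: print "ban-first", "firewall-first",
# or "missing" when INPUT never references BAN_CHAIN.
ban_order() {
    ban=$(printf '%s\n' "$1" | jump_position "$2")
    fw=$(printf '%s\n' "$1" | jump_position "$3")
    if [ "$ban" -eq 0 ]; then echo "missing"
    elif [ "$fw" -eq 0 ] || [ "$ban" -lt "$fw" ]; then echo "ban-first"
    else echo "firewall-first"
    fi
}

# Constructed samples (not taken from the post): the same two jumps in
# opposite order.
SAMPLE_FW_FIRST='-P INPUT ACCEPT
-A INPUT -j PVEFW-INPUT
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd'

SAMPLE_BAN_FIRST='-P INPUT ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -j PVEFW-INPUT'

# On a live host: ban_order "$(iptables -S INPUT)" f2b-sshd PVEFW-INPUT
ban_order "$SAMPLE_FW_FIRST" f2b-sshd PVEFW-INPUT
ban_order "$SAMPLE_BAN_FIRST" f2b-sshd PVEFW-INPUT
```

A result of "firewall-first" means packets accepted inside the firewall chains never reach the fail2ban chain, which matches the symptom described in the post.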