fail2ban & PVE 8.1 Firewall: f2b logs Ban and puts it into iptables, but it's getting overridden by PVE Firewall

smaxxx

Aug 18, 2023
Hi,

we are trying to use fail2ban on a host and use the Proxmox Firewall feature in order to block / open ports.

In my PVE host (datacenter layer), I have these firewall rules configured:
Security-Group "default-host" =>
Accept SSH (TCP port 22)
Accept GUI (TCP Port 8006)

Now I also have fail2ban configured, and as example here is the SSHd jail:

Code:
[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
port    = ssh
logpath = journal
backend = systemd
findtime = 1h
bantime = 4h
maxretry = 10

The jail also works - it successfully detects bruteforcers and bans them:

Code:
2024-01-22 12:02:36,153 fail2ban.filter         [478379]: INFO    [sshd] Found xx - 2024-01-22 12:02:35
2024-01-22 12:02:38,016 fail2ban.filter         [478379]: INFO    [sshd] Found xx - 2024-01-22 12:02:37
2024-01-22 12:02:40,947 fail2ban.filter         [478379]: INFO    [sshd] Found xx - 2024-01-22 12:02:40
2024-01-22 12:02:44,016 fail2ban.filter         [478379]: INFO    [sshd] Found xx - 2024-01-22 12:02:43
2024-01-22 12:02:44,100 fail2ban.actions        [478379]: WARNING [sshd] xx already banned

It puts them into the iptables chain "f2b-sshd":
Code:
Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  xx          anywhere             reject-with icmp-port-unreachable

However, it seems that this CHAIN is getting overruled or something else - because the IP can still reach the host and keep on bruteforcing.

I see that the "default-host" chain that I created is at the top of "iptables -L":
Code:
Chain GROUP-default-host-IN (1 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             MARK and 0x7fffffff
PVEFW-SET-ACCEPT-MARK  tcp  --  anywhere      anywhere            [goto]  tcp dpt:ssh

So, my question is: Is there a way to use fail2ban in combination with the Proxmox firewall? Like set the priority of the bans higher? Or any other idea? Thank you guys for your help!
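An added diagnostic (example code, not from the original post or from Proxmox) for the ordering problem described above: it parses the output of `iptables -S INPUT` and reports whether the jump into fail2ban's `f2b-sshd` chain comes before the jump into the PVE firewall's input chain. The chain name `PVEFW-INPUT` (pve-firewall's entry chain, which the post does not show) and both rule listings are assumptions; on a real host pass it `"$(iptables -S INPUT)"` instead.

```shell
# Constructed samples of `iptables -S INPUT` (assumed layouts, not captured
# from the host in the post). In the first, the PVE firewall chain is
# consulted before fail2ban's chain, so bans never match; in the second,
# fail2ban's chain is consulted first.
SAMPLE_PVE_FIRST='-P INPUT ACCEPT
-A INPUT -j PVEFW-INPUT
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd'

SAMPLE_F2B_FIRST='-P INPUT ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -j PVEFW-INPUT'

# jump_position CHAIN RULES
# Prints the 1-based position, within the INPUT chain, of the first rule
# that jumps to CHAIN, or 0 if INPUT never jumps to it.
jump_position() {
    printf '%s\n' "$2" | awk -v chain="$1" '
        /^-A INPUT / {
            n++
            for (i = 1; i < NF; i++)
                if ($i == "-j" && $(i + 1) == chain) { print n; found = 1; exit }
        }
        END { if (!found) print 0 }'
}

# f2b_before_pvefw F2B_CHAIN RULES
# Succeeds (exit 0) only when both chains are reachable from INPUT and the
# fail2ban chain is evaluated before PVEFW-INPUT.
f2b_before_pvefw() {
    f2b=$(jump_position "$1" "$2")
    pve=$(jump_position PVEFW-INPUT "$2")
    [ "$f2b" -gt 0 ] && [ "$pve" -gt 0 ] && [ "$f2b" -lt "$pve" ]
}

if f2b_before_pvefw f2b-sshd "$SAMPLE_PVE_FIRST"; then
    echo "fail2ban chain is consulted first: bans take effect"
else
    echo "PVEFW-INPUT is consulted first: f2b-sshd rejects are never reached"
fi
```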