fail2ban & PVE 8.1 Firewall: f2b logs Ban and puts it into iptables, but its getting overriden by PVE Firewall

smaxxx

New Member
Aug 18, 2023
3
0
1
Hi,

we are trying to use fail2ban on a host and use the Proxmox Firewall feature in order to block / open ports.

In my PVE host (datacenter layer), I have these firewall rules configured:
Security-Group "default-host" =>
Accept SSH (TCP port 22)
Accept GUI (TCP Port 8006)

Now I also have fail2ban configured, and as example here is the SSHd jail:

Code:
[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
port    = ssh
logpath = journal
backend = systemd
findtime = 1h
bantime = 4h
maxretry = 10

The jail also works - it successfully detects bruteforcers and bans them:

Code:
2024-01-22 12:02:36,153 fail2ban.filter         [478379]: INFO    [sshd] Found xx - 2024-01-22 12:02:35
2024-01-22 12:02:38,016 fail2ban.filter         [478379]: INFO    [sshd] Found xx - 2024-01-22 12:02:37
2024-01-22 12:02:40,947 fail2ban.filter         [478379]: INFO    [sshd] Found xx - 2024-01-22 12:02:40
2024-01-22 12:02:44,016 fail2ban.filter         [478379]: INFO    [sshd] Found xx - 2024-01-22 12:02:43
2024-01-22 12:02:44,100 fail2ban.actions        [478379]: WARNING [sshd] xx already banned

It puts them into the iptables chain "f2b-sshd":
Code:
Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  xx          anywhere             reject-with icmp-port-unreachable

However, it seems that this CHAIN is getting overruled or something else - because the IP can still reach the host and keep on bruteforcing.

I see that the "default-host" chain that I created is at the top of "iptables -L":
Code:
Chain GROUP-default-host-IN (1 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             MARK and 0x7fffffff
PVEFW-SET-ACCEPT-MARK  tcp  --  anywhere      anywhere            [goto]  tcp dpt:ssh

So, my question is: Is there a way to use fail2ban in combination with the Proxmox firewall? Like set the priority of the bans higher? Or any other idea? Thank you guys for your help!