I have no clue how to submit to the wiki, so I will post what I did to get this running.
My objective was to implement Fail2Ban on the Proxmox host to monitor and ban IP addresses that make brute-force attempts to gain access to the web interface or ssh command shell. I've successfully tested this on my pilot server and it seems to be running well.
Steps.
Update repositories
Code:
apt-get update
Install Fail2Ban
Code:
apt-get install fail2ban
Now we want to make copies of the config files for backup purposes
Code:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
Now we want to create the fail2ban filter file, which tells Fail2Ban what to look for in the logs in order to trigger the ban
Code:
nano /etc/fail2ban/filter.d/proxmox.conf
Copy and paste the code below into proxmox.conf
Code:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 569 $
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# Matches a POST to the web interface that Apache answered with HTTP 403.
# The trailing 1383 is the response-size field of the access log as seen on
# the author's host; check your own access.log, since a 403 with a different
# size will not be matched by this expression.
failregex = ^<HOST> -.*POST.*/1\.1.* 403 1383
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Hit CTRL X then hit Y (if prompted) to save/overwrite proxmox.conf
Now we want to edit the jail.local (not jail.conf) file to specify our proxmox settings
Code:
nano /etc/fail2ban/jail.local
Scroll down until you find the Jails section and locate this section
Code:
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
Copy and paste the code below directly above [ssh]
Code:
[proxmox]
enabled = true
port = https,http
filter = proxmox
logpath = /var/log/apache*/access.log
maxretry = 3
It should look like this
Code:
[proxmox]
enabled = true
port = https,http
filter = proxmox
logpath = /var/log/apache*/access.log
maxretry = 3
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
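To see what the filter and jail above actually do before touching the live log, here is an added Python example (not from the original post and not Fail2Ban's own code). It replays a few constructed Apache access-log lines through the post's failregex, with <HOST> expanded to the alias quoted in the filter file's comments, and applies the [proxmox] jail's maxretry = 3 over a findtime window of 600 seconds (Fail2Ban's default, assumed here, since the post does not set it). The window counting is a simplified re-implementation, not Fail2Ban's internal logic. Note the last sample line: a 403 whose response size is not 1383 bytes is silently ignored, which is the main weakness of this regex.

```python
"""Replay constructed access-log lines through the post's proxmox failregex
and the jail's maxretry/findtime rule.  Added example; not fail2ban code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex exactly as written in the post's proxmox.conf; fail2ban expands
# <HOST> to the alias quoted in that file's comments.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"
FAILREGEX = r"^<HOST> -.*POST.*/1\.1.* 403 1383"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_ALIAS))

# Apache access-log timestamp, e.g. [19/Mar/2010:13:14:08 +0100]
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})")

MAXRETRY = 3    # from the post's [proxmox] jail
FINDTIME = 600  # seconds; fail2ban's default, assumed (post does not set it)

# Constructed sample log (documentation-range addresses, not a real capture).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Mar/2010:13:14:08 +0100] "POST /api2/json/access/ticket HTTP/1.1" 403 1383 "-" "Mozilla"
203.0.113.7 - - [19/Mar/2010:13:14:13 +0100] "POST /api2/json/access/ticket HTTP/1.1" 403 1383 "-" "Mozilla"
198.51.100.4 - - [19/Mar/2010:13:14:20 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla"
203.0.113.7 - - [19/Mar/2010:13:14:44 +0100] "POST /api2/json/access/ticket HTTP/1.1" 403 1383 "-" "Mozilla"
198.51.100.4 - - [19/Mar/2010:13:15:02 +0100] "POST /api2/json/access/ticket HTTP/1.1" 200 1021 "-" "Mozilla"
203.0.113.9 - - [19/Mar/2010:13:20:00 +0100] "POST /api2/json/access/ticket HTTP/1.1" 403 1391 "-" "Mozilla"
"""


def matches(line):
    """Return the host captured by failregex, or None if the line is no failure."""
    m = FAIL_RE.match(line)
    return m.group("host") if m else None


def line_time(line):
    """Parse the access-log timestamp (offset ignored for this replay)."""
    m = TS_RE.search(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S") if m else None


def find_bans(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay the log; return {host: time of the failure that reached maxretry}.

    A host is banned when it has at least `maxretry` failures whose
    timestamps all fall within the last `findtime` seconds.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    bans = {}
    for line in log_text.splitlines():
        host = matches(line)
        if host is None or host in bans:
            continue
        when = line_time(line)
        if when is None:
            continue
        q = recent[host]
        q.append(when)
        while q and when - q[0] > window:   # drop failures outside findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[host] = when
    return bans


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print("FAIL" if matches(line) else "    ", line[:60])
    for host, when in find_bans(SAMPLE_LOG).items():
        print(f"would ban {host} at {when:%H:%M:%S}")
```

Running it lists which lines count as failures and reports that 203.0.113.7 would be banned on its third failed POST at 13:14:44, while 203.0.113.9 (403 with a 1391-byte response) is never counted. The fail2ban-regex command used later in the post is the authoritative check against your real access.log.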
Hit CTRL X then hit Y (if prompted) to save/overwrite jail.local
Now we want to restart Fail2Ban
Code:
/etc/init.d/fail2ban restart
Now we want to test that the new rules work
Code:
/usr/bin/fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/proxmox.conf
The above command should tell you if your filter is parsing the log files correctly and returning results. This is how mine looks after a few failed login attempts (IP addresses masked)
Code:
Running tests
=============
Use regex file : /etc/fail2ban/filter.d/proxmox.conf
Use log file : /var/log/apache2/access.log
Results
=======
Failregex
|- Regular expressions:
| [1] ^<HOST> -.*POST.*/1\.1.* 403 1383
|
`- Number of matches:
[1] 21 match(es)
Ignoreregex
|- Regular expressions:
|
`- Number of matches:
Summary
=======
Addresses found:
[1]
xxx.xxx.xxx.xxx (Fri Mar 19 09:54:42 2010)
xxx.xxx.xxx.xxx (Fri Mar 19 09:54:47 2010)
xxx.xxx.xxx.xxx (Fri Mar 19 09:54:53 2010)
xxx.xxx.xxx.xxx (Fri Mar 19 13:00:25 2010)
xxx.xxx.xxx.xxx (Fri Mar 19 13:00:31 2010)
xxx.xxx.xxx.xxx (Fri Mar 19 13:00:36 2010)
xxx.xxx.xxx.xxx (Fri Mar 19 13:08:31 2010)
xxx.xxx.xxx.xxx (Fri Mar 19 13:14:08 2010)
xxx.xxx.xxx.xxx (Fri Mar 19 13:14:13 2010)
xxx.xxx.xxx.xxx (Fri Mar 19 13:14:44 2010)
Date template hits:
0 hit(s): Month Day Hour:Minute:Second
0 hit(s): Weekday Month Day Hour:Minute:Second Year
0 hit(s): Weekday Month Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
164 hit(s): Day/Month/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
Success, the total number of match is 21
However, look at the above section 'Running tests' which could contain important
information.
Put fail2ban to the test by logging in with a made-up username and password to the Proxmox web interface. After the 3rd incorrect login you should no longer be able to get to the page. By default the IP address will be banned for 10 minutes.
Now you will want to remove the ban. Go back into the command line and type
Code:
iptables -L fail2ban-proxmox -n -v --line-numbers
Which should give you numbered lines of IP addresses banned by proxmox, which looks like this
Code:
proxmox:/etc/fail2ban# iptables -L fail2ban-proxmox -n -v --line-numbers
Chain fail2ban-proxmox (1 references)
num   pkts bytes target prot opt in  out source       destination
1        8   389 DROP   all  --  *   *   192.168.1.11 0.0.0.0/0
2       87 13396 RETURN all  --  *   *   0.0.0.0/0    0.0.0.0/0
To unban an IP, type in
Code:
iptables -D fail2ban-proxmox 1
Where the number 1 represents the line number from the prior command.
You should now have access to the proxmox web interface again.
Fail2Ban is working correctly!
To change the amount of time an IP address is banned
Code:
nano /etc/fail2ban/jail.local
Look for
Code:
bantime = 600
and change that to the number of seconds you would like IP addresses to be banned for.
To add your IP address to the ignore list
Code:
nano /etc/fail2ban/jail.local
Look for
Code:
ignoreip = 127.0.0.1
and add your IP address.
I will be adding more to this as I test. Please let me know if and how this works out for you.