How To implement Fail2Ban on Host

Discussion in 'Proxmox VE 1.x: Installation and configuration' started by jvalla, Mar 19, 2010.

  1. jvalla

    jvalla New Member

    Joined:
    Feb 27, 2010
    Messages:
    27
    Likes Received:
    1
    I have no clue how to submit to the wiki so I will post what I did to get this running.

    My objective was to implement Fail2Ban on the Proxmox host to monitor and ban IP addresses that make brute force attempts to gain access to the web interface or ssh command shell. I've successfully tested this on my pilot server and it seems to be running well.

    Steps.

    Update repositories

    Code:
    apt-get update
    Install Fail2Ban

    Code:
    apt-get install fail2ban
    Now we want to make copies of config files for backup purposes

    Code:
    cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
    cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
    Now we want to create the fail2ban filter file which tells what to look for in the logs in order to trigger the ban

    Code:
    nano /etc/fail2ban/filter.d/proxmox.conf
    copy and paste code below into proxmox.conf

    Code:
    # Fail2Ban configuration file
    #
    # Author: Cyril Jaquier
    #
    # $Revision: 569 $
    #
    
    [Definition]
    
    # Option:  failregex
    # Notes.:  regex to match the password failure messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>\S+)
    # Values:  TEXT
    #
    
    failregex = ^<HOST> -.*POST.*/1\.1.* 403 1383
    
    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex = 
    Hit CTRL X then hit Y (if prompted) to save/overwrite proxmox.conf

    Now we want to edit the jail.local (not jail.conf) file to specify our proxmox settings

    Code:
    nano /etc/fail2ban/jail.local
    scroll down until you find the Jails section and locate
    this section

    Code:
    [ssh]
    
    enabled = true
    port    = ssh
    filter  = sshd
    logpath  = /var/log/auth.log
    maxretry = 6
    Copy and paste the code below directly above [ssh]

    Code:
    [proxmox]
    
    enabled = true
    port    = https,http
    filter  = proxmox
    logpath  = /var/log/apache*/access.log
    maxretry = 3
    
    It should look like this

    Code:
    [proxmox]
    
    enabled = true
    port    = https,http
    filter  = proxmox
    logpath  = /var/log/apache*/access.log
    maxretry = 3
    
    [ssh]
    
    enabled = true
    port    = ssh
    filter  = sshd
    logpath  = /var/log/auth.log
    maxretry = 6
    Hit CTRL X then hit Y (if prompted) to save/overwrite jail.local

    Now we want to restart Fail2Ban

    Code:
    /etc/init.d/fail2ban restart
    Now we want to test that the new rules work

    Code:
    /usr/bin/fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/proxmox.conf
    The command above should tell you if your filter is parsing the log files correctly and returning results. This is how mine looks after a few failed login attempts
    (IP addresses masked)

    Code:
    Running tests
    =============
    
    Use regex file : /etc/fail2ban/filter.d/proxmox.conf
    Use log file   : /var/log/apache2/access.log
    
    
    Results
    =======
    
    Failregex
    |- Regular expressions:
    |  [1] ^<HOST> -.*POST.*/1\.1.* 403 1383
    |
    `- Number of matches:
       [1] 21 match(es)
    
    Ignoreregex
    |- Regular expressions:
    |
    `- Number of matches:
    
    Summary
    =======
    
    Addresses found:
    [1]
        xxx.xxx.xxx.xxx (Fri Mar 19 09:54:42 2010)
        xxx.xxx.xxx.xxx (Fri Mar 19 09:54:47 2010)
        xxx.xxx.xxx.xxx (Fri Mar 19 09:54:53 2010)
        xxx.xxx.xxx.xxx (Fri Mar 19 13:00:25 2010)
        xxx.xxx.xxx.xxx (Fri Mar 19 13:00:31 2010)
        xxx.xxx.xxx.xxx (Fri Mar 19 13:00:36 2010)
        xxx.xxx.xxx.xxx (Fri Mar 19 13:08:31 2010)
        xxx.xxx.xxx.xxx (Fri Mar 19 13:14:08 2010)
        xxx.xxx.xxx.xxx (Fri Mar 19 13:14:13 2010)
        xxx.xxx.xxx.xxx (Fri Mar 19 13:14:44 2010)
    
    Date template hits:
    0 hit(s): Month Day Hour:Minute:Second
    0 hit(s): Weekday Month Day Hour:Minute:Second Year
    0 hit(s): Weekday Month Day Hour:Minute:Second
    0 hit(s): Year/Month/Day Hour:Minute:Second
    0 hit(s): Day/Month/Year Hour:Minute:Second
    164 hit(s): Day/Month/Year:Hour:Minute:Second
    0 hit(s): Year-Month-Day Hour:Minute:Second
    0 hit(s): Day-Month-Year Hour:Minute:Second[.Millisecond]
    0 hit(s): TAI64N
    0 hit(s): Epoch
    0 hit(s): ISO 8601
    
    Success, the total number of match is 21
    
    However, look at the above section 'Running tests' which could contain important
    information.
    
    Put fail2ban to the test by logging in with a made up username and password to the Proxmox web interface. After the 3rd incorrect login you should no longer be able to get to the page. By default the IP address will be banned for 10 minutes.

    Now you will want to remove the ban. Go back into the command line and type

    Code:
    iptables -L fail2ban-proxmox -n -v --line-numbers
    which should give you numbered lines of the IP addresses banned by the proxmox jail, looking like this

    Code:
    proxmox:/etc/fail2ban# iptables -L fail2ban-proxmox -n -v --line-numbers
    Chain fail2ban-proxmox (1 references)
    num   pkts bytes target     prot opt in     out     source               destination
    1        8   389 DROP       all  --  *      *       192.168.1.11         0.0.0.0/0
    2       87 13396 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    To unban an IP, type in

    Code:
    iptables -D fail2ban-proxmox 1
    Where the number 1 represents the line number from the prior command.
    You should now have access to the proxmox web interface again.

    Fail2Ban is working correctly!

    To change the amount of time an IP address is banned
    Code:
    nano /etc/fail2ban/jail.local
    Look for
    Code:
    bantime  = 600
    and change that to the number of seconds you would like for IP addresses to be banned

    To add your IP address to the ignore list
    Code:
    nano /etc/fail2ban/jail.local
    Look for
    Code:
    ignoreip = 127.0.0.1
    and add your IP address.


    I will be adding more to this as I test. Please let me know if and how this works out for you.
     
    #1 jvalla, Mar 19, 2010
    Last edited: Mar 20, 2010
  2. udo

    udo Well-Known Member
    Proxmox Subscriber

    Joined:
    Apr 22, 2009
    Messages:
    5,835
    Likes Received:
    159
    Hi,
    thanks for the good description - you should add this to the wiki (you must create an account for the wiki - simply use the same name as on the forum).

    Udo
     
  3. jvalla

    jvalla New Member

    Joined:
    Feb 27, 2010
    Messages:
    27
    Likes Received:
    1
    I made a couple of changes and ran through the setup on a clean install of proxmox. Works like a charm.
     
  4. raid

    raid Member

    Joined:
    Jul 25, 2010
    Messages:
    102
    Likes Received:
    0
    Is there any way for fail2ban to monitor the VM logs also?
    Would be fine installing it into the host and monitoring the VM too and not only for SSH.
    Does anyone know if it can monitor multiple log path and files at once?
    Maybe used in conjunction with shorewall behind a NAT...
     
  5. jva1601

    jva1601 Member

    Joined:
    Oct 19, 2010
    Messages:
    61
    Likes Received:
    1
    I use fail2ban to protect my open vz containers now I can use it to protect my proxmox host. Thank you very much for the clear thorough tutorial!
     
  6. proxymoxy

    proxymoxy New Member

    Joined:
    Jun 9, 2011
    Messages:
    28
    Likes Received:
    0
    Haven't tried it yet (still waiting for proxmox 2.0 and hopefully it doesn't take as long as CentOS :)

    But the guide looks great and I appreciate it! Thanks!
     
  7. kilobit

    kilobit New Member

    Joined:
    Jul 17, 2011
    Messages:
    4
    Likes Received:
    0
    Jvalla thanks a million for posting this, we need more tutorials like this!
     
  8. udi

    udi Member

    Joined:
    Apr 1, 2011
    Messages:
    73
    Likes Received:
    0
    hi,

    this is your regex:

    failregex = ^<HOST> -.*POST.*/1\.1.* 403 1383

    but in my logfile the number after 403 is 1395.
    i decided to remove 1383 from the end of regex (better than change it to 1395).
    now my regex is: ^<HOST> -.*POST.*/1\.1.* 403

    is it ok this way?

    thank you
    u.
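    Added example (not code from jvalla's or udi's posts, and not fail2ban's own implementation): a small Python script that expands the <HOST> tag the way the filter header above documents it, then runs both failregex variants from this thread over constructed Apache access-log lines (documentation IP ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24; the 1383/1395 sizes and the /ws/login path are assumed sample values). It shows why pinning the response size matters: a 403 whose body is 1395 bytes is invisible to the original regex, so a host that fails three times is only banned by the relaxed one. The maxretry check ignores findtime for brevity.

```python
import re
from collections import Counter

# fail2ban's documented expansion of the <HOST> tag, as quoted in the filter header above
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# jvalla's filter, and udi's variant without the trailing response size
ORIGINAL_FAILREGEX = r"^<HOST> -.*POST.*/1\.1.* 403 1383"
RELAXED_FAILREGEX = r"^<HOST> -.*POST.*/1\.1.* 403"

# Constructed Apache combined-log lines (documentation IP ranges, not real hosts):
# three 403s with body size 1383, three with 1395, one successful POST, one GET.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [19/Mar/2010:09:54:42 -0400] "POST /ws/login HTTP/1.1" 403 1383 "-" "Mozilla/5.0"
192.0.2.10 - - [19/Mar/2010:09:54:47 -0400] "POST /ws/login HTTP/1.1" 403 1383 "-" "Mozilla/5.0"
192.0.2.10 - - [19/Mar/2010:09:54:53 -0400] "POST /ws/login HTTP/1.1" 403 1383 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Mar/2010:13:00:25 -0400] "POST /ws/login HTTP/1.1" 403 1395 "-" "curl/7.19"
198.51.100.7 - - [19/Mar/2010:13:00:31 -0400] "POST /ws/login HTTP/1.1" 403 1395 "-" "curl/7.19"
198.51.100.7 - - [19/Mar/2010:13:00:36 -0400] "POST /ws/login HTTP/1.1" 403 1395 "-" "curl/7.19"
192.0.2.10 - - [19/Mar/2010:09:55:02 -0400] "POST /ws/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Mar/2010:09:55:10 -0400] "GET /index.htm HTTP/1.1" 403 1383 "-" "Mozilla/5.0"
"""


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban-regex does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def failures_per_host(failregex, log_text):
    """Count matching lines per host, like the 'Addresses found' summary."""
    pattern = compile_failregex(failregex)
    counts = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            counts[match.group("host")] += 1
    return dict(counts)


def hosts_over_maxretry(counts, maxretry=3):
    """Hosts the jail would ban with maxretry=3 (findtime ignored for brevity)."""
    return {host for host, n in counts.items() if n >= maxretry}


if __name__ == "__main__":
    for name, regex in (("original", ORIGINAL_FAILREGEX), ("relaxed", RELAXED_FAILREGEX)):
        counts = failures_per_host(regex, SAMPLE_ACCESS_LOG)
        print(name, counts, "-> ban:", sorted(hosts_over_maxretry(counts)))
```

    Run it as-is to compare the two filters; the successful POST (status 200) and the GET that happens to return 403 match neither regex, which is the behaviour you want from a login-failure filter.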
     
  9. Daraiko

    Daraiko New Member

    Joined:
    Mar 2, 2012
    Messages:
    22
    Likes Received:
    0
    Hi,

    I have tried this in 2.x, but it does not seem to work... I have changed the ports.
    Is there anyone who has implemented this successfully in proxmox 2.x?
     
  10. xcooling

    xcooling New Member

    Joined:
    May 24, 2012
    Messages:
    28
    Likes Received:
    0
    the webgui in 2.0+ does NOT log failed login attempts to /var/log/apache2/access.log , this is why the above fail2ban no longer works.

    I have rewritten the scripts to work with proxmox2, and will be published once they pass QA
     
    #10 xcooling, Jun 16, 2012
    Last edited: Jun 16, 2012
  11. TheReelaatiiv

    TheReelaatiiv Member

    Joined:
    Mar 29, 2012
    Messages:
    89
    Likes Received:
    0
    Proxmox VE 2.0+ logs authentication-attempts to /var/log/syslog and of course to /var/log/daemon.log
    Code:
    Jun 16 15:03:12 gw2 pvedaemon[425416]: authentication failure; rhost=<myip> user=nonexistuser@pam msg=no such user ('nonexistuser@pam')
    Jun 16 15:03:28 gw2 pvedaemon[260092]: authentication failure; rhost=<myip> user=root@pam msg=Authentication failure
     
    #11 TheReelaatiiv, Jun 16, 2012
    Last edited: Jun 16, 2012
  12. xcooling

    xcooling New Member

    Joined:
    May 24, 2012
    Messages:
    28
    Likes Received:
    0
  13. emanuelebruno

    emanuelebruno Member

    Joined:
    May 1, 2012
    Messages:
    113
    Likes Received:
    0
    according to this web site http://extremeshok.com/blog/debian/...stallation-fail2ban-sysctl-hosts-ip-spoofing/ , I got this message after typing the "fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox2.conf" command:

    ***
    /usr/share/fail2ban/server/filter.py:442: DeprecationWarning: the md5 module is deprecated; use hashlib instead
    import md5

    Running tests
    =============

    Use regex file : /etc/fail2ban/filter.d/proxmox2.conf
    Use log file : /var/log/daemon.log


    Results
    =======

    Failregex
    |- Regular expressions:
    | [1] pvedaemon\[.*authentication failure; rhost=<HOST> user=.*msg=.*
    |
    `- Number of matches:
    [1] 0 match(es)

    Ignoreregex
    |- Regular expressions:
    |
    `- Number of matches:

    Summary
    =======

    Sorry, no match

    Look at the above section 'Running tests' which could contain important
    information.
    ***
    I have copied exactly as in the web site.... anyone met this error?
    Sincerely,
    Emanuele Bruno.
     
  14. xcooling

    xcooling New Member

    Joined:
    May 24, 2012
    Messages:
    28
    Likes Received:
    0
    THAT'S NOT AN ERROR.
    it is telling you that you have no matches, i.e. no one has been brute forcing the interface according to the current logs
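    Added example for the 2.x discussion in the posts above (not code from any poster or from fail2ban itself): the proxmox2 failregex quoted in Emanuele's fail2ban-regex output is run over constructed /var/log/daemon.log lines shaped like the pvedaemon entries TheReelaatiiv showed, and a sliding findtime window is applied the way a jail does. Assumptions are labelled in the code: the IPs are documentation addresses, the year is set to 2012 because syslog timestamps omit it, the "successful auth" and sshd lines are constructed filler that must not match, and findtime=600 is taken as the jail default. An empty result from parse_failures() is exactly the "Sorry, no match" case xcooling describes: zero failures in the log, not a broken filter.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban's documented expansion of the <HOST> tag (see the filter header earlier in the thread)
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# failregex quoted in the fail2ban-regex output above, aimed at pvedaemon syslog lines
PVE2_FAILREGEX = r"pvedaemon\[.*authentication failure; rhost=<HOST> user=.*msg=.*"
PATTERN = re.compile(PVE2_FAILREGEX.replace("<HOST>", HOST_TAG))

# jail-style settings: maxretry from the thread, findtime=600 assumed as the default window
MAXRETRY = 3
FINDTIME = timedelta(seconds=600)

# Constructed daemon.log lines (documentation IPs; year assumed 2012 since syslog omits it).
# 192.0.2.10 fails three times in 28 seconds; 198.51.100.7 fails three times spread over an hour.
SAMPLE_DAEMON_LOG = """\
Jun 16 15:03:12 gw2 pvedaemon[425416]: authentication failure; rhost=192.0.2.10 user=nonexistuser@pam msg=no such user ('nonexistuser@pam')
Jun 16 15:03:28 gw2 pvedaemon[260092]: authentication failure; rhost=192.0.2.10 user=root@pam msg=Authentication failure
Jun 16 15:03:40 gw2 pvedaemon[260092]: authentication failure; rhost=192.0.2.10 user=root@pam msg=Authentication failure
Jun 16 15:04:01 gw2 pvedaemon[260092]: <root@pam> successful auth for user 'root@pam'
Jun 16 14:00:05 gw2 pvedaemon[260092]: authentication failure; rhost=198.51.100.7 user=root@pam msg=Authentication failure
Jun 16 14:30:05 gw2 pvedaemon[260092]: authentication failure; rhost=198.51.100.7 user=root@pam msg=Authentication failure
Jun 16 15:05:05 gw2 pvedaemon[260092]: authentication failure; rhost=198.51.100.7 user=root@pam msg=Authentication failure
Jun 16 15:06:00 gw2 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4444 ssh2
"""


def parse_failures(log_text, year=2012):
    """Return (timestamp, host) for every line the failregex matches."""
    found = []
    for line in log_text.splitlines():
        match = PATTERN.search(line)
        if not match:
            continue
        # syslog prefix "Mon DD HH:MM:SS" is the first 15 characters; the year is assumed
        stamp = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        found.append((stamp, match.group("host")))
    return found


def hosts_to_ban(failures, maxretry=MAXRETRY, findtime=FINDTIME):
    """Sliding window as in a fail2ban jail: ban once maxretry failures fall within findtime."""
    recent = defaultdict(list)
    banned = set()
    for stamp, host in sorted(failures):
        # keep only failures no older than findtime relative to this one, then add it
        window = [t for t in recent[host] if stamp - t <= findtime] + [stamp]
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_DAEMON_LOG)
    print(f"{len(failures)} match(es)" if failures else "Sorry, no match")
    print("would ban:", sorted(hosts_to_ban(failures)))
```

    The host whose three failures fall within ten minutes is banned; the host whose three failures are spread over an hour never has maxretry failures inside one findtime window, so it is not, which is the part of the jail logic that fail2ban-regex alone does not show you.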
     
  15. chrisduncansb

    chrisduncansb New Member

    Joined:
    Aug 8, 2012
    Messages:
    1
    Likes Received:
    0
    So I implemented the above step by step in my Proxmox 1.7 install. The SSH fail2ban is working, but http/https doesn't seem to work. I can continue to attempt to log in after 3 failed attempts, and the

    I can see the log in attempts in the apache2/access.log and the summary under running tests is blank.

    Any ideas what could be wrong?
     